Peaches
Posted July 15, 2010

Facebook Users Can Be Forced into Liking Arbitrary Pages

Like button vulnerable to clickjacking attack

A security researcher has discovered a vulnerability which can be used to force Facebook users into liking arbitrary pages. The type of attack is known as clickjacking and does not require any form of user confirmation.

The Facebook “Like” button allows users to share content they find interesting on the Web. The feature is meant to allow users with similar interests to easily find and connect to each other on the social networking website. The button can be integrated by webmasters into any page on their website via a special IFrame.

The bug was discovered by a 21-year-old student named Eric Kerr who documented it on his blog. Successful exploitation results in arbitrary content being added to the user's Facebook News Feed, and at the time of writing this article the flaw was still active.

Kerr explains that a bug in the implementation allows potential attackers to trick users into Liking malicious pages without even knowing it. This can be accomplished by hiding the button on the page via CSS and attaching it under the mouse cursor using a bit of JavaScript.

Story - http://news.softpedia.com/news/Facebook-Users-Can-Be-Forced-into-Liking-Arbitrary-Pages-147531.shtml