Sophos Poll unearths Facebook's apparent loopholes to prevent Clickjacking attacks

Published Date: 16 - Jun - 2010 | Last Updated: 16 - Jun - 2010
 

Sophos, an IT security and data protection firm, has reportedly revealed that 95% of those who voted in its poll do not believe that Facebook is taking suitable measures to stop clickjacking worms on Facebook.

The attacks, dubbed 'likejacking' by Sophos, are said to exploit the 'Like' button facility by automatically hijacking a user's Facebook page to broadcast an update that they 'like' a third-party webpage. This update is apparently shared automatically with the user's Facebook friends via the website's newsfeed, catalysing the rapid spread of the attacks across the social network.

It has been reported that, a couple of days back, the latest widespread attack struck Facebook users, hoodwinking them into 'liking' a webpage entitled '101 Hottest Women in the World' with a picture of Jessica Alba. Sophos conducted a poll of 600 internet users asking: "Do you think Facebook is doing enough to stop clickjacking worms?" In a shocking revelation, the results indicated that 95% of respondents voted no, emphasizing the critical need for Facebook to fix the problem.

Although the attacks have been on the milder side, sources indicate that they demonstrate an exploitable loophole in the way Facebook works, putting users at potential risk from further malware or phishing attacks.

Sharing his views on suitable measures to tackle this menace, Graham Cluley, Senior Technology Consultant at Sophos, has reportedly stated, "Facebook clearly hasn't been security conscious enough in the implementation of its social 'like' plugin. This leaves the system open to abuse by spammers and scammers, and exposes users to the risk of outside threats. One solution would be for Facebook to implement ways for members to make a more conscious decision as to whether they want to 'Like' third party content or not. By having a pop-up box asking whether users are sure they want to 'Like' a particular page, or offering the option to disable the third-party 'Like' feature entirely, the spread of these attacks would be much easier to control."

He further stated, "What's clear is that Facebook needs to set up a proper early warning system to alert users about breaking threats. It seems wrong that the only place where Facebook users can read about the latest attacks is on the pages run by security vendors on Facebook, rather than Facebook's own security pages."

Sophos's Facebook group has reportedly put up caution messages about emerging threats on Facebook at the following link, to caution users and help them curb the menace before it's too late: http://www.facebook.com/pages/Sophos/28552295016

Vinod Yalburgi