Just when you think things couldn't get any worse for Facebook from a security standpoint, a Polish cybersecurity research group went ahead and published proof-of-concept code that could potentially be used to create a Facebook worm. A worm that, by the way, is fully functioning and is already making its rounds online.
According to the researcher, who goes by the handle Lasq, the worm only seems to affect the mobile version of Facebook's sharing dialog and popup. In other words, it's a problem that is active on both the Android and iOS ecosystems, not on the PC.
Lasq also specifies that the vulnerability seems to be of a clickjacking nature, and that hackers were exploiting the IFrame element of Facebook's mobile sharing dialog. For context, an IFrame is an HTML document embedded inside another HTML document; clickjacking works by hiding such an embedded document under an innocuous-looking control so that the victim's click lands on it.
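The standard defence against this class of clickjacking is for the framed site to tell the browser who may embed it, via the `Content-Security-Policy: frame-ancestors` directive or the older `X-Frame-Options` header. The following is an added example, not code from the article or from Lasq: a small Python checker that classifies a set of HTTP response headers by whether they forbid cross-origin framing. The sample header sets are constructed for illustration and are not captured from Facebook.

```python
from typing import Dict, List, Optional

# Constructed sample responses for illustration (not captured from any real site).
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_no_frame_ancestors": {"Content-Security-Policy": "default-src 'self'"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "xfo_allowall": {"X-Frame-Options": "ALLOWALL"},
}


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Classify a response as 'csp', 'xfo' or 'none'.

    CSP frame-ancestors takes precedence over X-Frame-Options in browsers that
    support both, so it is evaluated first. A source list is treated as protective
    unless it allows arbitrary origins ('*' or a bare scheme such as 'https:').
    """
    sources = frame_ancestors(_header(headers, "Content-Security-Policy"))
    if sources:
        normalised = {s.lower() for s in sources}
        allows_anyone = "*" in normalised or any(s.endswith(":") for s in normalised)
        if not allows_anyone:
            return "csp"
        return "none"

    xfo = _header(headers, "X-Frame-Options")
    if xfo and xfo.strip().upper() in {"DENY", "SAMEORIGIN"}:
        return "xfo"
    # ALLOWALL is not a defined value and ALLOW-FROM is ignored by modern browsers.
    return "none"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Run the check over a mapping of label -> headers and return label -> verdict."""
    return {label: framing_protection(hdrs) for label, hdrs in responses.items()}


if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{label:24s} {verdict}")
```

Only `csp_self` and `xfo_deny` count as protected here; a CSP without `frame-ancestors`, a wildcard source list, or a non-standard `X-Frame-Options` value leaves the page embeddable by any origin, which is exactly the precondition a clickjacking overlay relies on.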
Lasq said that he first came across the issue when several of his Facebook friends began "posting" a link to a French comic site hosted on an Amazon Web Services bucket. Upon clicking on the link, the site would ask the Facebook user to verify their age, in French.
Once verified, users were indeed redirected to the aforementioned comic. However, while they were reading the comic, the very same link would simultaneously appear on the person's Facebook wall.
Naturally, Lasq reported the issue to Facebook, only for the social network to turn him away, citing that in order for the clickjacking to be considered a security issue, the code "must allow attacker to somehow change the state of the account."
If there is a lesson to be learnt here, we're guessing it's not to simply click on just any link posted on your friends' Facebook walls. More so if the link's verification method is of a dubious nature.