PoC for Facebook Worm: A Polish security researcher today published a PoC that could be used to create a fully functional Facebook worm.
The code exploits a security gap in the Facebook platform. The researcher, who goes by the pseudonym Lasq, discovered the vulnerability when he noticed that it was being used by spammers on Facebook.
The vulnerability is in the mobile application version. The computer version is unaffected.
Lasq reports that the vulnerability allows clickjacking and that an attacker can exploit it through iframes.
Yesterday I noticed a very annoying SPAM campaign on Facebook, where many of my friends posted a link to a site hosted on an AWS bucket. There was also a link to a French site with funny comic books.
After clicking the link, the page hosted on the AWS bucket appeared, asking you to verify that you are 16 or older (in French) to get access to the content. After clicking the button, the page forwarded you to a page with funny comics (and lots of ads). However, in the meantime the same link you had just clicked was automatically posted to your Facebook wall as well.
The researcher investigated the issue and noticed that the affected page was served without the security header "X-Frame-Options." This header is used by websites to prevent their pages from being loaded inside iframes on other sites and is a primary protection against clickjacking attacks.
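The missing header is the whole defect here, so an added example (not code from the article or from Lasq) shows how a defender can audit a response's framing policy: it evaluates Content-Security-Policy frame-ancestors first, because current browsers give it precedence over X-Frame-Options, and falls back to X-Frame-Options otherwise. The header dictionaries are constructed samples, not captured Facebook responses.

```python
"""Classify how well an HTTP response protects itself against framing (clickjacking)."""
from typing import Dict


def framing_policy(headers: Dict[str, str]) -> str:
    """Return 'deny', 'sameorigin', 'restricted' or 'unprotected'.

    Per CSP3, when a frame-ancestors directive is present browsers ignore
    X-Frame-Options entirely, so CSP is evaluated first.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower().strip("'") for s in parts[1:]]
            if "*" in sources:           # any origin may frame the page
                return "unprotected"
            if sources == ["none"]:
                return "deny"
            if sources == ["self"]:
                return "sameorigin"
            return "restricted"          # explicit allow-list of origins

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    # No header, an unknown value, or the obsolete ALLOW-FROM (ignored by
    # modern browsers) all leave the page frameable.
    return "unprotected"


# Constructed samples: the first mirrors the reported condition (no header at
# all), the second is what a hardened response looks like.
MISSING_HEADER = {"Content-Type": "text/html; charset=utf-8"}
HARDENED = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

if __name__ == "__main__":
    for name, hdrs in (("missing", MISSING_HEADER), ("hardened", HARDENED)):
        print(f"{name}: {framing_policy(hdrs)}")
```

Feed it the headers of a real response (for example from `requests.head(url).headers`) to flag pages that a third-party site could embed in an iframe.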
Lasq says he reported the problem to Facebook, but the company refused to fix it. So he decided to publish the PoC.
Lasq's code does not include the clickjacking part that publishes content on the victims' walls, but if you are interested, it can be found on the internet with a simple search. Lasq's code only allows an attacker to load and run unauthorized code in a Facebook user's account.