PoC for Facebook Worm: A Polish security researcher today published a PoC that could be used to create a fully functional Facebook worm.
The code exploits a security gap on the Facebook platform. The researcher, who uses the alias Lasq, discovered the vulnerability when he noticed spammers using it on Facebook.
The vulnerability is in the mobile application version. The desktop version is unaffected.
Lasq reports that the vulnerability allows clickjacking and that an attacker can exploit it through iframes.
Yesterday I noticed a very annoying SPAM campaign on Facebook, where many of my friends posted a link to a site hosted on an AWS bucket. There was also a link to a French site with funny comic books.
After clicking on the link, the page hosted on the AWS bucket appeared and asked you to verify whether you are 16 or older (in French) in order to access the content. After you clicked the button, the page redirected you to a page with funny comics (and lots of ads). However, in the meantime, the same link you had just clicked was also automatically posted on your Facebook wall.
The researcher investigated the issue and noticed that the "X-Frame-Options" security header was completely ignored. Websites use this header to prevent their pages from being loaded inside iframes, and it is a primary defense against clickjacking attacks.
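The header check described above, as an added example that is not part of Lasq's PoC or of the original article. It goes one step beyond the text by also reading the Content-Security-Policy `frame-ancestors` directive, which supporting browsers apply instead of X-Frame-Options; the function names and the sample responses are constructed for illustration.

```python
# Added example: classify a response's anti-framing policy from its headers.
WIDE_OPEN = {"*", "http:", "https:"}  # sources that match any web origin


def csp_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_policy(headers):
    """Return 'deny', 'sameorigin', 'allowlist' or 'unprotected'."""
    h = {k.lower(): v for k, v in headers.items()}
    # Browsers that support frame-ancestors apply it instead of X-Frame-Options.
    sources = csp_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if not sources or sources == ["'none'"]:
            return "deny"
        if sources == ["'self'"]:
            return "sameorigin"
        return "unprotected" if WIDE_OPEN & set(sources) else "allowlist"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return xfo.lower()
    # Missing, invalid, or the obsolete ALLOW-FROM: modern browsers ignore it.
    return "unprotected"


def unprotected_variants(responses):
    """Names of page variants that any origin could load in an iframe."""
    return sorted(n for n, hdrs in responses.items()
                  if framing_policy(hdrs) == "unprotected")


# Constructed sample responses for hypothetical variants of one page.
SAMPLES = {
    "desktop": {"X-Frame-Options": "DENY"},
    "mobile": {"Content-Type": "text/html"},
    "legacy": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "embed": {"Content-Security-Policy":
              "default-src 'self'; frame-ancestors https://partner.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, framing_policy(hdrs))
    print("frameable by anyone:", unprotected_variants(SAMPLES))
```

Running the same check against every variant of a page (desktop, mobile, embedded views) shows whether one of them is served without framing protection while the others have it.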
Lasq said he reported the problem to Facebook, but the company refused to correct it. So he decided to publish the PoC.
Lasq's code doesn't include the clickjacking part, the one that posts content to victims' walls, but if you're interested and want to find it, it can be found on the Internet with a simple search. Lasq's code only allows an attacker to load and execute unauthorized code on a Facebook user account.