Facebook worm: caution, a PoC is circulating

PoC for a Facebook worm: A Polish security researcher today published a PoC that could be used to build a fully functional Facebook worm.

The code exploits a security hole in Facebook's platform. The researcher, who goes by the alias Lasq, discovered the vulnerability when he noticed it being used by spammers on Facebook.

The vulnerability is in the mobile version of the application. The desktop version is unaffected.

Lasq reports that the vulnerability allows clickjacking and that an attacker can exploit it through iframes.

Lasq explains:

Yesterday I noticed a very annoying SPAM campaign on Facebook, where many of my friends posted a link to a site hosted on an AWS bucket. There was also a link to a French site with funny comic books.

Once you clicked on the link, the page hosted on the AWS bucket was displayed, asking you (in French) to verify that you are 16 years old or older to access the content. Once you clicked the button, you were taken to a page with a funny comic (and many ads). However, in the meantime the same link you had just clicked was automatically posted on your Facebook wall.

The researcher looked into the issue and noticed that the vulnerable mobile page completely lacks the “X-Frame-Options” security header. This header is used by websites to prevent their pages from being loaded inside iframes and is a primary defense against clickjacking attacks.
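To make the defense named above concrete, here is a small checker that classifies a response's anti-framing headers. This is example code added to this page; it is not Lasq's PoC and not anything published by Facebook. The header names and values are the standard X-Frame-Options and Content-Security-Policy frame-ancestors; the sample header sets are constructed for the example.

```python
"""Added example: classify a response's anti-framing headers.

The clickjacking described above works because the vulnerable page can be
loaded in an <iframe>. A page is protected only if it sends X-Frame-Options
(DENY or SAMEORIGIN) or, preferably, a Content-Security-Policy with a
restrictive frame-ancestors directive. The sample responses below are
constructed for this example and are not real Facebook headers.
"""
from typing import Dict, List, Mapping, Optional


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of frame-ancestors, or None if the directive is absent.

    An empty source list matches nothing, so it is equivalent to 'none'.
    """
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None


def frame_protection(headers: Mapping[str, str]) -> str:
    """Classify anti-framing protection as 'csp', 'xfo', 'weak' or 'none'.

    'csp'  - CSP frame-ancestors restricts who may frame the page (browsers
             give it precedence over X-Frame-Options when both are present).
    'xfo'  - only X-Frame-Options DENY/SAMEORIGIN is present.
    'weak' - a header is present but does not actually block framing
             (frame-ancestors * or scheme-only sources, or the obsolete
             ALLOW-FROM syntax that modern browsers ignore).
    'none' - no anti-framing header at all: the situation the article describes.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    csp = h.get("content-security-policy")
    if csp is not None:
        ancestors = _frame_ancestors(csp)
        if ancestors is not None:
            permissive = any(
                src == "*" or (src.endswith(":") and not src.startswith("'"))
                for src in ancestors
            )
            return "weak" if permissive else "csp"
    xfo = h.get("x-frame-options")
    if xfo is not None:
        return "xfo" if xfo.strip().upper() in ("DENY", "SAMEORIGIN") else "weak"
    return "none"


def hardened_headers() -> Dict[str, str]:
    """Headers a site should add to every HTML response to stop framing.

    Both are sent: CSP for modern browsers, X-Frame-Options for older ones.
    """
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


# Constructed sample responses for the demo (not captured from any real site).
SAMPLES: Dict[str, Dict[str, str]] = {
    "unprotected-mobile-page": {"Content-Type": "text/html; charset=utf-8"},
    "xfo-only": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "csp-strict": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example"
    },
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *"},
}


def audit(samples: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """Map each sample name to its classification."""
    return {name: frame_protection(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{name:24s} {verdict}")
```

The checker treats a CSP frame-ancestors directive as authoritative, since browsers that support it ignore X-Frame-Options when both are present; a page that sends only the deprecated ALLOW-FROM form, or a wildcard source list, is reported as weak because it still ends up framable.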

Lasq said he reported the problem to Facebook, but the company declined to fix it. So he decided to publish the PoC.

Lasq's code doesn't include the clickjacking part, the one that posts content to victims' walls, but if you're interested and want to find it, it's on the with a simple . Lasq's code only allows an attacker to load and execute unauthorized code in a Facebook user's account.

iGuRu.gr

Written by giorgos
