Clickjacking is a difficult problem... several researchers speculated on the ramifications for other sites, such as Facebook.

Read the full article from Social Hacking here.

...Authorizing a Facebook application requires only a single click... All of the following actions can be mistakenly performed by a user simply clicking a link or button on an innocent-looking page via clickjacking:
This list is not simply theoretical – I did some simple testing to make sure that each of these attacks worked. I also would not pretend that my list is exhaustive, and I would welcome any additions from other researchers.
- Authorize a malicious application. This can happen regardless of any privacy settings. On authorization, an application can immediately access your profile information, your photos, your posted links, your notes, your status updates, etc. It can also send notifications to your profile, send notifications to other people (anonymously or from you), and post feed stories to your wall, all with links included. Note that under default privacy settings, an application can access most of your data if a friend of yours falls prey to this type of attack.
- Authorize a legitimate application with a cross-site scripting exploit. Most applications vulnerable to such an attack allow for clickjacking installs, where a single click authorizes the application and then forwards a user to an infected application page. That landing page can then execute any of the actions listed above for a malicious application. Note that if a friend falls for this attack and you have authorized the application, all of your data is vulnerable as well.
- Post a link to your profile. This is possible by applying clickjacking to several Facebook pages used for sharing content. A custom title and description can be set for the link. Other content, such as a Flash video, can also be posted this way.
- Publish a feed story from a malicious application. Note that this can work regardless of whether you have authorized the application. Applications may publish feed stories without prior authorization by a single click, though this does not grant them access to a user’s data. The feed story may include images, descriptive text, and links. The application can also pre-populate the user’s comments on the story, which would then be submitted upon execution of the clickjacking attack.
- Send a message to another user. The recipient, subject, and message content, including links, can all be pre-populated. This no longer gives the recipient more access to data than usual, but could still be easily used to spread malware.
- Send a friend request to another user. This means that a victim could unknowingly send a friend request to a malicious attacker’s profile, and the attacker would simply need to approve the request to gain access to everything on a user’s profile that their friends can access by default.
- Harvest a user’s post_form_id. Those familiar with Facebook’s code will realize how serious this issue is. However, exploiting a post_form_id also requires knowing a user’s Facebook ID, and so far this attack does not provide the latter.
I hope this list will help raise awareness of the potential dangers of clickjacking.
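Every attack on the list above depends on the target page being embeddable in a cross-site iframe. As an added example (not from the Social Hacking article, and not Facebook's code), this is the check a site operator can run against a page's response headers to confirm that framing is refused; the sample responses are constructed.

```javascript
// Audit whether HTTP response headers prevent a page from being framed.
// Rules: a CSP frame-ancestors directive takes precedence over X-Frame-Options;
// X-Frame-Options DENY / SAMEORIGIN count as protection; ALLOW-FROM is treated
// as no protection because modern browsers ignore it.

function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      // strip the single quotes around keywords such as 'none' and 'self'
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function auditFramingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors) {
    if (ancestors.length === 1 && ancestors[0] === 'none')
      return { protected: true, reason: "CSP frame-ancestors 'none'" };
    if (ancestors.includes('*'))
      return { protected: false, reason: 'CSP frame-ancestors allows any origin' };
    return { protected: true, reason: 'CSP frame-ancestors limited to ' + ancestors.join(' ') };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN')
    return { protected: true, reason: 'X-Frame-Options ' + xfo };
  if (xfo.startsWith('ALLOW-FROM'))
    return { protected: false, reason: 'X-Frame-Options ALLOW-FROM is ignored by modern browsers' };
  if (xfo)
    return { protected: false, reason: 'unrecognized X-Frame-Options value: ' + xfo };
  return { protected: false, reason: 'no framing restriction: page can sit inside a cross-site iframe' };
}

// Constructed sample responses: one framable page, two protected ones.
const SAMPLES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfo: { 'Content-Type': 'text/html', 'X-Frame-Options': 'SAMEORIGIN' },
  csp: { 'Content-Type': 'text/html',
         'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
};

for (const [name, headers] of Object.entries(SAMPLES))
  console.log(name, auditFramingProtection(headers));
```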