Researcher publishes proof-of-concept code for creating Facebook worm

[silversurfer]

A Polish security researcher has published today details and proof-of-concept code that could be used for creating a fully functional Facebook worm.

This code exploits a vulnerability in the Facebook platform that the researcher --who goes online under the pseudonym of Lasq-- has seen being abused in the wild by a Facebook spammer group.

The vulnerability resides in the mobile version of the Facebook sharing dialog/popup. The desktop version is not affected.

Lasq says that a clickjacking vulnerability exists in this mobile sharing dialog that an attacker can exploit through iframe elements. The spammer group who appears to have found this issue before Lasq has been (ab)using this vulnerability to post links on people's Facebook walls.

Contacted by ZDNet, Facebook played down the issue, as they did with Lasq.

"We appreciate the researcher's report and the time he put into working on this," said a Facebook spokesperson. "We built the current ability for the mobile social plugin/share dialog to be iframed to enable people to have integrated Facebook sharing experiences on 3rd party websites."

"To help prevent abuse, we use clickjacking detection systems for any iframeable plugin product. We continuously improve these systems based on signals we observe," Facebook told us. "Independently of this report, earlier this week we made improvements to our clickjacking detections that mitigate the risks described in the researcher's report."

Source: https://www.zdnet.com/article/researcher...book-worm/