With clickjacking worms becoming an increasing problem on
Facebook, a study by IT security and data protection firm Sophos
has revealed that 95% of those polled do not believe that Facebook
is doing enough to stop them.
The attacks, dubbed 'likejacking' by Sophos, abuse the embeddable 'Like'
button: the button is loaded in a transparent frame over the content the
victim intends to click, so that the click registers as a 'Like' and the
user's Facebook page is updated to say that they 'like' a third-party
webpage. This update is automatically shared with the user's Facebook
friends via the website's newsfeed, helping the attacks to spread rapidly
across the social network.
Yesterday, the latest widespread attack struck Facebook users,
tricking them into 'liking' a webpage entitled
'101 Hottest Women in the World' with a picture of Jessica
Alba.

Sophos conducted a poll of 600 internet users asking: "Do you
think Facebook is doing enough to stop clickjacking worms?" Of
those polled, 95% voted no, emphasising the urgent need for
Facebook to fix the problem.
Although the attacks have yet to deliver a malicious payload, they
demonstrate an exploitable weakness in the way that Facebook works: a
click the user intended for something else can be silently converted
into a 'Like', and the same mechanism could just as easily steer the
user's friends towards malware or phishing pages.
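Clickjacking only works because the targeted page can be loaded inside a frame on the attacker's site. The Like button is designed to be framed, which is why Facebook's side needs a mitigation such as the confirmation step described below; any site with its own click-sensitive actions, however, can refuse to be framed outright. The following added example (not Sophos's or Facebook's code) shows how a browser decides whether a response may be framed, given the two headers that control it: `Content-Security-Policy: frame-ancestors`, which takes precedence, and `X-Frame-Options`. The origins `site.example` and `attacker.example` are made up for the demonstration.

```javascript
// Added example: evaluate whether a page at `pageUrl` may be rendered inside a
// frame embedded by a page at `parentUrl`, applying the anti-clickjacking
// headers the way browsers do. Header names and values are the real ones;
// the site and attacker origins used below are constructed for illustration.

// Case-insensitive header lookup on a plain { name: value } object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Extract the frame-ancestors source list from a CSP header value.
// Returns null when the directive is absent (then X-Frame-Options applies).
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Match one frame-ancestors source expression against the embedding page.
function sourceMatches(source, parent, self) {
  if (source === "'none'") return false;
  if (source === "'self'") return parent.origin === self.origin;
  if (source === '*') return true;
  if (source.endsWith(':')) return parent.protocol === source; // scheme-source, e.g. https:
  // host-source: [scheme://][*.]host[:port|:*]
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && parent.protocol !== `${scheme}:`) return false;
  if (wildcard ? !parent.hostname.endsWith(`.${host}`) : parent.hostname !== host) return false;
  if (port && port !== '*') {
    const parentPort = parent.port || (parent.protocol === 'https:' ? '443' : '80');
    if (parentPort !== port) return false;
  }
  return true;
}

// Returns true when the browser would let `parentUrl` frame `pageUrl`.
function framingAllowed(headers, pageUrl, parentUrl) {
  const self = new URL(pageUrl);
  const parent = new URL(parentUrl);

  // CSP frame-ancestors, when present, overrides X-Frame-Options entirely.
  const ancestors = frameAncestors(header(headers, 'content-security-policy'));
  if (ancestors !== null) {
    return ancestors.some((src) => sourceMatches(src, parent, self));
  }

  const xfo = (header(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parent.origin === self.origin;
  // No header, or an unrecognised value (including the obsolete ALLOW-FROM,
  // which current browsers ignore): the page is framable by anyone.
  return true;
}

// The header pair a site should send on any page with click-sensitive actions.
// Both are set so that older browsers without CSP support are covered too.
function hardenedHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'self'",
    'X-Frame-Options': 'SAMEORIGIN',
  };
}

// Demonstration with constructed origins: the weak (header-less) response is
// framable from the attacker's decoy page; the hardened one is not.
const PAGE = 'https://site.example/account/delete';
const DECOY = 'https://attacker.example/101-hottest';
console.log('no headers     ->', framingAllowed({}, PAGE, DECOY));
console.log('hardened       ->', framingAllowed(hardenedHeaders(), PAGE, DECOY));
// A widget built to be embedded anywhere, like a 'Like' button, must stay
// framable, so headers cannot protect it; that is the confirmation-step case.
console.log('embeddable     ->', framingAllowed({ 'Content-Security-Policy': 'frame-ancestors *' }, PAGE, DECOY));
```

The last line is the crux for this story: a page that must allow `frame-ancestors *` cannot rely on the browser to stop clickjacking, so the only defences left are on the widget's own side, such as requiring an explicit confirmation before the click takes effect.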
"Facebook clearly hasn't been security-conscious enough in the
implementation of its social 'like' plugin. This leaves the system
open to abuse by spammers and scammers, and exposes users to the
risk of outside threats," said Graham
Cluley, senior technology consultant at Sophos. "One solution
would be for Facebook to implement ways for members to make a more
conscious decision as to whether they want to 'Like' third party
content or not. By having a pop-up box asking whether users are
sure they want to 'Like' a particular page, or offering the option
to disable the third-party 'like' feature entirely, the spread of
these attacks would be much easier to control."
"What's clear is that Facebook needs to set up a proper
early-warning system to alert users about breaking threats. It
seems wrong that the only place where Facebook users can read about
the latest attacks is on the pages run by security vendors on
Facebook, rather than Facebook's own security pages," continued
Cluley.
Sophos has its own Facebook group,
which warns of emerging threats on the site.
Note: Please bear in mind that this
poll is not scientific and is provided for information purposes
only. Sophos makes no guarantees about the accuracy of the results
other than that they reflect the choices of the users who
participated.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.