Facebookers hit with steamy clickjacking exploit

Facebook administrators have blocked a clickjacking exploit that displayed images of a scantily clad woman on profile pages without first prompting the user for permission. The attack began when a victim encountered the image of the near-naked woman on a friend's profile page along with the words "Want 2 C something hot? Click …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    FAIL

    Not just this.

    This hasn't been the only clickjacking on Facebook of late, another being a "free copy of Assassin's Creed 2" being posted on many people's feeds.

    You click it, it takes you to an advertising page where you are to click a button on the picture of the Xbox 360 to turn the Xbox on, whereupon it posts the same advert you clicked from Facebook on your feed.

    Complete negligence on Facebook's part.

  2. Kanhef
    Boffin

    Possible solution

    It should be possible to make browsers detect this sort of exploit. Make a copy of the page and simulate a mouse click on every link to see where it would actually go. Display a warning if that's different from the link on the page, or where using keyboard navigation would go. Just scrutinizing every use of 'onclick' should catch a lot of them.

  3. Mr Ian

    @Kanhef

    I think Firefox's NoScript addon detects clickjacking quite effectively. So it's definitely detectable, and has saved me a few times as well.
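An added example, not code from the article or from any of the commenters above: the server-side check that decides whether the framing clickjacking depends on is possible at all. Given the response headers a page is served with, it evaluates the X-Frame-Options header (RFC 7034) and the CSP frame-ancestors directive against the origin of the page that wants to frame it. The hostnames social.example, partner.example and the attacker page are made up for the demonstration.

```javascript
// Added example (not code from the article or any commenter). Given the
// response headers a site sends for a page, decides whether that page may be
// rendered inside a frame on another page, which is the precondition for the
// invisible-iframe overlay used in clickjacking. Implements the
// X-Frame-Options rules from RFC 7034 and the CSP frame-ancestors directive;
// when both headers are present, current browsers honour frame-ancestors and
// ignore X-Frame-Options, and this function does the same.

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // scheme://host[:port]
}

// Does one frame-ancestors source expression admit framerOrigin?
// Handles 'none', 'self', *, scheme-source ("https:") and host-source
// ([scheme://][*.]host[:port]). A host-source written without a scheme is
// not checked against the framer's scheme here.
function ancestorMatches(src, framerOrigin, pageOrigin) {
  src = src.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return framerOrigin === pageOrigin;
  if (src === "*") return true;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framer.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && `${scheme}:` !== framer.protocol) return false;
  const hostname = framer.hostname.toLowerCase();
  if (wildcard ? !hostname.endsWith(`.${host}`) : hostname !== host) return false;
  if (port && port !== "*") {
    const framerPort = framer.port || (framer.protocol === "https:" ? "443" : "80");
    if (framerPort !== port) return false;
  }
  return true;
}

// headers: plain object of response header name -> value (names in any case).
// Returns true when the page at pageUrl may be framed by the page at framerUrl.
function framingAllowed(headers, pageUrl, framerUrl) {
  const header = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };
  const pageOrigin = originOf(pageUrl);
  const framerOrigin = originOf(framerUrl);

  const csp = header("content-security-policy");
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim().split(/\s+/))
      .find((d) => d[0].toLowerCase() === "frame-ancestors");
    if (directive) {
      // An empty source list means 'none'; otherwise any matching source admits the framer.
      return directive.slice(1).some((s) => ancestorMatches(s, framerOrigin, pageOrigin));
    }
  }

  const xfo = header("x-frame-options");
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === "DENY") return false;
    if (value === "SAMEORIGIN") return framerOrigin === pageOrigin;
    // ALLOW-FROM and unrecognised values are ignored by current browsers,
    // so they fall through to "allowed".
  }
  return true; // no policy at all: any site can frame the page
}

// Constructed demonstration: a profile page on a made-up social site and a
// made-up bait page that wants to frame it.
const PROFILE = "https://social.example/profile/alice";
const BAIT = "https://want2csomethinghot.example/bait";
console.log("no headers ->", framingAllowed({}, PROFILE, BAIT));
console.log("DENY       ->", framingAllowed({ "X-Frame-Options": "DENY" }, PROFILE, BAIT));
console.log("self only  ->", framingAllowed({ "Content-Security-Policy": "frame-ancestors 'self'" }, PROFILE, BAIT));
```

The point the first call makes is the one that matters for the thread: with no anti-framing header at all, the default is that any site may frame the page, and an invisible iframe over a "click here" decoy is enough. The function checks only the immediate framer; for nested frames a browser evaluates frame-ancestors against every ancestor in the chain, so a page that passes here can still be blocked when it is framed inside a frame.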

  4. Winkypop Silver badge
    Coat

    Your facebook

    Your arse, what's the difference?

  5. Simpson

    Fixed?

    "We’ve blocked the URL"...

    Sounds like quite the solution.

    A response of "we've blocked 1 IP out of 4 billion" would have been pretty lame. But "we’ve blocked one URL out of * ", is just plain funny.

    I feel bad for all of the <strike>web 2.0</strike> High School 2.0 users out there.

  6. Anonymous Coward

    Those who wish to safely see something hot

    can find it in all its probably NSFW glory here:

    http://fitzgerald.blog.avg.com/2009/11/new-facebook-worm-dont-click-da-button-baby.html

    This comment provided as a public service for nudity-starved commentards.

  7. Mike Bell
    Stop

    @Possible Solution

    Buy Now? I don't think so.

  8. lpopman
    Coat

    @Winkypop

    let me fix that for you:

    your arsebook, what's the difference?

    much better ;)
