T/S Ad Slant (What is this?)
The T/S Ad Slant, similar to an advertorial in a magazine or newspaper, is a form of paid advertising. Each T/S Ad Slant is written, edited, and produced by the advertiser with tools like those used by True/Slant contributors. Please contact advertise@trueslant.com for more information.
 
Sponsor Message

Jun. 10 2010 - 6:19 pm | 700 views | 0 recommendations | 0 comments

Facebook says you Like Justin Bieber – but you don’t, really!! How to avoid clickjacking

NYC signing September 1,2009 Nintendo Store - NYC

Image via Wikipedia

I’m not a Facebook liker of Justin Bieber. I mean, I know he is some teen singer, formerly the most trending topic on Twitter, and OK, I found out he’s Canadian… but I don’t care. I’d never Like him on Facebook. But if I get ‘clickjacked’, all my Facebook friends will think I do. How embarassing!

But, let’s be honest, that’s kid’s stuff… this is the Internet, I could end up sending some terrible, REALLY embarrassing things to all my friends.

Did you click a Like link this week on someone’s web page? Does Facebook say you did, but you don’t remember? You may have been PRANKED! Many Facebook users are becoming victims of the latest social engineering prank, “clickjacking”. And it might get worse.

If it was something like this link on LikeThisThing, eg: http://www.likethisthing.com/getting-drunk/ (Hey- be careful on that page, OK? Click on NOTHING!) then – were you a victim?

The site has no privacy policy and was only set up about a week ago by someone shy enough to hide their identity in their domain registration records. Yet, by using Facebook’s social plugins to allow you to Like “sleep” or “sex” or  “money”, the site developer gets the ability to access your Facebook id and post on your wall. What are they up to? And would you willingly click that Like button? Did you? Seems highly unlikely people would rationally click on several of the phrases on the site… so what’s going on?

What exactly is “clickjacking“? Essentially, it’s a way for a website developer to get you to click on something you never intended to click on, by overlaying a transparent layer on what you thought you were clicking on (usually something a lot more innocent, such as “Click here to continue”).

Why bother? Because the Facebook “Like” button, and many other social plugins such as the voting buttons to the right of this post, are designed as iframes, little web windows from, say, Trueslant.com into Facebook.com or Reddit.com. When you click on the Facebook Share button, you’re interacting with Facebook.com and not True/Slant. If you’re logged in to Facebook, the Share button will generate a Facebook Share. And if someone engineered a page with what looks like a link to a video, or another page, but placed over that link a transparent iframe to Facebook’s Like button, then your action will generate a click to Facebook. Facebook assumes you intended to click “Like” and immediately registers the Like, which you might not be aware of. And Facebook has no way to know you didn’t take that action willingly.

The benefit to the culprits is getting their page exposed to your friends via your wall post; from there, your friends also help spread the attack as they follow the link to the offending website. Combine clickjacking with sketchy sites – such as the one above – and you have viral embarrassment! (And someone has a chuckle, or worse… they trigger a Paypal payment or an Amazon.com purchase)

Part of this problem is Facebook’s attempt to dominate the online world. Placing their Like button on other websites is a big part of it. And that Like button needs to behave, on those sites, just as it behaves on Facebook – by instantly updating, no fancy pop-up dialog to confirm the action. But that removes the one obstacle to clickjacking and is what makes this attack so easy.

If you’re browsing with Firefox and use the popular NoScript plugin, then you will usually be protected from these attempts. You’ll usually get warnings about such clickjacking attempts. (And a few false alarms, because the NoScript software is a bit sensitive). But users of other browsers, including  Internet Explorer and Safari, have (to my knowledge) no similar protection from these “social engineering” attacks. And the attacks might get more harmful than just egg on your face.

The social networking and plugin providing websites – such as Facebook, Digg, and Reddit – will likely need to make changes to how their plugins work. For example, the Facebook Share button always brings up a confirmation dialog, from which you can cancel. But the new Facebook Like button has no such dialog – maybe Facebook needs one? I think it does, even if it changes the user’s experience.

In the meantime, it may be worth putting on a tinfoil hat, and using a browser with some clickjacking protection, to avoid these exploits.


Comments

No Comments Yet
Post your comment »
 
Log in for notification options
Comments RSS
 

Post Your Comment

You must be logged in to post a comment

Log in with your True/Slant account.

Previously logged in with Facebook?

Create an account to join True/Slant now.

Facebook users:
Create T/S account with Facebook
 

About

webtrends
Webtrends is a customer intelligence company that turns data into understanding. Founders of the web analytics industry in 1993, we crunch the numbers our customers care about — on their web sites, blogs, SEM campaigns, you name it — to uncover business trends and competitive advantage. Our philosophy of Open Exchange guides the development of our technology and the way we run our business. We believe in the free flow of data among systems, transparency with our customers and collective problem solving with our partners. We succeed when our customers and partners do first.

See our profile »

Our Contributors

Robin CangieRobin Cangie
Followers: 28
Contributor Since: December 2009
Location:Portland, OR

Our Activity Feed