Facebook says you Like Justin Bieber – but you don’t, really!! How to avoid clickjacking
I’m not a Facebook liker of Justin Bieber. I mean, I know he is some teen singer, formerly the most trending topic on Twitter, and OK, I found out he’s Canadian… but I don’t care. I’d never Like him on Facebook. But if I get ‘clickjacked’, all my Facebook friends will think I do. How embarrassing!
But, let’s be honest, that’s kid’s stuff… this is the Internet, I could end up sending some terrible, REALLY embarrassing things to all my friends.
Did you click a Like link this week on someone’s web page? Does Facebook say you did, but you don’t remember? You may have been PRANKED! Many Facebook users are becoming victims of the latest social engineering prank, “clickjacking”. And it might get worse.
If it was something like this link on LikeThisThing, e.g. http://www.likethisthing.com/getting-drunk/ (Hey, be careful on that page, OK? Click on NOTHING!), then were you a victim?
What exactly is “clickjacking”? Essentially, it’s a way for a website developer to get you to click on something you never intended to click on, by overlaying a transparent layer on top of what you thought you were clicking on (usually something a lot more innocent, such as “Click here to continue”).
Why bother? Because the Facebook “Like” button, and many other social plugins such as the voting buttons to the right of this post, are designed as iframes, little web windows from, say, Trueslant.com into Facebook.com or Reddit.com. When you click on the Facebook Share button, you’re interacting with Facebook.com and not True/Slant. If you’re logged in to Facebook, the Share button will generate a Facebook Share. And if someone engineered a page with what looks like a link to a video, or another page, but placed over that link a transparent iframe to Facebook’s Like button, then your action will generate a click to Facebook. Facebook assumes you intended to click “Like” and immediately registers the Like, which you might not be aware of. And Facebook has no way to know you didn’t take that action willingly.
The benefit to the culprits is getting their page exposed to your friends via your wall post; from there, your friends also help spread the attack as they follow the link to the offending website. Combine clickjacking with sketchy sites – such as the one above – and you have viral embarrassment! (And someone has a chuckle, or worse… they trigger a PayPal payment or an Amazon.com purchase.)
Part of this problem is Facebook’s attempt to dominate the online world. Placing their Like button on other websites is a big part of it. And that Like button needs to behave, on those sites, just as it behaves on Facebook – by instantly updating, no fancy pop-up dialog to confirm the action. But that removes the one obstacle to clickjacking and is what makes this attack so easy.
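The overlay trick described above leaves a fingerprint in the page itself: a frame that is (almost) fully transparent, positioned on top of something the visitor would actually want to click, and still able to receive clicks. The following is an added example, not code from the original post or from any of the sites it names: a small audit that a page owner or a browser extension could run over a page’s iframes to flag that pattern. The frame and link records are constructed sample data; in a live page they would be built from `getComputedStyle()` and `getBoundingClientRect()`, and the opacity threshold is an assumption.

```javascript
// Added example (not from the original post): heuristic audit for invisible
// iframe overlays sitting on top of visible, clickable page elements.

// Frames fainter than this are invisible to a person but still take clicks.
// Assumed threshold, not a browser constant.
const OPACITY_THRESHOLD = 0.1;

// Axis-aligned overlap test on {x, y, width, height} rectangles.
function rectsOverlap(a, b) {
  return a.x < b.x + b.width && b.x < a.x + a.width &&
         a.y < b.y + b.height && b.y < a.y + a.height;
}

// A frame can steal a click only if it is stacked over the page (absolute or
// fixed positioning), is effectively invisible, and still receives pointer
// events (pointer-events:none frames cannot intercept clicks).
function isInvisibleOverlay(frame) {
  const s = frame.style;
  const overlaid = s.position === "absolute" || s.position === "fixed";
  const invisible = Number(s.opacity) < OPACITY_THRESHOLD;
  const takesClicks = s.pointerEvents !== "none";
  return overlaid && invisible && takesClicks;
}

// Returns one finding per suspicious frame: its src and the labels of the
// clickable elements its rectangle covers. Frames that cover nothing
// clickable are not reported, since there is no click to hijack.
function findClickjackOverlays(frames, clickables) {
  const findings = [];
  for (const frame of frames) {
    if (!isInvisibleOverlay(frame)) continue;
    const covered = clickables
      .filter(el => rectsOverlap(frame.rect, el.rect))
      .map(el => el.label);
    if (covered.length > 0) findings.push({ src: frame.src, covers: covered });
  }
  return findings;
}

// Constructed sample page: one ordinary embedded video frame, and one faint
// third-party button frame placed exactly over a "Play video" link.
const SAMPLE_FRAMES = [
  { src: "https://video.example/embed/123",
    style: { position: "static", opacity: "1", pointerEvents: "auto" },
    rect: { x: 20, y: 300, width: 480, height: 270 } },
  { src: "https://social.example/plugins/like",
    style: { position: "absolute", opacity: "0.01", pointerEvents: "auto" },
    rect: { x: 250, y: 120, width: 90, height: 24 } },
];
const SAMPLE_CLICKABLES = [
  { label: "Play video", rect: { x: 240, y: 115, width: 110, height: 30 } },
  { label: "Home", rect: { x: 10, y: 10, width: 60, height: 20 } },
];

// In a real page: frames from document.querySelectorAll("iframe") with
// getComputedStyle()/getBoundingClientRect(), clickables from "a, button".
function auditSample() {
  return findClickjackOverlays(SAMPLE_FRAMES, SAMPLE_CLICKABLES);
}

console.log(JSON.stringify(auditSample()));
```

Running the sample reports only the faint social-plugin frame, and names the “Play video” link it covers; the visible video embed is ignored. This is a heuristic, not a proof: an overlay can also be hidden by clipping or by being pushed behind a see-through element, so a check like this belongs alongside, not instead of, the browser-side protections discussed later in the post.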
If you’re browsing with Firefox and use the popular NoScript plugin, then you will usually be protected from these attempts: you’ll get warnings about such clickjacking attempts (and a few false alarms, because the NoScript software is a bit sensitive). But users of other browsers, including Internet Explorer and Safari, have (to my knowledge) no similar protection from these “social engineering” attacks. And the attacks might get more harmful than just egg on your face.
The social networking and plugin-providing websites – such as Facebook, Digg, and Reddit – will likely need to make changes to how their plugins work. For example, the Facebook Share button always brings up a confirmation dialog, from which you can cancel. But the new Facebook Like button has no such dialog – maybe Facebook needs one? I think it does, even if it changes the user’s experience.
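Plugin providers aside, a site that does not want its own pages framed at all has a server-side defence: it can tell the browser who is allowed to embed it. The following is an added example, not code from the original post or from Facebook, Digg or Reddit: it builds the two response headers that control framing, and includes a checker that mirrors the browser’s allow-list decision so a policy can be unit-tested before it ships. The origin names are constructed. Note the caveat that a widget that must be embeddable on every site, like the Like button discussed above, cannot use these headers, which is exactly why the confirmation step the author asks for matters there.

```javascript
// Added example (not from the original post): anti-framing response headers
// and a checker that mirrors the browser's frame-ancestors decision.

// Builds headers for a given allow-list of embedding origins ("self" means the
// page's own origin). An empty list means "never frame me", the right choice
// for any page with a one-click action. X-Frame-Options only knows DENY and
// SAMEORIGIN, so it is emitted only when it can express the policy exactly;
// browsers that understand frame-ancestors apply it and ignore X-Frame-Options.
function antiFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      "Content-Security-Policy": "frame-ancestors 'none'",
      "X-Frame-Options": "DENY",
    };
  }
  const sources = allowedOrigins
    .map(o => (o === "self" ? "'self'" : o))
    .join(" ");
  const headers = { "Content-Security-Policy": `frame-ancestors ${sources}` };
  if (allowedOrigins.length === 1 && allowedOrigins[0] === "self") {
    headers["X-Frame-Options"] = "SAMEORIGIN";
  }
  return headers;
}

// Does one frame-ancestors source match the origin of an embedding page?
// Supports "self", exact origins, and a leading "*." wildcard on the host
// (e.g. https://*.partner.example). Origins are "scheme://host" strings;
// port handling is deliberately left out of this example.
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  if (source === "self") return ancestorOrigin === pageOrigin;
  const star = source.indexOf("://*.");
  if (star === -1) return source === ancestorOrigin;
  const scheme = source.slice(0, star + 3);   // e.g. "https://"
  const suffix = source.slice(star + 4);      // e.g. ".partner.example"
  return ancestorOrigin.startsWith(scheme) &&
         ancestorOrigin.endsWith(suffix) &&
         // require at least one label before the suffix
         ancestorOrigin.length > scheme.length + suffix.length;
}

// True if a page at pageOrigin may be framed by a page at ancestorOrigin.
function mayBeFramedBy(pageOrigin, ancestorOrigin, allowedOrigins = []) {
  return allowedOrigins.some(src => sourceMatches(src, ancestorOrigin, pageOrigin));
}

// Stand-alone demo with constructed origins.
console.log(antiFramingHeaders());
console.log(antiFramingHeaders(["self", "https://*.partner.example"]));
console.log(mayBeFramedBy("https://shop.example", "https://a.partner.example",
                          ["self", "https://*.partner.example"])); // true
```

In a real deployment the object returned by `antiFramingHeaders` is simply set on every HTML response (for example via `res.set(...)` in Express); the `mayBeFramedBy` checker is for tests and for reasoning about a policy, since the enforcement itself happens in the visitor’s browser.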
In the meantime, it may be worth putting on a tinfoil hat, and using a browser with some clickjacking protection, to avoid these exploits.