
Researcher publishes an example of working worm code for Facebook

One group is already abusing the problem to post spam on users' walls.




In late December, a Polish security researcher published details and an example of working code that can be used to create a worm with all the necessary capabilities for Facebook.

The code exploits a vulnerability in the Facebook platform that the researcher, who goes by the online alias Lasq, observed a group of spammers abusing. The vulnerability resides in the mobile version of the pop-up dialog that offers to share content with other users. The desktop version is not affected.
Lasq says that a clickjacking vulnerability exists in the mobile version of the share dialog, which an attacker exploits through iframe elements. The group of spammers, which apparently discovered the vulnerability before Lasq, uses it to place links on the walls of Facebook users.

As Lasq explained:

Yesterday, a very annoying spam campaign took place on Facebook, during which many of my friends published a link that opened the AWS website. It was some kind of French comic book website - so who wouldn't click on this link?
And after clicking on the link, a site hosted on AWS appeared. It asked you to confirm that you are over 16 years old (in French) in order to gain access to the content. After clicking on the button, you really were sent to a page with a comic book and a bunch of ads. But at the same time, the link that you followed appeared on your Facebook wall.


The researcher said that he got to the bottom of the problem: Facebook ignores the X-Frame-Options header in the mobile version of the share dialog. According to the industry-accepted MDN documentation, sites use this header to prevent their content from being loaded inside an iframe, and it is the main protection against clickjacking.
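One way a site owner could check which framing restrictions a response actually declares, as an added example that is not part of the original article or of Lasq's code. It goes beyond the X-Frame-Options header named above by also reading the CSP frame-ancestors directive, which browsers give precedence; the function names and sample headers are constructed for illustration.

```javascript
// Classify how a response's headers restrict framing (added example).
// Header names are expected in lowercase, as Node's http module provides them.
function frameAncestors(csp) {
  // Source list of the first frame-ancestors directive, or null if absent.
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function framingPolicy(headers) {
  // An enforced frame-ancestors directive takes precedence over X-Frame-Options.
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    const list = sources.map((s) => s.toLowerCase());
    if (list.length === 0 || (list.length === 1 && list[0] === "'none'")) return 'blocked';
    if (list.length === 1 && list[0] === "'self'") return 'same-origin-only';
    return list.includes('*') ? 'frameable' : 'allowlist';
  }
  // X-Frame-Options can carry several comma-separated values.
  const xfo = new Set((headers['x-frame-options'] || '').split(',')
    .map((v) => v.trim().toLowerCase()).filter(Boolean));
  const known = ['deny', 'sameorigin', 'allowall'];
  if (xfo.size > 1) {
    // Conflicting recognised values fail closed; otherwise the header is ignored.
    return [...xfo].some((v) => known.includes(v)) ? 'blocked' : 'frameable';
  }
  if (xfo.has('deny')) return 'blocked';
  if (xfo.has('sameorigin')) return 'same-origin-only';
  // No header, obsolete ALLOW-FROM, or an unknown value: no framing protection.
  return 'frameable';
}

// Constructed sample responses, not captured from any real site.
const samples = {
  noHeaders: {},
  deny: { 'x-frame-options': 'DENY' },
  sameOrigin: { 'x-frame-options': 'SAMEORIGIN' },
  obsolete: { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  cspWins: { 'x-frame-options': 'DENY',
    'content-security-policy': "default-src 'self'; frame-ancestors https://partner.example" },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name.padEnd(12), framingPolicy(headers));
}
```

A 'frameable' verdict on a page that performs an action on the user's behalf, such as a share dialog, means the page depends on other defences against clickjacking.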

Lasq said he had reported this issue to Facebook, but the company declined to fix it.

“As expected, Facebook didn't consider this a problem, despite the fact that I was trying to explain what security implications it has,” he said. “They said that in order to consider clickjacking a security problem, the attacker should be able to change the account status (for example, disable security settings or delete the account).”

“In my opinion, they should fix this,” the researcher added. “As you can see, it will be extremely easy for an attacker to overuse this “feature” by deceiving people into sharing something on the wall. It is impossible to exaggerate the danger of such a possibility. Today it is used for spam, but I can easily imagine more complex uses of this technology.”

The researcher claims that this technique allows attackers to create self-propagating messages containing links to malicious or phishing sites.

In response to an inquiry from ZDNet, Facebook said it did not see this as a problem, just as it had told Lasq.

“We are grateful for the information received from this researcher, and at the moment we have begun work on this issue,” a Facebook representative said. “We have built in the possibility of a mobile version of the share dialogue in the iframe so that people can use it on third-party websites.”

“To prevent abuse of this function, we use clickjack detection systems for all products embedded in the iframe. We are constantly improving these systems based on the signals we receive,” Facebook told us. “Regardless of this report, this week we have already improved the clickjacking detection system, which negates the risks described in the researcher’s report.”

Lasq's code does not contain the part directly related to clickjacking, which places messages on users' walls, but a simple Internet search will give any attacker all the details and an example of the code needed to create it and add it to the published example. Lasq's code allows an attacker to download and run third-party unauthorized code in a Facebook user account.

Source: https://habr.com/ru/post/435340/

