A security researcher has used Facebook’s bug bounty program to report a spam campaign running on the social network. The researcher demonstrated how the campaign works: it allows an app developer to distribute arbitrary links on the site through users’ own accounts.
Facebook has not addressed the issue, saying that it does not change the state of the affected account.
The researcher began analysing the campaign when he noticed his Facebook friends sharing a link to a website of funny pictures. Users who clicked the link were shown a message asking them to confirm that they were at least 16 years old.
After confirming their age, they were redirected to a site with funny photos and a large number of ads. Confirming their age, however, also caused the link they had just clicked to be posted to their own wall, on their behalf. That exposes the link to more users, who repeat the same process.
The attack has affected users of the Android Facebook app in France and doesn’t appear to work in the browser version.
This is a clickjacking scam: the decoy site loads the target page in an invisible iframe placed over the visible “confirm your age” button, so the user’s tap lands on the framed page’s control that posts the link to their wall rather than on the button they see. The technique only works on mobile.
Facebook responded quickly to the researcher’s report but does not consider the issue a security vulnerability, since it does not change the account’s settings. Many security professionals disagree. In this case the campaign’s aim appears to be driving visits to the site so that more users see its ads and the operators earn money from them, but the same technique could just as easily be used to spread malware.