The Clickjacking Bug that Facebook Won’t Fix


A security professional exposed to a spam campaign on Facebook discovered the method used by the perpetrator and submitted a report through the company’s bug bounty program. The issue still exists because Facebook dismissed it on the grounds that it does not change the state of the account.

Proof-of-concept code demonstrates how easy it would be for an app developer to distribute arbitrary links over Facebook.

Spam campaign piques interest

The expert started to analyze the spam campaign after noticing that many of their friends published a link to a website with funny pictures. Before reaching the chucklesome content, users had to declare that they were at least 16 years old.
