Facebook is the biggest social network, and in spite of the controversy over how (poorly) it protects users’ privacy, it doesn’t stop growing. One of the easiest actions it enables is to say that you “like” something. When we are logged in to this social network, just by clicking the corresponding icon you express that you like a friend’s picture, a comment, an application… and you can also say that you like something without being on a Facebook page. Many websites have added this feature, so that you can say that you like something with a single click as long as you’re logged in to Facebook. The best way to understand this is with an example: for more than a year I’ve been playing an online role-playing game about vampires called Blood Wars, which has nothing to do with Facebook. However, the option to say on Facebook that you like it has recently been added to the main site of the game:
When clicking this link, your Facebook page is automatically updated, indicating that you like Blood Wars:
That’s good: it’s easy for Facebook users, and it’s great for companies, as people can talk about them or their products effortlessly… Then, where is the problem? Well, we’re talking about websites, and with some simple JavaScript code we can “corrupt” the original purpose of this functionality. Imagine that I add an icon to the PandaLabs blog so that you can say that you like PandaLabs. You’ll assume that your Facebook account will be updated with the information that you like PandaLabs. But what if I’ve changed the code to “to know that he is dummy”? On Facebook, you’ll see the following text: “Luis likes to know that he is dummy”. Well, this is not so serious; it’s just a joke. We could make it more interesting: I could add a link promising that if you click on it you’ll enter an iPad prize draw, but instead THE TEXT I WANT will be displayed on Facebook 🙂
But let’s put ourselves in the place of a cybercrook who is looking for money. They may want to make money by getting you to visit, for example, a website that contains advertisements. Or, even worse, one that distributes malware, so that we get infected by rogueware, Trojans, etc. For the moment we haven’t seen any case of malware distribution this way, but it’s just a matter of time. In recent weeks we’ve seen many cases that use baits like “101 Hottest Women in the World”, “Farmville” or “Sex & the City 2”, promising access to content about the topic of the site, a video to watch, etc., and the only thing that actually happens is that the bait spreads: it appears on your Facebook page, and every friend who follows the link falls into the same trap.
My advice: be distrustful, don’t trust anything and disable javascript in your browsers 😉
8 comments
I see what you did there 😉
It’s insanely bold of you to even suggest users turn off JavaScript; after just looking at your own blog page source code, your own page consists of a huge pile of JavaScript. And I’m sorry, but almost 80% of the Facebook GUI is built using JavaScript / Ajax tech. I would say that the majority of the web uses Ajax (which consists of JavaScript). JavaScript only allows limited access control over your browser. And it does not allow any other control than limited browser control. Your suggestion would actually sound like this: “Turn off browser support for any of the sites you frequently visit”,
just to point out my points: http://www.rwilliamson.net/wp/index.php/6-misconceptions-about-javascript/
Hi all,
I was kidding when I said to disable JavaScript; I’m afraid that adding the “😉” was not enough… my fault.
Of course, the right solution to this is just to change the behaviour in Facebook, for example by asking for confirmation before “liking” something.
No worries, it just bothered me that one of the biggest Norwegian e-newspapers took it quite seriously: http://www.digi.no/845024/misbruk-av-facebook-kan-gi-god-fortjeneste. Anyways, I do agree with you that changing the behaviour would increase security. But sometimes the users’ “stupidity” does prevail.