Facebook: Foolishness, Gullibility, Social Engineering and Security
A foreword: no malicious software was used, and no malicious intent was involved, in the research and investigations described in this report.
The technique used is explained below in a greatly simplified form; it is nevertheless a very simple technique that could be replicated by anybody with a basic knowledge of HTML and JavaScript.
The Issue
I was prompted to write this report to raise awareness of this issue, primarily among my friends but also among anybody who is interested, and I hope readers will take note of the advice and issues raised here.
The first thing I saw was my friends “liking” a website called “Japan tsunami launches whale into building” that appeared to have a YouTube video embedded.
I asked my friends, and none of them knew it was on their profile; they said they had tried to visit it earlier and it had failed to load.
So here we are, with random websites being able to add data to your Facebook page, without your consent, to help socially engineer more visitors? That’s a bit underhand!
When I first discovered this occurrence of a threat called “clickjacking” it was at approximately 5,000 “likes”; however, within a few hours it was up to around 80,000.
That’s 80,000 people with it on their profiles who haven’t seen it and removed it.
Now I’m no expert in maths, but the growth looked exponential to me.
Although I had seen examples of this before, I decided to finally look at how they work and how people can protect themselves.
Case Study
So my investigation started with a look at the “Japan tsunami launches whale into building” website and at what Facebook allowed and didn’t allow on an externally “liked” website.
The most powerful tool a malicious coder can utilise is arguably the “iframe”: the ability to load one website within another (and the embedded frame can also be made invisible).
This is what the website did, but Facebook didn’t allow iframes, so how did it do it?
Well instead of using:
<iframe style……….></iframe>
which would be filtered out by Facebook
The website instead utilised:
document['writeln']('<i' + 'fr' + 'a' + 'me style="width:100%; height:82' + '0px; border:0px" scrolling="no" border="0" src="wo' + 'w.ht' + 'ml"></if' + 'ra' + 'me>');
For those who do not understand JavaScript and how it works, the basics are: document['writeln'] writes the specified text into the page when it is loaded on the user’s computer, so Facebook does not see the tag when it inspects the page.
The '<i' + 'fr' are combined into <ifr, and this continues for the whole line, making:
<iframe style="width:100%; height:820px; border:0px" scrolling="no" border="0" src="wow.html"></iframe>
So that allows the website owner to circumvent Facebook’s checks and thus on the new “wow.html” page they can run whatever code they want.
On the wow.html page there is a call to “http://www.facebook.com/plugins/like.php?href=http://thewebsite.info”.
This is the call that puts a “like” on the Facebook page, but normally you need to click “like”.
Instead of requiring the user to click “like”, the code loads the “like” frame and selects it.
So the result: you now have a like on your Facebook wall simply from visiting a website. Great security, eh?
Investigation
So in order to launch our own version of the clickjacking site and investigate the issues of what can only be described as “foolishness, gullibility or social engineering”, I enlisted the help of M.Upjohn and we recreated the website.
My initial investigation started with looking at how the website operated and this can be broken down into the following steps:
1) You visit the webpage and see a fake YouTube video page similar to this one:

2) You naturally try to click “play”.
3) The website launches an age verification step that requires you to fill in a survey (one the site owners get paid for).

4) After you finish the survey, the video still doesn’t load.
5) Your profile now says that you have “liked” the page, your friends think “oh, I’ll view that, it sounds cool”, and the cycle begins.
So M.Upjohn and I programmed our own version, titled “Inside the Japan nuclear plant that exploded”, but removed any external links, external files and surveys in order to ensure that the website was not malicious and could not be made malicious in the future.
The site was then launched on kyrobill, and within a matter of hours it was up to 36 “likes” and around 80 visitors.
Although this is a very small number, it shows that it does not take much to encourage people to view these sites, and if it had been programmed to automatically “like” rather than requiring a click, it would have infected a lot more people.
Conclusions
After the initial investigation I undertook further investigations (which shall not be detailed publicly) and found it was possible to make someone “like” any website, not necessarily the one they were visiting.
Imagine the situation:
1) You visit a “like” titled “Look at this amazing footage of [insert event here]”
2) Your profile then gets a “like” saying you “liked” the page. (No malicious harm done.)
3) Now consider if it randomly made people “like” a website with the title “I really enjoy sex with [insert here]” (examples: my boss, my best mate’s girlfriend, chi…. yeah, you see where it’s going by now).
- Imagine the impact of this?
- Would it compromise your job? Your social life? Your physical life?
- How can you prove you didn’t “like” that page? (Simple answer: you can’t.)
Consumers
My advice here splits into 3 key areas:
1) Think about what you are clicking on from Facebook. If the link is not a Facebook link (look at your address bar), consider whether it might pose any risk (although this is hard with the URL-shortening services in use). Do you really think that a friend of yours has a link to a whale being thrown inland by the tsunami, or internal imagery of the nuclear power plant?
2) Do you trust that your friends are safe in their browsing and keep their Facebook profiles clean?
3) Use NoScript if you’re using Firefox (unfortunately it’s not available on Chrome yet).
4) Keep an eye on your profile, and if you spot that something new has been posted without your permission, remove it straight away.
5) I would say point 5 should be “report it”, but unfortunately there are no systems in place to report this type of “clickjacking” yet.
Facebook needs to look into how its “like” system works, and in turn how it is being abused, to ensure that it does not compromise the security of people’s profiles while still allowing the social networking that makes Facebook so popular and widespread.
One solution would be to pop up a confirmation box if the “like” occurred on a website whose address is not www.facebook.com, and then allow the user to disable this pop-up if they so wish.
Thanks
This project was made possible by the assistance of:
M.Upjohn - For assistance in sanity checking the investigation code.
C.Buckley - For supplying web hosting to test the investigation.
In closing, think about your security and review the options available to you within Facebook’s “Account Settings” and “Privacy Settings”.
Nathaniel Freeman