Facebook: Clickjacking Bug Not Considered a Security Issue

A Polish security researcher, who goes by the Twitter name ‘Lasq’, recently discovered an exploitable bug in Facebook’s mobile app and submitted the details, together with the spam campaign abusing it on the social media site, through Facebook’s Bug Bounty platform.

Lasq noticed the bug when some of his Facebook friends began publishing a malicious link to a website with funny pictures. Before seeing the site’s content, however, users first had to declare that they were at least 16 years old. After confirming their age, these users were redirected to a website with funny photos, a French-comic themed spam campaign, plus loads of ads.

By giving that consent, misled users also allow the link to be posted on their own walls, which exposes the link to more users, who will likely repeat the same process.

This is known as a clickjacking scam: it tricks users into clicking on malicious links (something different from what the user perceives) hidden within legitimate-looking videos, images, and articles. This particular one works by loading a webpage into an invisible iframe on a decoy site, and only works on mobile.
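The mechanism described above depends on a page being embeddable in a third party's iframe. The two browser controls that prevent that are the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive. The following is an added example, not code from the article or from Facebook: a small checker that, given a page's response headers, reports whether a standards-following browser would let a given embedder frame the page, including the precedence rule (frame-ancestors overrides X-Frame-Options when both are present) and the obsolete ALLOW-FROM value. All URLs and header values in it are constructed sample input.

```python
"""Framing-protection check for a page, from the defender's side.

Added example (not from the article): given a page's response headers,
decide whether a browser applying the X-Frame-Options and CSP
frame-ancestors rules would let a third-party page embed it in an iframe.
All header values and URLs below are constructed sample input.
"""
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """Return scheme://host[:port] in lowercase."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def _parse_csp(csp: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def _source_matches(source: str, page_url: str, embedder_url: str) -> bool:
    """Match one frame-ancestors source expression against the embedder.

    Handles '*', 'none', 'self', scheme sources (https:) and host sources
    with an optional scheme and leading wildcard (*.example.com). Ports are
    ignored for host sources, a simplification of the CSP matching rules.
    """
    emb = urlsplit(embedder_url)
    if source == "*":
        return True
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(page_url) == _origin(embedder_url)
    if source.endswith(":") and "/" not in source:  # scheme source, e.g. https:
        return emb.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != emb.scheme:
        return False
    host = host.split("/")[0]  # drop any path component
    if host.startswith("*."):
        return (emb.hostname or "").endswith(host[1:])  # ".example.com"
    return emb.hostname == host


def can_be_framed(headers: dict, page_url: str, embedder_url: str):
    """Return (frameable, reason) for page_url embedded by embedder_url.

    CSP frame-ancestors, when present, takes precedence over X-Frame-Options;
    browsers that implement the directive ignore X-Frame-Options in that case.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = _parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        allowed = any(_source_matches(s, page_url, embedder_url)
                      for s in csp["frame-ancestors"])
        return allowed, "decided by CSP frame-ancestors (X-Frame-Options ignored)"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return _origin(page_url) == _origin(embedder_url), "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        # ALLOW-FROM is obsolete and not honoured by current browsers, so it
        # gives no protection; report the page as frameable.
        return True, "X-Frame-Options: ALLOW-FROM is obsolete; treat as unprotected"
    return True, "no framing protection header present"


if __name__ == "__main__":
    # Constructed sample: a share dialog on a social site, framed by a decoy page.
    page = "https://social.example/share?u=https://funnypics.example"
    decoy = "https://funnypics.example/confirm-age"
    for hdrs in (
        {},
        {"X-Frame-Options": "SAMEORIGIN"},
        {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' *.social.example"},
    ):
        print(hdrs, "->", can_be_framed(hdrs, page, decoy))
```

Run as a script it prints the verdict for three constructed header sets. The check models what a browser engine does with those two headers when it renders the page; it says nothing about how a native app's embedded web view behaves, and the article reports that this bug worked only in the mobile app and not in the web version.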

The method used by the spammer targets Facebook users in France on Android devices; it doesn’t appear to work on the web version. The bug gives access to the Share button, allowing the perpetrator to publish a link on the victim’s Timeline without consent.

The issue still exists today. Facebook, however, dismissed the report and didn’t address the problem, on the grounds that it has no “serious security consequences” and does not change the state of the affected user’s account. It rejected Lasq’s report 12 hours after submission.