Updated: Many Facebook users are being hit by further clickjacking attacks today, taking advantage of the social network’s “Like” facility.
The latest lure is a link which claims to point to a website containing a naked photo of Hayley Williams, the lead singer of the American rock band Paramore.
You can spot an affected profile because the Facebook user appears to have “liked” a link:
Paramore n-a-k-ed photo leaked!
21-year-old Hayley Williams has recently been the subject of much internet interest after a topless photo of her was leaked online, which is only likely to fuel interest in the naked pictures promised by these links. But take care, because all may not be what it seems.
Clicking on the links takes Facebook users to a third-party website which displays a message saying:
Click here to continue if you are 18 years of age or above
What the hackers have actually done is very sneaky. They have hidden an invisible button under your mouse, so wherever you click on the website your mouse-press is hijacked. As a consequence, when you click with the mouse you’re also secretly clicking on a button which tells Facebook that you ‘like’ the webpage. This then gets published on your own Facebook page, and shared with your online friends, resulting in the link spreading virally.
Attacks like this can spread very, very fast. Judging by the number of messages I’ve seen, thousands have already found it impossible to resist the idea of seeing the lead singer of Paramore naked and have fallen head-first into the “likejacking” trap.
This use of a clickjacking exploit to publish the same message (via an invisible iFrame) to the visiting user’s own Facebook page works in a similar fashion to the clickjacking attacks we saw earlier this week.
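
An added example, not part of the original article: a detection heuristic for the pattern described above, an embedded Like widget in an invisible iFrame that still receives clicks. The like.php widget URL, the 0.1 opacity threshold and the sample frame descriptors are assumptions made for illustration.

```javascript
// Added example (not from the original article). Heuristic: flag an embedded
// Facebook Like widget that is invisible yet still able to receive clicks.
// Assumption: the widget is served from facebook.com/plugins/like.php.
const LIKE_WIDGET = /^https?:\/\/(www\.)?facebook\.com\/plugins\/like\.php/i;

// A wrapper's opacity also fades the frame, so multiply up the ancestor chain.
function effectiveOpacity(el, win) {
  let opacity = 1;
  for (let n = el; n; n = n.parentElement) {
    const o = parseFloat(win.getComputedStyle(n).opacity);
    if (!Number.isNaN(o)) opacity *= o;
  }
  return opacity;
}

// In a browser: describeFrames(document, window).
function describeFrames(doc, win) {
  return Array.from(doc.querySelectorAll("iframe")).map((el) => {
    const cs = win.getComputedStyle(el);
    return { src: el.src, opacity: effectiveOpacity(el, win),
             position: cs.position, pointerEvents: cs.pointerEvents };
  });
}

function assessFrame(f) {
  const likeWidget = LIKE_WIDGET.test(f.src || "");
  const invisible = Number(f.opacity) < 0.1;          // assumed threshold
  const clickable = f.pointerEvents !== "none";
  const floating = f.position === "absolute" || f.position === "fixed";
  let verdict = "ok";
  if (invisible && clickable) {
    verdict = likeWidget && floating ? "likely-likejacking" : "suspicious";
  }
  return { src: f.src, verdict };
}

const scanFrames = (frames) => frames.map(assessFrame).filter((r) => r.verdict !== "ok");

// Constructed sample descriptors (example.test is a placeholder host).
const SAMPLE_FRAMES = [
  { src: "https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample.test%2F",
    opacity: 0, position: "absolute", pointerEvents: "auto" },
  { src: "https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample.test%2F",
    opacity: 1, position: "static", pointerEvents: "auto" },
];
console.log(scanFrames(SAMPLE_FRAMES));
```

A visible Like button in normal page flow passes; only a frame that is both invisible and clickable is reported.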