Sophos: Facebook failing to tackle likejacking

95% of web users agree

More than four in five (95 percent) of web users believe Facebook isn't doing enough to protect social networkers against 'likejacking' attacks, says Sophos.

Likejacking attacks are clickjacking scams that exploit Facebook's 'like' button. The attack automatically updates a user's profile to say they 'like' a specific page on the social network.

This is then shared with other Facebook users via the news feed, and any of the friends that click on the link will be subject to the same fate.

There have been a number of likejacking attacks on the site recently, including third-party pages entitled 'The Prom Dress That Got This Girl Suspended from School', 'This man takes a picture of himself EVERY DAY for 8 years!' and most recently, '101 Hottest Women in the World' which was accompanied by a picture of Jessica Alba.

Sophos said that while the attacks are yet to deliver malicious payloads, they demonstrate an exploitable weakness in the way that Facebook works, putting users at potential risk from further malware or phishing attacks.

"Facebook clearly hasn't been security-conscious enough in the implementation of its social 'like' plugin. This leaves the system open to abuse by spammers and scammers, and exposes users to the risk of outside threats," said Graham Cluley, senior technology consultant at Sophos.

Cluley suggested one solution would be for Facebook to implement ways for members to make a more conscious decision as to whether they want to 'Like' third-party content or not.

"By having a pop-up box asking whether users are sure they want to 'Like' a particular page, or offering the option to disable the third-party 'like' feature entirely, the spread of these attacks would be much easier to control," he said.

"What's clear is that Facebook needs to set up a proper early-warning system to alert users about breaking threats. It seems wrong that the only place where Facebook users can read about the latest attacks is on the pages run by security vendors on Facebook, rather than Facebook's own security pages."
