A Polish security researcher today released details and proof-of-concept code that can be used to create a fully functioning Facebook worm. The code exploits a vulnerability within Facebook that would already be abused by spammers.

The vulnerability has to do with the mobile version of Facebook and specifically with the pop-up that appears on the screen when someone wants to share a message. According to the Polish researcher, who lives under the pseudonym Lasq, the desktop version has nothing to do with the problem.


According to Lasq, there is a click-jacking vulnerability within the window that can be abused via iframe elements. There is a group of spammers who, according to Lasq, found the vulnerability and also abused it to place links on people’s Facebook timelines.

On his site Lasq writes what was going on. Some of his friends suddenly shared a link to a French site with funny pictures. The link seemed to be hosted on an AWS bucket. When you click on the link, the site will appear, asking you in French if you are older than sixteen. If you then click on the button to confirm your age, you will be reduced to a page with a funny comic and the link will automatically appear on your timeline.

According to the researcher, this has to do with Facebook ignoring the X-Frame-Options security header for the mobile panel. This header should actually be used to prevent code from being loaded into iframes and is the main protection measure against clickjacking.

Facebook doesn’t do anything?

Lasq also writes that he has contacted Facebook. According to him, this did not solve the problem because there was no safety problem. They argued that before click-jacking can be seen as a security problem, the attacker must somehow be able to make changes to the account.

Since this is not possible, Facebook would have refused. The researcher doesn’t like it: this time it’s only abused for spam, but I can also imagine ways to use this technique in a more sophisticated way. Against ZDNet, a Facebook spokesman has let it be known that it was a deliberate choice to allow iframes, so that people can place Facebook windows on their sites. To help prevent abuse, we use systems that detect clickjacking.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.