A clickjacking worm spread quickly across Facebook earlier today, tricking users into posting it to their status updates.
The worm, which some have dubbed Fbhole because of the domain it points to, posts a message like the following:
try not to laugh xD http://www.fbhole.com/omg/allow.php?s=a&r=<random number>
Clicking on the link would display a fake error message that would trick you – through a clickjacking exploit – to invisibly push a button that would publish the same message to your own Facebook status update. We’ve seen clickjacking exploited by hackers before in attacks on social networks, for instance in the “Don’t click” attack seen on Twitter in early 2009.
The good news is that’s effectively it. Rather like the “Don’t click” Twitter attack, it appears that this latest Facebook security scare was more motivated out of mischief…
Read more in my article on the Naked Security website.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.