A security professional exposed to a spam campaign on Facebook discovered the method used by the perpetrator and submitted a report through the company's bug bounty program. The issue still exists because Facebook dismissed it on the grounds that it does not change the state of the account.

Proof-of-concept code demonstrates how easy it would be for an app developer to distribute arbitrary links over Facebook.

Spam campaign piques interest

The expert started to analyze the spam campaign after noticing that many of his friends had published a link to a website with funny pictures. Before reaching the chucklesome content, users had to confirm that they were at least 16 years old.

"After you clicked on the button, you were indeed redirected to a page with a funny comic (and a lot of ads). However, in the meantime the same link you just clicked appeared on your Facebook wall," the security boffin says in a blog post today.

An iFrame tag in the page's source raised suspicions and prompted the researcher to investigate. He found that the iFrame contained multiple links as well as a URL for sharing content on Facebook.

Suspicious iFrame

The method used by the spammer targeted mobile Facebook users in France and gave the attacker's page access to the Share dialog button, allowing the perpetrator to publish a link to the victim's Timeline without consent.

It looks like the web browser embedded in the Facebook app for Android ignores the X-Frame-Options response header, which a site sends to tell the browser whether its pages may be loaded in iFrames. Desktop browsers honour the header as they should and refuse to load the iFrame.

This type of attack is called clickjacking. It consists of loading a web page into an invisible iFrame placed on top of a decoy site: all the user sees is the decoy, but the clicks land on elements of the invisible layer.
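To make the header behaviour concrete, here is an added example (not code from the article or from the researcher's blog post) that models the framing decision a standards-compliant browser makes for a response carrying X-Frame-Options or a CSP frame-ancestors directive, following the rules in the HTML living standard and CSP as I understand them. The sample responses, origins and the "permissive WebView" switch are constructed for illustration; real browsers also apply fuller CSP source matching (scheme-only sources, wildcards, host patterns) than the simplified comparison used here.

```javascript
// Added example: simulate a browser deciding whether a cross-origin page may
// be rendered inside an <iframe>. Not the article's or the researcher's code.

// Collect all values of a header (repeated headers and comma-separated lists),
// lowercased and trimmed. Returns null when the header is absent.
function splitHeaderValues(headerList, name) {
  const values = headerList
    .filter(([n]) => n.toLowerCase() === name.toLowerCase())
    .map(([, v]) => v);
  if (values.length === 0) return null;
  return values.join(",").split(",")
    .map((v) => v.trim().toLowerCase())
    .filter((v) => v.length > 0);
}

// X-Frame-Options check. `ancestorOrigins` lists the origins of the embedding
// documents (the spec checks every ancestor, not only the top-level page).
// Returns true when the framed document may be rendered.
function xFrameOptionsAllows(responseHeaders, documentOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true;          // top-level load, nothing to check
  const raw = splitHeaderValues(responseHeaders, "X-Frame-Options");
  if (raw === null) return true;                          // header absent: framing allowed
  const unique = new Set(raw);
  const known = ["deny", "sameorigin", "allowall"];
  if (unique.size > 1 && known.some((k) => unique.has(k))) {
    return false;                                         // conflicting values: block
  }
  const value = raw[0];
  if (value === "deny") return false;
  if (value === "sameorigin") {
    return ancestorOrigins.every((o) => o === documentOrigin);
  }
  return true;   // unknown token, including the obsolete ALLOW-FROM: header ignored
}

// Simplified CSP frame-ancestors check supporting 'none', 'self', '*' and
// exact origins. Returns null when the directive is absent, so the caller can
// fall back to X-Frame-Options.
function frameAncestorsAllows(responseHeaders, documentOrigin, ancestorOrigins) {
  const csp = responseHeaders
    .filter(([n]) => n.toLowerCase() === "content-security-policy")
    .map(([, v]) => v)
    .join(";");
  const directive = csp.split(";").map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
  if (!directive) return null;
  const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
  if (sources.includes("'none'")) return false;
  return ancestorOrigins.every((o) =>
    sources.includes("*") ||
    sources.includes(o.toLowerCase()) ||
    (sources.includes("'self'") && o === documentOrigin));
}

// Overall decision. When a frame-ancestors directive is present it takes
// precedence and X-Frame-Options is ignored. `enforceFrameHeaders: false`
// models an embedded WebView that never performs the check at all, which is
// the behaviour the article attributes to the Facebook app's browser.
function browserAllowsFraming(responseHeaders, documentOrigin, ancestorOrigins,
                              { enforceFrameHeaders = true } = {}) {
  if (!enforceFrameHeaders) return true;
  const csp = frameAncestorsAllows(responseHeaders, documentOrigin, ancestorOrigins);
  if (csp !== null) return csp;
  return xFrameOptionsAllows(responseHeaders, documentOrigin, ancestorOrigins);
}

// Constructed scenario: a share dialog served with X-Frame-Options: DENY,
// embedded by an attacker-controlled decoy page on another origin.
function demo() {
  const dialogHeaders = [["Content-Type", "text/html"], ["X-Frame-Options", "DENY"]];
  const dialogOrigin = "https://www.facebook.com";   // assumed origin of the framed dialog
  const decoyAncestors = ["https://funny-pics.example"]; // constructed decoy origin
  return {
    desktopBrowser: browserAllowsFraming(dialogHeaders, dialogOrigin, decoyAncestors),
    permissiveWebView: browserAllowsFraming(dialogHeaders, dialogOrigin, decoyAncestors,
                                            { enforceFrameHeaders: false }),
  };
}

console.log(demo());
```

The point the simulation makes is that X-Frame-Options is only a request from the server: a client that skips the check renders the framed dialog regardless, and the same holds for frame-ancestors, so the header cannot protect users of a non-compliant in-app browser on its own.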

No bug here, move along

Trawling through Facebook's documentation, the expert found that a special parameter called "mobile_iframe", when enabled, opens "the share dialog in an iframe on top of your website". The feature is available only on mobile.

Facebook replied quickly to the report but did not address the problem, because it does not consider something a security issue as long as it does not affect an account's integrity (e.g. by changing settings), the researcher claims.

Nevertheless, the ability to post links on other users' Timelines without authorization is a serious problem, and it can just as easily be used to distribute links to malware instead of spam.

"Just imagine how much damage a link to a malware document or a phishing site can cause when shared by a well-known person with thousands of followers," the expert details.