CLOUD SECURITY VENDOR Zscaler has released a free browser extension to protect Facebook users against clickjacking attacks that make them 'like' web pages without their knowledge.
Clickjacking attacks, also known as user interface redressing, employ legitimate web programming techniques to hijack users' clicks and use them to perform unauthorised actions.
For example, CSS can be used to stack two buttons and make the top one fully transparent. Users see only the visible button underneath, but when they click it, the click lands on the invisible button layered on top.
Clickjacking attacks work on all web browsers and because they abuse legitimate features they are very hard to block without breaking content.
Facebook scammers have long been using this technique to trick users into liking rogue pages. Because of this, such attacks are usually referred to as 'likejacking'.
One of the most popular scams involves luring users to web pages that promise interesting videos. These display web video player controls, but when users try to press play, they actually click on a hidden 'like' button.
Zscaler's new likejacking prevention extension works on Firefox, Chrome and Safari and consists of two components. One notifies users if a page contains hidden Facebook widgets and the other protects users from accidentally clicking on them.
The extension displays an icon next to the URL in the address bar on Firefox and Chrome, and a toolbar on Safari, if the active page contains Facebook widgets. The icon's background is red if the widgets are hidden and green if they are visible.
Once informed, users can decide what actions to take. They can whitelist the domain or force the hidden widgets to be displayed.
As far as protection goes, the extension provides three levels users can choose from. The most restrictive one blocks all Facebook widgets except on whitelisted pages; the medium level requires explicit confirmation whenever a widget is clicked; the third setting asks for confirmation only for widgets it considers suspicious.
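The detection and protection behaviour described above, modelled as an added example in JavaScript. This is not Zscaler's extension code: it classifies Facebook widgets from their computed style and geometry (the transparent-widget pattern from the CSS overlay example), derives the red/green page status, and maps the three protection levels onto block/confirm/allow decisions. The widget descriptors, the host list, the level names "strict", "medium" and "low", the 0.1 opacity threshold, and applying the whitelist at every level are all assumptions made for the example; a real extension would read the same fields from an iframe via getComputedStyle() and getBoundingClientRect().

```javascript
// Added example, not Zscaler's extension code. Widget descriptors are
// constructed stand-ins for an <iframe>'s computed style and bounding box.

const FACEBOOK_HOSTS = new Set(["facebook.com", "www.facebook.com"]); // assumed list

function isFacebookWidget(widget) {
  try {
    return FACEBOOK_HOSTS.has(new URL(widget.src).hostname);
  } catch (err) {
    return false; // malformed or relative src: not treated as a Facebook widget
  }
}

// Can the element receive a click at all? display:none, visibility:hidden and
// pointer-events:none elements cannot, nor can elements outside the viewport.
function isClickable(w) {
  const { rect, viewport } = w;
  const onScreen =
    rect.x + rect.width > 0 && rect.y + rect.height > 0 &&
    rect.x < viewport.width && rect.y < viewport.height;
  return w.display !== "none" && w.visibility !== "hidden" &&
    w.pointerEvents !== "none" && rect.width >= 1 && rect.height >= 1 && onScreen;
}

// Is the element perceptible? The overlay trick keeps the widget clickable
// but drives its opacity to (near) zero. Threshold 0.1 is an assumption.
function isPerceptible(w) {
  return w.opacity >= 0.1;
}

// "visible": ordinary widget; "suspicious": clickable but invisible (the
// likejacking pattern); "inert": hidden by design and unclickable, so it is
// neither listed as suspicious nor protected, as the article describes.
function classify(w) {
  if (!isClickable(w)) return "inert";
  return isPerceptible(w) ? "visible" : "suspicious";
}

// Icon colour: red when a hidden-but-clickable Facebook widget exists, green
// when only visible ones do, null when the page carries no Facebook widgets.
function pageStatus(widgets) {
  const fb = widgets.filter(isFacebookWidget);
  if (fb.length === 0) return null;
  return fb.some((w) => classify(w) === "suspicious") ? "red" : "green";
}

// Decision for a click on a widget under a protection level. "strict" blocks
// every Facebook widget except on whitelisted domains, "medium" asks before
// every click, "low" asks only for suspicious widgets. Honouring the whitelist
// at all three levels is an assumption of this example.
function decideAction(level, widget, pageHost, whitelist) {
  if (!isFacebookWidget(widget) || whitelist.has(pageHost)) return "allow";
  const cls = classify(widget);
  if (cls === "inert") return "allow";
  switch (level) {
    case "strict": return "block";
    case "medium": return "confirm";
    case "low": return cls === "suspicious" ? "confirm" : "allow";
    default: throw new Error(`unknown protection level: ${level}`);
  }
}

// Style overrides implementing "force the hidden widgets to be displayed".
function revealOverrides(w) {
  return classify(w) === "suspicious" ? { opacity: "1", zIndex: "2147483647" } : {};
}

// Constructed sample page: a transparent Like button positioned over a video
// play control, a normal Like button in the footer, a non-Facebook frame, and
// a Facebook widget hidden by design with display:none.
const viewport = { width: 1280, height: 800 };
const likeSrc = "https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample.test";
const sampleWidgets = [
  { src: likeSrc, opacity: 0.0, display: "block", visibility: "visible",
    pointerEvents: "auto", rect: { x: 600, y: 350, width: 90, height: 25 }, viewport },
  { src: likeSrc, opacity: 1.0, display: "block", visibility: "visible",
    pointerEvents: "auto", rect: { x: 40, y: 740, width: 90, height: 25 }, viewport },
  { src: "https://cdn.example.test/player", opacity: 1.0, display: "block",
    visibility: "visible", pointerEvents: "auto",
    rect: { x: 200, y: 100, width: 640, height: 360 }, viewport },
  { src: likeSrc, opacity: 1.0, display: "none", visibility: "visible",
    pointerEvents: "auto", rect: { x: 0, y: 0, width: 0, height: 0 }, viewport },
];

const report = {
  status: pageStatus(sampleWidgets),
  widgets: sampleWidgets.map((w) => ({ src: w.src, cls: classify(w) })),
  lowLevelActions: sampleWidgets.map((w) => decideAction("low", w, "example.test", new Set())),
};
console.log(JSON.stringify(report, null, 2));
```

The split between "clickable" and "perceptible" is the useful part: a widget hidden with display:none is harmless and should not raise the red icon, while one that is fully transparent but still on screen and receiving pointer events is exactly the overlay case the article describes.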
"The extension does not affect the ability to use the main Facebook site; it protects users only on other sites that use widgets from Facebook," explained Julien Sobrier, a senior Zscaler security researcher.
"Some Facebook widgets are hidden by design. This is normal, and the extension will not list them as suspicious and will not apply any protection on those," he added.