NEWS FROM THE LAB - Friday, July 1, 2011

Facebook Apps IFrame Flaw Used For Phishing Posted by Sean @ 18:59 GMT

Yesterday's post made note of a spammer that has figured out a way to embed his Cost Per Action (CPA) surveys into a Facebook application at apps.facebook.com.

An observant reader called Matthew wrote to inform us of a phishing attack that uses the very same technique.

The phisher's form fits seamlessly into facebook.com:

Account Security on Facebook

Fortunately, this still appears to be in the early stages, and the statistics indicate it isn't widespread.

Department of Facebook Security

Department of Facebook Security? Cute.

An IFrame on the app's page is the source of the problem:


Not the application.php page, but the app's page. (We're not sure what it's called… the page one ends up on if the "Go to App" button is clicked.)

The IFrame is loaded from a compromised website, which appears to be a clothing webshop. It's hosted in Indonesia.
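As an added defender-side example (not code from the original post), the Python below checks the HTML of an app page for IFrames whose source resolves to a host outside the first-party domains, which is the pattern behind the phishing described above. The first-party suffix list and the sample page are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts treated as first-party for an apps.facebook.com page (an assumption
# made for this example); an <iframe> sourced from anywhere else is flagged.
FIRST_PARTY_SUFFIXES = ("facebook.com", "fbcdn.net")

def is_first_party(host):
    """True for a first-party domain or a real subdomain of one. The check is
    label-aware: a bare endswith() would accept 'facebook.com.example.test'."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)

class IFrameCollector(HTMLParser):
    """Collects the src attribute of every <iframe> tag in the page."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def third_party_iframes(html, page_url):
    """Return iframe src values whose host is outside the first-party set.
    Relative and scheme-relative ('//host/...') sources are resolved first."""
    collector = IFrameCollector()
    collector.feed(html)
    flagged = []
    for src in collector.sources:
        host = urlparse(urljoin(page_url, src)).hostname or ""
        if not is_first_party(host):
            flagged.append(src)
    return flagged

# Constructed sample of an app page: a first-party frame, a frame loaded from
# an unrelated third-party host, and a look-alike host. Not real data.
SAMPLE_PAGE = """<html><body>
<iframe src="https://www.facebook.com/plugins/like.php"></iframe>
<iframe src="http://shop.example-webshop.test/fb/login.html" width="760"></iframe>
<iframe src="//facebook.com.example.test/secure"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in third_party_iframes(SAMPLE_PAGE, "https://apps.facebook.com/some_app/"):
        print("third-party iframe:", src)
```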


We attempted to fill out the phishing form, at the source, with some bogus information, and got this prompt:

The password you entered is incorrect

The form appears to be testing the details when entered.

The website also discourages right-clicking.

Right click is not allowed on this page.

There doesn't appear to be much talk of this on Facebook. It could be that phishing links are being e-mailed to potential victims.

Here's the one example we found:

Security Warning From Facebook

Facebook introduced IFrames to applications several months ago. Trend's Rik Ferguson blogged about the issue in February.

David F. Carr at InformationWeek wrote Facebook iFrames: Good For Business, Bad For Security? on March 21st.

And now it looks as if the issue may finally need to be addressed. Hosting spam, phishing and malware on facebook.com via IFrames could quickly become a very serious headache.

We've been in contact with Facebook's security team, and they're looking into the issue.

Updated to add on July 4th: Facebook's security team blocked the apps shortly after we made contact with them.

Meanwhile, yesterday, Sophos "security chap" Graham Cluley blogged about additional versions.

  •  apps.facebook.com/account_suport_help/
  •  apps.facebook.com/account-disable-info/

Facebook has blocked these as well.


When we went to examine the "suport" URL, we accidentally typed two "p"s instead of one, and discovered yet another phishing app.

  •  apps.facebook.com/account_support_help/

The Facebook app is online, but the IFrame is obsolete, and the phishing site component is not active.

There could be more of these lurking about; take care.