
JavaScript Hole in Facebook!

Facebook has made some important changes to the way Facebook Pages, the fan pages set up by brands, bands and even cucumbers, can be created.

In the past the tabs which could be added to these pages have been set up in two ways; the first used the Facebook FBML app. This allowed page tabs to be created using static Facebook Markup Language (FBML) or HTML; it wasn't particularly engaging, but it was very simple to use. The second method for creating page tabs was by adding a custom Facebook app within a standard FBML tab. This meant the custom app could request external data from a third party and display it within the page tab. This content, though, was subject to many technical limitations, as it was all proxied through Facebook, which broke many things including tracking pixels, JavaScript and Flash.

So what is the big change? Well, Facebook now allows iframes to be included within Facebook apps on page tabs, meaning that all that Facebook proxying can be avoided. While this is no doubt great news for legitimate developers, it will undoubtedly make life for those with malicious intent much easier too.

It is now possible to set up a Facebook page, create a default landing tab (the one you first see when you visit the page) and include an app that contains an iframe. That iframe can, for example, contain JavaScript which immediately and without user interaction redirects you to whatever site it chooses. Say, for example, a page containing Fake AV, or a page where an exploit kit is waiting to silently infect you with malware.
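The risk in the paragraph above comes from the embedding site handing a third-party frame the ability to navigate the visitor's whole window. The defensive control on the embedding side is the HTML5 `sandbox` attribute on the `<iframe>`: when it is present and does not carry the `allow-top-navigation` token, the browser refuses to let the framed document change `top.location`. The following Node.js script is an added example written for this page, not code from the original post or from Facebook; it audits the iframe tags in a constructed HTML fragment and reports which ones could still perform a silent top-level redirect. The tag-parsing regexes are a deliberate simplification and the sample URLs (`app.example`, `other.example`, `third.example`) are invented.

```javascript
// Added example (not from the original post): audit <iframe> tags for the
// HTML5 "sandbox" restriction that stops framed content from navigating the
// embedding (top-level) window. Without "sandbox", a framed document may set
// top.location and send the visitor anywhere; with "sandbox" present and the
// "allow-top-navigation" token absent, the browser blocks that navigation.

// Simplified tag matcher: attribute values containing ">" are not handled.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
// Matches name, name="value", name='value' or name=value.
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse the attribute text of one tag into an object with lower-cased names.
// A bare attribute (e.g. "sandbox" with no value) is stored as ''.
function parseAttributes(attrText) {
  const attrs = {};
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Can the framed content navigate the top-level window without any user
// interaction? "allow-top-navigation-by-user-activation" only permits
// navigation after a user gesture, so it does not enable a silent redirect.
function canNavigateTop(attrs) {
  if (!('sandbox' in attrs)) return true; // no sandbox: unrestricted
  const tokens = attrs.sandbox.toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes('allow-top-navigation');
}

// Walk every <iframe> in the HTML and classify it.
function auditIframes(html) {
  const findings = [];
  let m;
  while ((m = IFRAME_RE.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    findings.push({
      src: attrs.src || '(none)',
      sandboxed: 'sandbox' in attrs,
      canRedirectTop: canNavigateTop(attrs),
    });
  }
  return findings;
}

// Constructed sample page: three third-party tabs embedded as iframes.
// Only the second one is hardened against a silent top-level redirect.
const SAMPLE_PAGE = `
<div class="tab">
  <iframe src="https://app.example/tab" width="520" height="800"></iframe>
</div>
<div class="tab">
  <iframe src="https://other.example/tab" sandbox="allow-scripts allow-forms"></iframe>
</div>
<div class="tab">
  <iframe src='https://third.example/tab' sandbox='allow-scripts allow-top-navigation'></iframe>
</div>`;

for (const f of auditIframes(SAMPLE_PAGE)) {
  console.log(`${f.src}: sandboxed=${f.sandboxed} canRedirectTop=${f.canRedirectTop}`);
}
```

Run it with `node audit.js`; the first and third frames are reported as able to redirect the top window, the second is not. Note that `sandbox` protects the visitor only when the embedding site applies it; a framed page cannot sandbox itself, which is why this is a control for the platform doing the embedding rather than for the app author.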

No more likejacking required, no more having to persuade users to install your app; if a criminal can make the bait sweet enough just to get you to visit the page, that is all they will need to start the chain that leads to your computer being compromised and used for criminal purposes.

Of course Facebook asks its developers to agree to a code of conduct that prohibits such activities, but when it comes to criminals, that's a bit like taking a driving licence away from a joyrider.

I have informed Facebook of this oversight in their new functionality and will update this blog posting if I hear back from them.

Thanks to Stig Edvartsen for his eagle eyes and Heidi Obschil-Müller for the iframe

News Source : http://mcaf.ee/b81e2