Wanna C Somthin' HOT!?? Click Da' Button, Baby!

A new Facebook clickjacking worm is doing the rounds. And this one's fiendishly clever. In IT Blogwatch, bloggers are wary of Greeks bearing gifts.

By Richi Jennings. November 24, 2009.

Your humble blogwatcher selected these bloggy morsels for your enjoyment. Not to mention the telegraph killer...

Gadi Evron is quietly impressed:

A new Facebook worm is making the rounds today, with a brilliant landing page that has already caused many infections. ... The worm automatically reposts itself on [users'] Facebook Walls so their friends will see and click on it. ... You see a picture of a model in lingerie looking back at you over her shoulder. To the side of the picture there is the simple text: "Wanna C Somthin' HOT!?? ... Click Da' Button, Baby!"


I have to admit mea culpa. I saw the worm being posted from a friend's page and didn't believe it to be dangerous because the lure is pretty cool. So I reposted it without thinking and went to visit the page. Immediately a second post appeared. ... Even experts can become complacent.

So Gadi told Nick FitzGerald:

How does this all work? Rather simple really and something Facebook needs to fix.


This worm uses what is technically known as a CSRF (Cross-site Request Forgery, also called XSRF) attack. A sequence of iframes on the exploit page call a sequence of other pages and scripts, eventually resulting in a form submission to Facebook "as if" the victim had submitted a URL for a wall post and clicked on the "Share" button to confirm the post.

But Facebook told Dan Goodin it's not a CSRF:

A spokesman for the social networking site disputed that explanation, saying the attack was really the result of clickjacking. ... Clickjacking is a vulnerability at the core of the web that allows webmasters to trick users into clicking on a link they didn't intend to. The exploits are pulled off by superimposing an invisible iframe over a button or link.


Virtually every website and browser is susceptible to the technique. ... This latest attack is a reminder that it's often impossible to know where a given link will lead, even for careful users.

Lucian Constantin tells us what that means:

Clickjacking is a growing concern amongst the infosec community and browser vendors have yet to completely address it. The technique is actually exploiting an architectural flaw at the core of the Web; therefore, it is difficult to mitigate without breaking other legit functionality.


Firefox users can protect themselves against most of these attacks by installing a popular security extension called NoScript. With Internet Explorer 8, Microsoft also introduced a directive called X-FRAME-OPTIONS that web developers can declare on their websites in order to counter clickjacking abuse. Unfortunately, this means that IE8 users have to rely on website owners to protect them.
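As an added example (not from the original post or any of the quoted bloggers), this is one way a site owner could send the X-FRAME-OPTIONS header described above from a Python WSGI application and check that a response carries it. The `share_page` app and all function names are assumptions made for illustration.

```python
# Added example: anti-framing header for a WSGI app, plus a check for it.
# The app and function names are illustrative assumptions.

SAFE_VALUES = {"DENY", "SAMEORIGIN"}


def frame_guard(app, policy="DENY"):
    """Wrap a WSGI app so every response carries exactly one X-Frame-Options."""
    if policy not in SAFE_VALUES:
        raise ValueError("policy must be DENY or SAMEORIGIN")

    def wrapped(environ, start_response):
        def guarded_start(status, headers, exc_info=None):
            # Drop any existing copies so conflicting values are never sent.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", policy))
            return start_response(status, headers, exc_info)
        return app(environ, guarded_start)
    return wrapped


def audit_framing(headers):
    """Classify a response's header list: 'protected', 'missing' or 'invalid'."""
    values = [v.strip().upper() for k, v in headers
              if k.lower() == "x-frame-options"]
    if not values:
        return "missing"
    # Duplicate or unrecognised values are flagged rather than trusted.
    if len(values) == 1 and values[0] in SAFE_VALUES:
        return "protected"
    return "invalid"


def share_page(environ, start_response):
    """Constructed stand-in for a page with a state-changing button."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method='post'><button>Share</button></form>"]


def response_headers(app):
    """Call a WSGI app once and return the headers it sent."""
    captured = []
    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured
```

Running `audit_framing(response_headers(share_page))` before and after wrapping the app with `frame_guard` shows the response moving from "missing" to "protected".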

Meanwhile, Robert "RSnake" Hansen laughs and laughs and laughs:

No, do not click that scandalous picture of that bikini clad girl… it’s just another example of Clickjacking in the wild. ... It’s called, funny enough the bikini worm. Just another great example of how defense just keeps getting harder for the good guys. If you aren’t vulnerable to CSRF, you’re vulnerable to XSS. If you aren’t vulnerable to XSS you’re vulnerable to clickjacking…

It’s just another great example of a combination of attacks, including my favorite - social engineering. The funniest part of this article is where Gadi admitted to finding the worm by way of clicking on it. Oh, Gadi… hahah!


And finally...

Richi Jennings, your humble blogwatcher
  Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter, or richij on FriendFeed, pretend to be richij's friend on Facebook, or just use good old email: itblogwatch@richij.com.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.