A Polish Security Researcher who works under the name of
Lasq, found a malevolent spam campaign that spams the users' Facebook wall by
exploiting the vulnerability. The said vulnerability came into his notice after
he saw it repeatedly being abused by a Facebook spammer group.
The vulnerability as indicated by Lasq is known to reside in
the mobile version of the Facebook for the most part through popups while the
desktop version stays unaffected.
The link that is the root of all the spamming gives off an
impression of being facilitated in an Amazon Web Services (AWS) bucket and
diverts the user to a comic website, after they are requested to confirm their
ages in French. In any case, even after the user has tapped on the link and
done whatever it requested, it was still found to show up on the user's
Facebook wall.
At the point when Lasq researched about this issue he found
that the spammers were utilizing codes to abuse the IFrame component of
Facebook's mobile sharing dialog. He tested for it then with the popular
browsers, like the Chrome, Chromium, Edge, IE, Firefox and every other program
which displayed X-Edge-Options error and thusly published a blog post with the
technical subtleties. He suspected clickjacking.
Later he gathered that because Facebook had disregarded the
X-Edge-Options header for the mobile sharing discourse, the "age verification"
popup which displayed prior, skirted Facebook's system.
Lasq reached out to Facebook, yet shockingly they declined
to fix the issue contending that it is operating in as intended and the case
has been closed within 12 hours from an underlying report and clickjacking is
an issue just when an attacker some way or another alters the state of the
users' account.
On being reached by ZDNet, Facebook essentially stressed on
the part that they are consistently enhancing their "clickjacking
detection systems" to forestall spam.
