As if hacking into heart rate monitors, smart home systems, and iPhone cameras wasn’t enough, the hackers are going hook, line and social and are sabotaging your Facebook account.
The implications may not hit your bank account straight away, although that is obviously where the attackers intend to end up, but they do go right to the core of our precious virtual lives.
Social media enthusiasts spend their idle time clicking or swiping on interesting articles or comical memes on Facebook without giving a thought to where those links lead or whether they pose a threat.
Originally, a post showed the page link inside the preview so you could see where you were being led, which encouraged scammers to edit and hide the link title. Facebook, back in 2007, countered by removing the ability for Pages to edit the title, description, and thumbnail of a link, which in theory means you can't be redirected to another website. It appears that isn't enough.
Barak Tawily, a security researcher, discovered a simple trick that attackers could use to spoof URLs by abusing the mechanism Facebook uses to fetch link previews. Put simply, Facebook builds the preview from the Open Graph meta tags of the page being shared, and it doesn't validate the link it picks up from those tags against the page it actually fetched.
Facebook currently uses a mechanism it calls "Linkshim", which only checks each link against the company's existing list of known malicious sites.
When Tawily reported the issue to Facebook, they refused to recognize it as a flaw that needs fixing. Obviously Tawily didn't stop there and has taken it to the media.
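As an added example (not from the article and not Facebook's code), here is how a link-preview fetcher can avoid this class of spoofing: the domain shown to the user always comes from the URL that was actually retrieved, and a page whose self-declared og:url points at a different host is flagged. The HTML snippet and the domain names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _OpenGraphParser(HTMLParser):
    """Collects <meta property="og:..." content="..."> tags from a page."""
    def __init__(self):
        super().__init__()
        self.tags = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = dict(attrs)
        prop = (attr.get("property") or "").lower()
        if prop.startswith("og:") and attr.get("content") is not None:
            self.tags.setdefault(prop, attr["content"])  # first tag wins

def parse_open_graph(html):
    parser = _OpenGraphParser()
    parser.feed(html)
    return parser.tags

def build_preview(fetched_url, html):
    """fetched_url is what the preview fetcher actually retrieved (after any
    redirects); html is the body it got back. The displayed domain always
    comes from fetched_url, never from og:url, and an og:url on another host
    is flagged so the caller can treat the post as suspicious."""
    og = parse_open_graph(html)
    actual_host = urlparse(fetched_url).netloc.lower()
    claimed = og.get("og:url")
    # No og:url makes no claim, so nothing to flag; a relative or schemeless
    # og:url yields an empty host and is flagged rather than trusted.
    claimed_host = urlparse(claimed).netloc.lower() if claimed else actual_host
    return {
        "title": og.get("og:title", fetched_url),
        "display_domain": actual_host,
        "target": fetched_url,
        "og_url_mismatch": claimed_host != actual_host,
    }

# Constructed sample: a page on one domain whose Open Graph tags claim a
# well-known site on a different domain (placeholder names).
SPOOFED_HTML = """<html><head>
<meta property="og:title" content="Log in to your account">
<meta property="og:url" content="https://bank.example/login">
</head><body>...</body></html>"""

if __name__ == "__main__":
    print(build_preview("https://lookalike.example/page", SPOOFED_HTML))
```

Legitimate sites sometimes declare an og:url on a sibling host (a CDN or a mobile subdomain), so the mismatch flag is a signal for review rather than an automatic block; the displayed domain is already safe either way.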
So here is why this is dangerous.
Let's say a Facebook user sees a link, thinks it's trustworthy and clicks on it. They land on a site carrying malicious code (phishing pages, malicious ads, pay-per-click click fraud) and could end up hacked, with their identity stolen or their bank accounts emptied. The potential is very much there.
Come on Facebook! Hackers are creative people! There is no way to manage a comprehensive list of malicious sites when new ones are coming online each and every virtual day.
What do you say to that Facebook?
Well, they do actually use machine learning to identify new malicious pages never seen before, but attackers can get around that as well: a site can show harmless content to some visitors and malicious content to others depending on their IP address, so the page the classifier sees isn't the page the victim sees. The Social Media Giant's response here is weak, to say the least.
There is really nothing that we can do to protect ourselves from spam links on Facebook except for being extra vigilant.
That’s the bad news.
The good news is that awareness of cyber-attacks and interest in cybersecurity are growing globally at a pace that matches the threat from cyber criminals, to the extent that people like Barak Tawily make it their duty to publicize new vulnerabilities. This is happening at the individual level as well as the organizational level, as cyber hubs form where online communities team up and test code for vulnerabilities.
If more and more people are encouraged to follow his example, we will live in a safer world, or at the very least the large corporations whose platforms we post on will be forced to get their act together and let us post in peace.