
Simon Willison’s Weblog

New Facebook clickjacking attack in the wild. I’m not sure why Facebook don’t use frame-busting JavaScript to avoid this kind of thing. The attack is pretty crafty—a Facebook page is positioned with everything obscured bar part of the blue “share this” button, and a fake “Human Test” asks the user to find and click the blue button to continue.
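The frame-busting JavaScript mentioned above, as an added example that is not code from the post or from Facebook: the body starts hidden and is revealed only once the script confirms it runs as the top-level document, so an attacker who suppresses the script gets nothing clickable to hide behind a fake "Human Test". The window and document are injected so the logic runs outside a browser; the `antiClickjack` element id and the `installFrameBuster`/`makeFakeEnvironment` names are my assumptions. Script-only defences have known bypasses, so in current browsers this belongs alongside an `X-Frame-Options` or CSP `frame-ancestors` response header, not in place of one.

```javascript
// Added example (not from the post): defensive frame busting of the kind the
// post says Facebook could have used. Assumes the page carries
// <style id="antiClickjack">body { display: none !important; }</style>
// so the UI is hidden until the script proves it is not framed.
function installFrameBuster(win, doc) {
  // Assumed shape: win.self, win.top, win.self.location.href, win.top.location,
  // doc.getElementById(id) -> element with parentNode.removeChild(element).
  const hider = doc.getElementById('antiClickjack');
  if (win.self === win.top) {
    // Top-level document: drop the rule that hides <body>.
    if (hider && hider.parentNode) hider.parentNode.removeChild(hider);
    return 'top-level';
  }
  // Framed: leave <body> hidden and navigate the top window to our own URL.
  // Reading top.location throws cross-origin; assigning to it is permitted.
  try {
    win.top.location = win.self.location.href;
  } catch (e) {
    // If navigation is blocked, the body stays hidden, so the attacker's
    // overlay has no real button underneath it.
  }
  return 'framed';
}

// Minimal stand-in for the DOM so the example also runs under Node.
// All values below are constructed sample data.
function makeFakeEnvironment(framed) {
  const hider = { removed: false, parentNode: null };
  hider.parentNode = { removeChild(el) { el.removed = true; } };
  const doc = { getElementById: (id) => (id === 'antiClickjack' ? hider : null) };
  const selfWin = { location: { href: 'https://example.test/share' } };
  const topWin = framed
    ? { location: 'https://attacker.example/human-test' }  // hostile parent
    : selfWin;                                              // we are the top
  return { win: { self: selfWin, top: topWin }, doc, hider };
}

// Stand-alone run: framed page busts out, top-level page reveals its body.
const framedEnv = makeFakeEnvironment(true);
console.log(installFrameBuster(framedEnv.win, framedEnv.doc), framedEnv.win.top.location);
const topEnv = makeFakeEnvironment(false);
console.log(installFrameBuster(topEnv.win, topEnv.doc), topEnv.hider.removed);
```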


3 comments

  1. I agree that Facebook should do more to prevent this. They're lucky it's such an unconvincing attack; I bet it won't be very widespread.

    Here's the attack uncovered for anyone who wants to take a peek (just don't click share):

    http://j.mp/fbclickjacking

    Chris Shiflett - 22nd December 2009 20:11 - #

  2. The view count for this YouTube video is probably the best indicator of the attack's spread:

    http://www.youtube.com/watch?v=abal5F862ss

    Chris Shiflett - 22nd December 2009 21:28 - #

  3. This is actually the second widespread clickjacking attack against Facebook; the first one was even more subtle.

    I once put together a list of Facebook activities that could be executed via clickjacking: http://theharmonyguy.com/2009/10/14/the-dangers-of-clickjacking-with-facebook/

    Given the range of possibilities, I'm also surprised Facebook doesn't offer any kind of clickjacking prevention.

    theharmonyguy - 23rd December 2009 01:49 - #
