Zscaler releases free tool to prevent Facebook 'Likejacking'

Zscaler has developed a free tool to protect Facebook users from ‘Likejacking’ threats and scams.

The tool protects users against hidden Facebook widgets on third-party web pages by requiring explicit confirmation from the user before a click on a suspicious item is passed through to the widget.

Likejacking occurs when users are lured into viewing a video online but are first required to complete surveys and surrender personal information. Once they have done so, a link appears on the user's Facebook profile page encouraging others to ‘Like’ the application.

When the tool is installed in a browser, an icon is displayed in the URL bar whenever a page contains at least one Facebook widget: a red icon if the page is suspicious, a green icon if the page is safe. A pop-up in Chrome, and a toolbar in Safari and Firefox, prompt the user to take action on the page.

In the preferences, users can choose to have all Facebook widgets removed if they never use the ‘Like’ button, to always be asked for explicit confirmation, or to be asked for explicit confirmation only on suspicious pages with hidden widgets. Users can also whitelist domains so that the protections are not applied to those sites.
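The detection and preference logic described in the two paragraphs above, as an added illustration that is not Zscaler's own code: it classifies a page's Facebook plugin iframes as hidden or visible (red/green) and then picks an action from the user's preference mode and whitelist. The hidden-widget heuristics (opacity, size, off-screen placement), the preference mode names and the frame descriptor shape are assumptions made for this example.

```javascript
// Added example, not Zscaler's tool: red/green page classification and the
// preference-driven action for Facebook widgets. Thresholds are assumptions.
const FB_HOST_RE = /(^|\.)facebook\.com$/i;

// True for iframes that load a Facebook social plugin (e.g. /plugins/like.php).
function isFacebookWidget(frame) {
  try {
    const u = new URL(frame.src);
    return FB_HOST_RE.test(u.hostname) && u.pathname.includes("/plugins/");
  } catch (e) {
    return false; // unparsable or relative src: not a Facebook widget
  }
}

// A widget counts as hidden when it is (near-)transparent, not rendered,
// too small to be a real button, or placed entirely outside the viewport.
function isHiddenWidget(frame, viewport) {
  const { opacity = "1", visibility = "visible", display = "inline" } = frame.style;
  const r = frame.rect;
  if (display === "none" || visibility === "hidden") return true;
  if (parseFloat(opacity) < 0.1) return true;
  if (r.width < 8 || r.height < 8) return true;
  return r.x + r.width <= 0 || r.y + r.height <= 0 ||
    r.x >= viewport.width || r.y >= viewport.height;
}

// Mirrors the icon states: "none" (no icon), "safe" (green), "suspicious" (red).
function classifyPage(frames, viewport) {
  const widgets = frames.filter(isFacebookWidget);
  if (widgets.length === 0) return "none";
  return widgets.some((f) => isHiddenWidget(f, viewport)) ? "suspicious" : "safe";
}

// Preference modes: "remove", "confirm-always", "confirm-suspicious" (assumed
// names). Whitelisted page hosts get no protection applied at all.
function decideAction(state, prefs, pageHost) {
  if (state === "none" || prefs.whitelist.includes(pageHost)) return "allow";
  if (prefs.mode === "remove") return "remove";
  if (prefs.mode === "confirm-always") return "confirm";
  return state === "suspicious" ? "confirm" : "allow";
}

// Browser-side collector producing the frame descriptors used above.
function collectFrames(doc = document, win = window) {
  return Array.from(doc.querySelectorAll("iframe")).map((el) => {
    const cs = win.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return { src: el.src,
             style: { opacity: cs.opacity, visibility: cs.visibility, display: cs.display },
             rect: { x: r.left, y: r.top, width: r.width, height: r.height } };
  });
}
```

In a browser, `classifyPage(collectFrames(), { width: innerWidth, height: innerHeight })` gives the icon state for the current page; the static checks above cannot see a widget that merely follows the cursor or sits under a transparent overlay, so a real extension would also watch for such DOM changes.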

Julien Sobrier, senior researcher at Zscaler ThreatLabZ, said the tool does not affect the ability to use the main Facebook site; it simply protects users on other sites featuring widgets from Facebook.

He said: “Our findings are consistent with other security researchers, who estimate that approximately 15 per cent of Facebook videos alone are, in fact, Likejacking attacks. In 2010, for example, hundreds of thousands of Facebook users fell victim to a single scheme.

“Attackers are constantly developing and engineering new tactics and, unfortunately, traditional security products often lack the kind of protection users need to defend themselves. As Web 2.0 sites increase their use of social plug-ins such as the Facebook Like button, attackers are shifting to malicious clickjacking techniques, which are not being detected by browsers.”