Critical Facebook flaw puts users at risk of phishing attacks

Phishing emails are dangerous and annoying. Cybercriminals flood our inboxes with them, hoping to catch us off guard so that we’ll click on their malicious links. Take our phishing IQ test to see if you can spot a fake email.

However, phishing attacks are not limited to email. Scammers have other ways to get you to click, especially on social media.

Have you ever noticed that when you click on a link on Facebook, the link opens in a new window? In theory, this practice can be good for both the social media site and its user. Facebook doesn’t want you to leave, so it stays open on your current tab and you probably don’t want to lose your place in the news feed. Win, win.

Unfortunately, this convenience comes with a critical security flaw on certain social media sites.

Once you click on a link that automatically opens in a new window, the new window has a small amount of access to the page that opened it. Even though that access is limited, it is enough for the new page to load a different website in the original window.

What to look for
Here is a scenario that you need to watch out for. You’re logged into Facebook and click on a link that opens in a new window. Once you’re finished looking at the new page, you go back to the original window and you see a message. The site says that you have been logged out.

No big deal, you think. You will be asked to log back in, and once you do, you've been phished. The site that you just logged into is a malicious site.

Developer Ben Halpern identified a flaw in code on Facebook and Twitter that could allow this phishing attack. Both of these sites have the target="_blank" attribute inserted into their hyperlink code. This is causing the vulnerability.
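The fix on the site side is to pair target="_blank" with rel="noopener", which removes the new window's handle on the page that opened it. The following is an added example, not code from the article or from Facebook or Twitter: it audits an HTML fragment for links that open a new window without that protection and rewrites them. The attribute parser is a small hypothetical helper, and the sample markup is constructed.

```javascript
// Added example (not the article's or either site's code): audit and harden
// anchors against reverse tabnabbing. A target="_blank" link without rel="noopener"
// hands the new page a window.opener handle it can use to navigate the original tab.
// Hypothetical helper: parse the attributes of one <a ...> tag into a map.
// Handles quoted and unquoted values, not every HTML corner case.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}
// True when the anchor opens a new window without cutting the opener link.
function isTabnabbable(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return false;
  const rel = (attrs.rel || "").toLowerCase().split(/\s+/);
  return !rel.includes("noopener");
}
// Audit: return the href of every unsafe anchor in an HTML fragment.
function findUnsafeLinks(html) {
  const unsafe = [];
  const tagRe = /<a\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (isTabnabbable(attrs)) unsafe.push(attrs.href || "");
  }
  return unsafe;
}
// Fix: give every target="_blank" anchor rel="noopener noreferrer"
// (noreferrer additionally withholds the Referer header from the new page).
function hardenLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, body) => {
    const attrs = parseAttrs(body);
    if (!isTabnabbable(attrs)) return tag;
    const rel = new Set((attrs.rel || "").split(/\s+/).filter(Boolean));
    rel.add("noopener").add("noreferrer");
    const stripped = body.replace(/\srel\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i, "");
    return `<a${stripped} rel="${[...rel].join(" ")}">`;
  });
}
// Constructed sample: one unsafe link, one already hardened, one same-tab link.
const SAMPLE = '<p><a href="https://example.com/a" target="_blank">A</a> ' +
  '<a href="https://example.com/b" target="_blank" rel="noopener">B</a> ' +
  '<a href="/home">Home</a></p>';
```

Running findUnsafeLinks(SAMPLE) reports only the first link; after hardenLinks(SAMPLE) the audit returns an empty list.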

Facebook says it uses rate-limiting, which is designed to keep hackers from spreading a massive phishing attack. It also keeps track of suspicious activity to try to stop such attacks. But you need to be careful. These scammers are out to get you.

Instead of clicking links on social media sites, type the other site’s address into your browser. Also, avoid clicking on links inside comments put up by other users.

Of course, to keep your gadgets protected from digital threats you need to be on your toes and have strong security software that is constantly updated for the latest threats.

Free software just does not offer the proper protection anymore. Years ago, when the threats were not as pervasive and cunning as they are now, the free software pretty much worked.

Times have changed. Scammers have gotten trickier. Criminals are in it for the money, not the fun anymore.

For ultimate security for all your devices, we recommend Kaspersky Total Security. This complete package will protect up to five devices, including PCs, Macs, iPhones, iPads, and Android gadgets, from malware infections and attacks, spam and dangerous websites.

