Feb. 13, 2009


Don’t Click My Application

Chris Shiflett has a good write-up on the Twitter “Don’t Click” prank that spread this week.  Hopefully the incident will raise awareness of clickjacking.

In fact, combined with the Facebook Platform, such a prank could be more dangerous.  As Adrienne Felt pointed out long ago, Facebook applications gain access to a wealth of user data, regardless of need.  It would only take one hijacked click for a malicious application to log such information – without the user even realizing an interaction with Facebook occurred.

Fake image of a malicious application request.

I would add that several security/privacy controversies, such as Facebook Beacon and at least many clickjacking attacks, can be solved simply by disabling third-party cookies.  This obviously isn’t an end-all solution, as it can block useful functionality as well, but I’m surprised it isn’t mentioned more often as a good strategy for power users.
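The reasoning behind the third-party cookie point, as an added example that is not part of the original post: a simplified model of a browser's cookie decision for a framed request, showing that with third-party cookies blocked the framed page arrives without a session, so a hijacked click lands on a login prompt instead of an authenticated action. The host names, the `session` cookie name and the two-label "site" rule are assumptions made for illustration; real browsers use the Public Suffix List and differ in how they enforce blocking.

```javascript
// Simplified model (constructed for illustration) of how a browser decides
// whether to attach cookies to a request made from inside a frame.

// Assumption: a "site" is the last two host labels. Real browsers consult
// the Public Suffix List instead.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Cookies the browser would send to requestUrl while the address bar
// shows topLevelUrl.
function cookiesSent(jar, requestUrl, topLevelUrl, blockThirdParty) {
  const requestSite = siteOf(requestUrl);
  const isThirdParty = requestSite !== siteOf(topLevelUrl);
  if (isThirdParty && blockThirdParty) return []; // cross-site frame gets nothing
  return jar.filter((c) => c.site === requestSite).map((c) => c.name);
}

// What a framed page can do with a click depends on whether the session
// cookie arrived with the request.
function framedPageState(jar, frameUrl, topLevelUrl, blockThirdParty) {
  const sent = cookiesSent(jar, frameUrl, topLevelUrl, blockThirdParty);
  return sent.includes('session') ? 'authenticated' : 'login-required';
}

// Constructed sample data: hypothetical hosts and a single session cookie.
const jar = [{ site: 'social.example', name: 'session' }];
const frameUrl = 'https://apps.social.example/authorize';
const embeddingPage = 'https://other.example/page';
const firstPartyPage = 'https://www.social.example/home';

// Third-party cookies allowed: the framed page is logged in.
console.log(framedPageState(jar, frameUrl, embeddingPage, false));
// Third-party cookies blocked: the framed page is logged out.
console.log(framedPageState(jar, frameUrl, embeddingPage, true));
// Blocking does not affect the same frame when it is used on its own site.
console.log(framedPageState(jar, frameUrl, firstPartyPage, true));
```

The third case is the trade-off the post mentions: only embedded cross-site content loses its session, which is also why legitimate third-party widgets stop working.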

