Social media widget jacking

Tuesday February 12, 2013 at 9:00am

It is a constant battle of cat and mouse to stay safe and secure online. Most users are now aware of the dangers but there’s yet another security issue for us all to worry about. Anyone who roams with their laptop, uses hotspots or guest wireless networks needs to read the following.

A while ago there was a Firefox (3rd party internet browser) extension that could easily hijack a stranger's Facebook account when sharing the same WiFi network, like a hotspot or guest wireless network. To quote Wikipedia: “Firesheep is an extension for the Firefox web browser that uses a packet sniffer to intercept unencrypted cookies from websites such as Facebook and Twitter. As cookies are transmitted over networks, packet sniffing is used to discover identities on a sidebar displayed in the browser, and allows the user to instantly take on the log-in credentials of the user by double-clicking on the victim's name.”

In essence it meant that someone could access your account and start using Facebook as if they were you!

A lot of Facebook accounts were indeed compromised. Facebook then responded by tightening the security settings and offered an option under Account Security for SSL (as discussed in Website security: our tips for staying safe). At the time of writing this is still optional, so I would assume that most accounts still don’t have this security feature enabled.

“Widget jacking” is a logical evolution of hijacked Facebook accounts. Facebook have no control of the code behind other websites that embed “Like” links. Those links are embedded lines of code called widgets. Those widgets have never been secured with SSL, making users vulnerable once again to potential hijacking over the airwaves. This weakness is there for all social media widgets used within Twitter, Pinterest and YouTube, so do take care.
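The two weaknesses described above (session cookies sent without the Secure flag, which is what Firesheep read off the air, and social widgets embedded over plain HTTP) can both be checked from a site owner's side. The following is an added example written for this post, not code from the original article or from Facebook: a small auditor that flags widget resources loaded from social-media hosts without HTTPS and Set-Cookie headers that lack the Secure flag. The host list, the HTML snippet and the cookie headers are constructed sample input, not taken from any real site.

```python
"""Audit a page for insecure social widgets and cookies without the Secure flag.

Added example for this article; the host list and sample inputs are assumed
for illustration and do not reflect any real site's markup.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that commonly serve social-media widgets (assumed list for illustration).
SOCIAL_HOSTS = {
    "facebook.com", "connect.facebook.net", "platform.twitter.com",
    "assets.pinterest.com", "youtube.com",
}


class WidgetCollector(HTMLParser):
    """Collects the src/href of script, iframe, img and link elements."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "img", "link"):
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.resources.append(value)


def _is_social_host(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in SOCIAL_HOSTS)


def find_insecure_widgets(html):
    """Return widget URLs embedded over plain HTTP.

    A scheme-relative URL (//host/...) is also flagged: on an HTTP page it is
    fetched over HTTP, so the widget and any cookies it carries go in the clear.
    """
    collector = WidgetCollector()
    collector.feed(html)
    insecure = []
    for url in collector.resources:
        parsed = urlparse(url)
        if not _is_social_host(parsed.netloc):
            continue  # local or non-social resource, out of scope here
        if parsed.scheme in ("http", ""):
            insecure.append(url)
    return insecure


def cookies_missing_secure(set_cookie_headers):
    """Return names of cookies set without the Secure flag.

    Without Secure the browser will also send the cookie over HTTP, which is
    exactly the traffic a sniffer on shared WiFi can read.
    """
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        flags = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in flags:
            missing.append(name)
    return missing


# Constructed sample page: one widget over HTTP, one scheme-relative,
# one correctly over HTTPS, plus an unrelated local script.
SAMPLE_HTML = """
<html><body>
<script src="http://connect.facebook.net/en_US/all.js"></script>
<iframe src="//platform.twitter.com/widgets/tweet_button.html"></iframe>
<script src="https://assets.pinterest.com/js/pinit.js"></script>
<script src="/js/local.js"></script>
</body></html>
"""

# Constructed sample Set-Cookie headers: the session cookie lacks Secure.
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly",
    "prefs=dark; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for url in find_insecure_widgets(SAMPLE_HTML):
        print("widget loaded without HTTPS:", url)
    for name in cookies_missing_secure(SAMPLE_COOKIES):
        print("cookie without Secure flag:", name)
```

Run against real pages, the HTML would come from a fetch of your own site and the headers from the response; the fix on the widget side is to embed every social resource with an explicit https:// URL, and on the cookie side to add the Secure flag (with HttpOnly) so the session cookie is never sent in the clear.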

With the continued growth of smartphones and tablets and the increase in users working in public areas, everybody needs to be aware of the security risks of working in public places over public wireless access. And when it comes to social media it helps to be aware of the security loopholes you might be exposed to.

I personally only ever click on “likes” within Facebook and only on my own friends’ pages. Again, personally, I disable any third-party apps’/sites’ access to my Facebook account.
I also never use my own Facebook account to log in to other websites, because if my Facebook account were ever compromised the hacker could gain access to numerous other sites. It may be convenient, but it certainly poses more of a risk using one account to log in to multiple sites.

Marcus Allen
Parker Management Consultants


Parker Management Consultants, 1st floor, Dominion Court, 43 Station Road, Solihull, B91 3RT