Some Facebook users today saw a comment looking like this (new pix!):
Clicking on the comment that links to
redirects users to the http://fb.59.to web page.
On this page they are given a fake Turing test (a CAPTCHA-style challenge) that tricks them into clicking a "blue button". That button is in fact their own Facebook page, loaded in a hidden, clickjacked frame and positioned so that the click lands on the "Share" button that adds a new comment. The whole web page looks like this (the clickjacked area is marked green):
In the page source we can see that there is an IFRAME element:
<iframe frameborder=0 scrolling=no height=25 width=100 src="2.php?u=http://fb.59.to/?...somehash...." ></iframe><span style=background-color:yellow;><font style=font-size:13 ; color=white>
The target URL (2.php) contains another IFRAME, which in turn contains yet another one, with the target page being:
<div style="left:-90px;top:-386px;position:absolute;" <iframe height=400 width=250 src="http://www.facebook.com/sharer.php?u=http://fb.59.to/?hash" frameborder=0 scrolling=no> </iframe> </div>
Clicking on the button shares the malicious link on Facebook.
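The nested IFRAMEs above only work because the framed Facebook page can be embedded by an arbitrary third-party site. The check a defender wants is whether a response carries a framing policy that would have stopped this. The following audit function is an added example, not code from the original post or from Facebook; it evaluates the two standard defences, X-Frame-Options and the Content-Security-Policy frame-ancestors directive, and the sample header sets are constructed for illustration (they do not reproduce what the real sharer.php sent).

```python
"""Audit HTTP response headers for clickjacking (framing) protection.

Added example, not code from the original post. Given the response headers
of a page, it reports whether an arbitrary third-party origin could load the
page in an iframe, which is the precondition for the attack described above.
"""
from typing import Dict, List, Optional, Tuple


def _parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the sources listed in a CSP frame-ancestors directive, or None
    if the directive is absent. Quotes around keywords are stripped."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_verdict(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether any third-party origin may embed the response in an iframe.

    Returns (frameable_by_third_party, reason). Header names are matched
    case-insensitively. Browsers that understand CSP give frame-ancestors
    precedence over X-Frame-Options, so it is evaluated first.
    """
    h = {name.lower(): value for name, value in headers.items()}

    ancestors = _parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors == ["none"]:
            return False, "CSP frame-ancestors 'none': framing blocked"
        if ancestors == ["self"]:
            return False, "CSP frame-ancestors 'self': only same-origin framing"
        # A bare "*" or a scheme-only source such as "https:" allows any site.
        if any(src == "*" or src in ("http:", "https:") for src in ancestors):
            return True, "CSP frame-ancestors allows any origin"
        return False, "CSP frame-ancestors restricted to: " + " ".join(ancestors)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options DENY: framing blocked"
    if xfo == "SAMEORIGIN":
        return False, "X-Frame-Options SAMEORIGIN: only same-origin framing"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete and only ever honoured by some browsers; treat as a
        # restriction but flag it so it gets replaced by frame-ancestors.
        return False, "X-Frame-Options ALLOW-FROM (obsolete, partial browser support)"
    if xfo:
        # Browsers ignore unrecognised values, so the page is effectively unprotected.
        return True, "X-Frame-Options has invalid value %r and is ignored" % xfo

    return True, "no framing protection: any site can embed this page in an iframe"


# Constructed sample header sets for the audit (not captured from a real server).
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "xfo_invalid": {"X-Frame-Options": "ALLOWALL"},
    "csp_overrides_xfo": {
        "X-Frame-Options": "ALLOWALL",
        "content-security-policy": "frame-ancestors 'none'",
    },
}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        frameable, reason = framing_verdict(hdrs)
        print("%-18s frameable=%-5s %s" % (name, frameable, reason))
```

Run it as a script to see a verdict per sample; in practice feed it the headers returned by a HEAD or GET request against the endpoint you want to protect. A `True` verdict on a page that performs a state-changing action on click (such as posting a share) is exactly the condition the fb.59.to pages exploit.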
The page has a meta-redirect set up to a YouTube movie that launches after 12 seconds, so users might get the impression that the movie launched because they successfully passed the Turing test.
Update: The attack does not work in IE and Opera, but only because of incorrect HTML used in one of the pages on this malicious site. A simple fix to the HTML makes both browsers vulnerable to the attack as well.
Thanks go to Grzegorz Ciborowski and Pawel Czernikowski for detecting the attack.