» IT Security NEWS
» 26 November 2009
Facebookers Victimized by Erotic Clickjacking Exploit

A widespread clickjacking exploit that displayed pictures of a nearly nude woman without asking the user for authorization was blocked by Facebook administrators last Monday. The insidious bait-and-switch code was identified after a victimized user reported the image of a scantily clad lady on a friend's page, which beckoned him to click a button by promising "something hot".

For background, the clickjacking susceptibility (first reported on this site in the article "Clickjacking Design Flaw Possible Target of Hackers") is a design flaw that enables clickjackers to trick users into clicking a URL that they never intended to click. The hole is made possible by overlaying a concealed iframe on top of a visible link or button, so the click lands on the hidden element. Nearly every website is vulnerable to this trick, and sites producing large amounts of UGC (user-generated content) in particular are the perfect launch pads for such attacks.
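The overlay described above only works if the targeted page can be loaded inside a third-party iframe at all. The following is an added example, not code from the original article or from Facebook, that checks a page's HTTP response headers for the framing protections defenders rely on: the `X-Frame-Options` header and the CSP `frame-ancestors` directive (both real headers; the sample header sets at the bottom are constructed for illustration).

```javascript
// Parse the frame-ancestors source list out of a Content-Security-Policy
// header value; returns null when the directive is absent.
function parseFrameAncestors(csp) {
  // CSP directives are ';'-separated, each one is "name source source ..."
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Decide whether a response can be embedded by an arbitrary site.
// CSP frame-ancestors takes precedence over X-Frame-Options when both exist.
function assessFramingProtection(headers) {
  // normalise header names so lookups are case-insensitive
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const csp = h['content-security-policy'];
  if (csp) {
    const sources = parseFrameAncestors(csp);
    if (sources) {
      if (sources.includes("'none'")) return { protected: true, via: 'csp', policy: 'deny' };
      if (sources.includes('*')) return { protected: false, via: 'csp', policy: 'any' };
      return { protected: true, via: 'csp', policy: sources.join(' ') };
    }
  }
  const xfo = h['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return { protected: true, via: 'xfo', policy: 'deny' };
    if (value === 'SAMEORIGIN') return { protected: true, via: 'xfo', policy: 'sameorigin' };
    // anything else (e.g. the obsolete ALLOW-FROM) is ignored by current browsers
    return { protected: false, via: 'xfo', policy: value };
  }
  return { protected: false, via: 'none', policy: 'frameable' };
}

// Constructed sample header sets: the weak one beside the hardened one.
const UNPROTECTED_HEADERS = { 'Content-Type': 'text/html' };
const HARDENED_HEADERS = {
  'Content-Type': 'text/html',
  'X-Frame-Options': 'SAMEORIGIN',
  'Content-Security-Policy': "frame-ancestors 'self'",
};
```

Run the check against each state-changing page (buttons, forms, "like" widgets); a result with `protected: false` means the page can be placed under a transparent overlay by any site.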

Facebook users who were ensnared by the trap while signed in soon saw their own profile pages modified to include the same photograph. As the number of people tricked by the ruse grew, the image spread even faster to further potential victims, giving the clickjacking code a viral quality. The IT security researchers who first identified the hoax attributed it to a cross-site request forgery (CSRF) bug that currently affects the Facebook website.

However, the social network's spokesman vehemently challenged that assertion, stating that the attack was the result of a standalone clickjacking scam rather than the exploitation of a vulnerability. Simon Axten, Facebook's spokesman, insists in an email reply that the problem is not exclusive to Facebook (without citing any clickjacking examples from other social networks), and goes on to assure that the site is always working hard to improve its services and that extra security measures will be implemented soon to stymie this type of menace.

Axten further lists the preventive measures and damage control that the Facebook administration has instituted since the discovery of the viral clickjacking campaign, which included cleaning up the "relatively few cases" where the erotic image was posted (something that email providers could not do, he claimed) and blocking the web address associated with the entire clickjacking debacle.

© Copyright 1999-2012: SecPoint®