Chameleon Attack Manipulates Your ‘Likes’ On Social Media

Researches from Ben-Gurion University of the Negev (BGU), Israel, have discovered a new cyber attack threatening social media platforms. The attack dubbed ‘Chameleon’ may allow changing the content you liked or posts you commented on without notice. Successful exploitation would leave people wondering when did they like a particular post, image, or video.

As stated by the researchers in their paper,

The major OSNs (Facebook, Twitter, and LinkedIn) allow publishing redirect links, and they support link preview updates. This allows changing the way a post is displayed without any indication that the target content of the URLs has been changed.

The attack works not because of a security vulnerability, rather because of a design flaw. Mentioning the possible impacts of a Chameleon attack, the researches stated:

Using this technique, adversaries can, for example, avoid censorship by concealing true content when it is about to be inspected; acquire social capital to promote new content while piggybacking a trending one; cause embarrassment and serious reputation damage by tricking a victim to like, retweet, or comment a message that he wouldn’t normally do without any indication for the trickery within the OSN.

The researchers have presented a detailed exploit with all technicalities in a research paper. The following video demonstrates the attack scenario. You can also test it yourself via the Facebook experiment set up by the researchers.

Keep An Eye On The Content You Like

For now, there isn’t any fool-proof strategy to mitigate this attack. So, users on LinkedIn, Facebook, Twitter, should remain cautious.

While WhatsApp and Instagram largely remain safe from Chameleon attacks, Reddit and Flickr are somewhat susceptible.

Though, for now, despite sharing details on GitHub, the researchers haven’t shared the source code to prevent misuse.

Let us know your thoughts in the comments.

Reference: Source link

Sr. SDET M Mehedi Zaman

Currently working as Sr. SDET at Robi Axiata Limited, a subsidiary of Axiata Group. As a Senior SDET: - Played a key role in introducing Agile Scrum methodology and implementing CI/CD pipeline to ensure quality & timely delivery. - Trained colleagues on emerging technologies, e.g. Apache Spark, Big Data, Hadoop, Internet of Things, Cloud Computing, AR, Video Streaming Services Technology, Blockchain, Data Science- Developed a test automation framework for Android and iOS apps - Developed an e2e web automation framework with Pytest - Performed penetration testing of enterprise solutions to ensure security and high availability using Kali, Burp Suite etc. - Learned Gauntlet security testing automation framework and shared the lesson learned in a knowledge sharing session

Leave a Reply

Your email address will not be published. Required fields are marked *