Researchers from Ben-Gurion University of the Negev (BGU), Israel, have discovered a new cyber attack threatening social media platforms. The attack, dubbed ‘Chameleon’, may allow changing the content you liked or the posts you commented on without notice. Successful exploitation would leave people wondering when they liked a particular post, image, or video.
As stated by the researchers in their paper,
The major OSNs (Facebook, Twitter, and LinkedIn) allow publishing redirect links, and they support link preview updates. This allows changing the way a post is displayed without any indication that the target content of the URLs has been changed.
The attack exploits a design flaw rather than a security vulnerability. Describing the possible impacts of a Chameleon attack, the researchers stated:
Using this technique, adversaries can, for example, avoid censorship by concealing true content when it is about to be inspected; acquire social capital to promote new content while piggybacking a trending one; cause embarrassment and serious reputation damage by tricking a victim to like, retweet, or comment a message that he wouldn’t normally do without any indication for the trickery within the OSN.
The researchers have presented a detailed exploit with all technicalities in a research paper. The following video demonstrates the attack scenario. You can also test it yourself via the Facebook experiment set up by the researchers.
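The mechanism the researchers describe, a redirect link whose destination is swapped after the preview was generated, can be checked for on the user's side. The following is an added example, not code from the researchers or the platforms: it snapshots where a posted link resolves (final URL after redirects plus a hash of the landing page) at interaction time and re-checks it later. The fetcher callable and the constructed offline "web" tables are assumptions for running it without network access.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Assumption: a fetcher returns (redirect_target_or_None, body_bytes) for a URL
# without following redirects itself, so every hop is visible to us.
Fetcher = Callable[[str], Tuple[Optional[str], bytes]]

MAX_HOPS = 10  # cap the redirect chain so a looping redirector cannot hang us

@dataclass(frozen=True)
class LinkSnapshot:
    posted_url: str   # the URL as it appears in the post
    final_url: str    # where it landed when the user interacted with it
    body_sha256: str  # hash of the landing page at that time

def resolve(url: str, fetch: Fetcher) -> Tuple[str, bytes]:
    """Follow redirects hop by hop from the posted URL to the landing page."""
    seen = set()
    for _ in range(MAX_HOPS):
        if url in seen:
            raise ValueError(f"redirect loop at {url}")
        seen.add(url)
        target, body = fetch(url)
        if target is None:
            return url, body
        url = target
    raise ValueError("too many redirects")

def snapshot(posted_url: str, fetch: Fetcher) -> LinkSnapshot:
    final_url, body = resolve(posted_url, fetch)
    return LinkSnapshot(posted_url, final_url, hashlib.sha256(body).hexdigest())

def check(old: LinkSnapshot, fetch: Fetcher) -> Dict[str, bool]:
    """Re-resolve the same posted URL and report what changed since the snapshot."""
    new = snapshot(old.posted_url, fetch)
    return {
        "target_changed": new.final_url != old.final_url,
        "content_changed": new.body_sha256 != old.body_sha256,
    }

# Constructed offline "web": the short link first points at a harmless page,
# then the redirect target is swapped while the posted URL stays the same.
def make_fetcher(table: Dict[str, Tuple[Optional[str], bytes]]) -> Fetcher:
    return lambda u: table[u]

WEB_BEFORE = {
    "https://short.example/abc": ("https://kittens.example/", b""),
    "https://kittens.example/": (None, b"<h1>Cute kittens</h1>"),
}
WEB_AFTER = {
    "https://short.example/abc": ("https://other.example/", b""),
    "https://other.example/": (None, b"<h1>Something else</h1>"),
}
```

A real fetcher would issue the request with automatic redirect following disabled and return the Location header as the target; the comparison logic is unchanged.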
Keep An Eye On The Content You Like
For now, there isn’t any fool-proof strategy to mitigate this attack, so users on LinkedIn, Facebook, and Twitter should remain cautious.
While WhatsApp and Instagram largely remain safe from Chameleon attacks, Reddit and Flickr are somewhat susceptible.
For now, although the researchers have shared details on GitHub, they have withheld the source code to prevent misuse.
Let us know your thoughts in the comments.