Oct. 14, 2009

Posted by in Facebook | 1 comment

The Dangers of Clickjacking with Facebook

Clickjacking is an admittedly difficult problem to solve entirely, though I question why invisible iframes are necessary. Still, a few techniques to combat the attack exist, such as frame-busting scripts. Twitter implemented this approach after a proof-of-concept attack circulated earlier this year, at the time, several researchers speculated on the ramifications for other sites, such as Facebook.

I’ve noted previously that authorizing a Facebook application requires only a single click, even if you’ve exempted your profile from the Facebook Platform. After noticing another possible clickjacking attack vector, I began compiling a list of single-click actions that should give any Facebook user pause. All of the following actions can be mistakenly performed by a user simply clicking a link or button on an innocent-looking page via clickjacking:

  • Authorize a malicious application. This can happen regardless of any privacy settings. On authorization, an application can immediately access your profile information, your photos, your posted links, your notes, your status updates, etc. It can also send notifications to your profile, send notifications to other people (anonymously or from you), and post feed stories to your wall, all with links included. Note that under default privacy settings, an application can access most of your data if a friend of yours falls prey to this type of attack.
  • Authorize a legitimate application with a cross-site scripting exploit. Most applications vulnerable to such an attack allow for clickjacking installs, where a single click authorizes the application and then forwards a user to an infected application page. That landing page can then execute any of the actions listed above for a malicious application. Note that if a friend falls for this attack and you have authorized the application, all of your data is vulnerable as well.
  • Post a link to your profile. This is possible by applying clickjacking to several Facebook pages used for sharing content. A custom title and description can be set for the link. Other content, such as a Flash video, can also be posted this way.
  • Publish a feed story from a malicious application. Note that this can work regardless of whether you have authorized the application. Applications may publish feed stories prior without authorization by a single click, though this does not grant them access to a user’s data. The feed story may include images, descriptive text, and links. The application can also pre-populate the user’s comments on the story, which would then be submitted upon execution of the clickjacking attack.
  • Send a message to another user. The recipient, subject, and message content, including links, can all be pre-populated. This no longer gives the recipient more access to data than usual, but could still be easily used to spread malware.
  • Send a friend request to another user. This means that a victim could unknowingly send a friend request to a malicious attacker’s profile, and the attacker would simply need to approve the request to gain access to everything on a user’s profile that their friends can access by default.
  • Harvest a user’s post_form_id. Those familiar with Facebook’s code will realize how serious this issue is. However, exploiting a post_form_id also requires knowing a user’s Facebook ID, and so far this attack does not provide the latter.

This list is not simply theoretical – I did some simple testing to make sure that each of these attacks worked. I also would not pretend that my list is exhaustive, and I would welcome any additions from other researchers.

Most of these are already known or fairly trivial to figure out. I am not aware of anyone reporting my method for the last attack, however, and I will be reporting the details of it to Facebook, as I believe it involves a code issue that can be patched apart from any clickjacking protection. Update: Facebook pushed a fix last night which I’ve confirmed. The hole came from a dialog page that one could load via a POST request. Outside its normal context, clicking the submit button on the page would forward a user back to the referring page but with the post_form_id appended.

I hope this list will help raise awareness of the potential dangers of clickjacking. Creating a Facebook version of Twitter’s “don’t click” worm would be fairly simple, and as this list indicates, one could do far more than simply post a link in the process.

  1. Thank you ever so for you article.Really thank you! Want more.

Trackbacks/Pingbacks

  1. Tweets that mention The Dangers of Clickjacking with Facebook | Social Hacking -- Topsy.com - [...] This post was mentioned on Twitter by theharmonyguy, SocialMediaSecurity. SocialMediaSecurity said: The Dangers of Clickjacking with Facebook http://bit.ly/ZwCAa [...]
  2. Facebook Worm Uses Clickjacking in the Wild | Social Hacking - [...] perhaps worth noting that the possibility of such a worm has been pointed out before, including on this blog: ...
  3. Tech Thursday – a list of links to check once or twice… | Techno Portal - [...] is still a very much alive security threat as The Dangers of Clickjacking with Facebook [...]
  4. Social Media Security » Facebook Worm Uses Clickjacking in the Wild - [...] perhaps worth noting that the possibility of such a worm has been pointed out before, including on this blog: ...
  5. » Facebook Can Be Clickjacked Tech Giraffe - [...] clickjacking threats on Facebook. A self-proclaimed white hat hacker who goes by the name “theharmonyguy” wrote about it on ...
  6. Researchers: Facebook vulnerable to clickjacking - [...] clickjacking threats on Facebook. A self-proclaimed white hat hacker who goes by the name “theharmonyguy” wrote about it on ...
  7. More Recent Security Problems with the Facebook Platform | Social Hacking - [...] Facebook pages in iframes and they would not have clickjacking protection enabled. This would allow previously described clickjacking attacks ...
  8. Der Angriff der Clickjacking-Würmer, "Likejacking" und "Buttonjacking" - Dipl.-Inform. Carsten Eilers - [...] Oktober 2009 warnte 'theharmonyguy' vor den Gefahren eines Clickjacking-Angriffs auf Facebook. 'theharmonyguy' hatte im [...]

Leave a Reply