Security Risks: The Dangers of Clickjacking with Facebook

Clickjacking is a difficult problem.....several researchers speculated on the ramifications for other sites, such as Facebook.

...Authorizing a Facebook application requires only a single click....All of the following actions can be mistakenly performed by a user simply clicking a link or button on an innocent-looking page via clickjacking:
  • Authorize a malicious application. This can happen regardless of any privacy settings. On authorization, an application can immediately access your profile information, your photos, your posted links, your notes, your status updates, etc. It can also send notifications to your profile, send notifications to other people (anonymously or from you), and post feed stories to your wall, all with links included. Note that under default privacy settings, an application can access most of your data if a friend of yours falls prey to this type of attack.
  • Authorize a legitimate application with a cross-site scripting exploit. Most applications vulnerable to such an attack allow for clickjacking installs, where a single click authorizes the application and then forwards a user to an infected application page. That landing page can then execute any of the actions listed above for a malicious application. Note that if a friend falls for this attack and you have authorized the application, all of your data is vulnerable as well.
  • Post a link to your profile. This is possible by applying clickjacking to several Facebook pages used for sharing content. A custom title and description can be set for the link. Other content, such as a Flash video, can also be posted this way.
  • Publish a feed story from a malicious application. Note that this can work regardless of whether you have authorized the application. Applications may publish feed stories prior without authorization by a single click, though this does not grant them access to a user’s data. The feed story may include images, descriptive text, and links. The application can also pre-populate the user’s comments on the story, which would then be submitted upon execution of the clickjacking attack.
  • Send a message to another user. The recipient, subject, and message content, including links, can all be pre-populated. This no longer gives the recipient more access to data than usual, but could still be easily used to spread malware.
  • Send a friend request to another user. This means that a victim could unknowingly send a friend request to a malicious attacker’s profile, and the attacker would simply need to approve the request to gain access to everything on a user’s profile that their friends can access by default.
  • Harvest a user’s post_form_id. Those familiar with Facebook’s code will realize how serious this issue is. However, exploiting a post_form_id also requires knowing a user’s Facebook ID, and so far this attack does not provide the latter.
This list is not simply theoretical – I did some simple testing to make sure that each of these attacks worked. I also would not pretend that my list is exhaustive, and I would welcome any additions from other researchers.

I hope this list will help raise awareness of the potential dangers of clickjacking.
Read the full article from Social Hacking here

See also:

Copyright © Jewish Internet Defense Force
All Rights Reserved

The views expressed on this website do not necessarily reflect the views of the JIDF. The content is not intended to malign any religion, ethnic group, club, organization, company or individual. This site's intention is to do no harm, to not injure others, defame, or libel. All data and information provided on this site is for informational, educational, and/or entertainment purposes only. The Jewish Internet Defense Force (JIDF) makes no representations as to accuracy, currentness, correctness, suitability, or validity of any information on this site and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use, or access to this site. We are not responsible for translation or interpretation of content. We are not responsible for defamatory statements bound to government, religious or other laws from the reader’s country of origin. All information is provided on an as-is basis with no warranties, and confers no rights. We are not responsible for the actions, content, accuracy, opinions expressed, privacy policies, products or services or for any damages or losses, directly or indirectly, caused or alleged to have been caused as a result of your use or reliance on such information on the Jewish Internet Defense Force site. This site includes links to other sites and blogs operated by third parties. These links are provided as a convenience to you and as an additional avenue of access to the information contained therein. We have not reviewed all of the information on other sites and are not responsible for the content of any other sites or any products or services that may be offered through other sites. The inclusion of these links in no way indicates their endorsement, support or approval of the contents of this site or the policies or positions of the JIDF. We have the right to edit, remove or deny access to content that is determined to be, in our sole discretion, unacceptable. These Terms and Conditions of Use apply to you when you view, access or otherwise use this blog and the Website. The JIDF is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to
Related Posts with Thumbnails