Security Risks: The Dangers of Clickjacking with Facebook

Quotable

"It is better to deserve honors and not have them than to have them and not to deserve them."
-Mark Twain

"It is better to fail in originality than to succeed in imitation."
-Herman Melville

"Jake: Ma'am, would it make you feel any better if we told you that what we're asking Matthew to do is a holy thing? Elwood: You see, we're on a mission from G-d."
-The Blues Brothers

"You might know who we are, but we KNOW who you are, you understand?"
-Jimmy (Goodfellas)

"Do not follow where the path may lead. Go, instead, where there is no path a nd leave a trail."
-Ralph Waldo Emerson

"It is better to be hated for what you are than to be loved for something you are not."
-André Gide

"Science without religion is lame. Religion without science is blind."
-Einstein

"The entire purpose of our existence is to overcome our negative habits."
- Vilna Goan

"if we were forced to choose just one, there would be no way to deny that Judaism is the most important intellectual development in human history."
- David Gelernter

"Because of the movies I make, people get nervous, because they think of me as difficult and angry. I am difficult and angry, but they don't expect a sense of humor. And the only thing that gets me through is a sense of humor.....It's a very savage kind of humor, it comes out of a great deal of pain."
-Martin Scorsese

"The only thing that interferes with my learning is my education."
-Einstein

"If all anti-Semitism could be made, by magic, to disappear, the American Jew would still face a problem of survival. The disease of assimilation and alienation of Jewish youth from its heritage and people is often spoken about, but its full gravity and danger are not comprehended by most of us. We face the problem of young Jews by the hundreds whose lack of Jewish identity and pride and whose Jewish rootlessness combine to drive them into foreign fields and hostile ideologies....At the same time, in Israel, the ironic growth of a similar Jewish identity crisis has arisen to plague the state with young Jews who identify with the state but not the Jewish people and whose alienation from Jewish heritage and tradition has now been joined by weakening of ties with their fellow Jews in exile."
-Rabbi Meir Kahane

"Jewish survival and redemption are proof eternal and ultimate that the world is not governed by logic, by sanity or by man. It is controlled and decreed by G-d."
-Rabbi Meir Kahane

"Keep away from those who try to belittle your ambitions. Small people always do that, but the really great make you believe that you too can become great."
-Mark Twain

"The only real laughter comes from despair."
-Groucho Marx

"The Jew who makes his body bend to his will is a man who has no chains on his arms. The Jew who hears the cry of fellow Jews and casts off from himself the vanities and nonsense of money and sterile status ... and leaps into the waters of duty – this is a man who has come out of Egypt."
-Rabbi Meir Kahane

"Coincidence is God's way of remaining anonymous."
-Einstein

"If a Jew doesn't make Kiddush (to sanctify himself by maintaining a distinctly Jewish lifestyle), then the non-Jew will make Havdalah for him (by making the Jew realize he is truly different)."
- R' Chaim of Volozhin

"What is the Jew?...What kind of unique creature is this whom all the rulers of all the nations of the world have disgraced and crushed and expelled and destroyed; persecuted, burned and drowned, and who, despite their anger and their fury, continues to live and to flourish. What is this Jew whom they have never succeeded in enticing with all the enticements in the world, whose oppressors and persecutors only suggested that he deny (and disown) his religion and cast aside the faithfulness of his ancestors?! The Jew - is the symbol of eternity. ... He is the one who for so long had guarded the prophetic message and transmitted it to all mankind. A people such as this can never disappear. The Jew is eternal. He is the embodiment of eternity."
- Leo Tolstoy

"It is certain that the Jew, if he desired-or if they were driven to it, as the antisemites seem to wish-could now have the ascendancy, nay, literally the supremacy, over Europe; that they are not working or planning for that end is equally sure... The resourcefulness of the modern Jews, both in mind and soul, is extraordinary..."
-Nietzsche

"One of the great problems with Americans is that - being a decent people - they assume that everyone else is equally decent."
-Rabbi Meir Kahane

"It's discourging to think how many people are shocked by honesty and how few by deceit."
-Sir Noël Coward

"For so long as the Jew has even one ally, he will be convinced - in his smallness of mind - that his salvation came from that ally. It is only when he is alone - against all of his own efforts and frantic attempts - that he will, through no choice, be compelled to turn to G-d."
-Rabbi Meir Kahane

"It's my experience that folks who have no vices have generally very few virtues."
-Abe Lincoln (unsourced)

"Love has its place, as does hate. Peace has its place, as does war. Mercy has its place, as do cruelty and revenge....Never, ever deal with terrorists. Hunt them down and, more important, mercilessly punish those states and groups that fund, arm, support, or simply allow their territories to be used by the terrorists with impunity.....No trait is more justified than revenge in the right time and place."
-Rabbi Meir Kahane Zt'l

Security Risks: The Dangers of Clickjacking with Facebook

Clickjacking is a difficult problem.....several researchers speculated on the ramifications for other sites, such as Facebook.

...Authorizing a Facebook application requires only a single click....All of the following actions can be mistakenly performed by a user simply clicking a link or button on an innocent-looking page via clickjacking:

Authorize a malicious application. This can happen regardless of any privacy settings. On authorization, an application can immediately access your profile information, your photos, your posted links, your notes, your status updates, etc. It can also send notifications to your profile, send notifications to other people (anonymously or from you), and post feed stories to your wall, all with links included. Note that under default privacy settings, an application can access most of your data if a friend of yours falls prey to this type of attack.

Authorize a legitimate application with a cross-site scripting exploit. Most applications vulnerable to such an attack allow for clickjacking installs, where a single click authorizes the application and then forwards a user to an infected application page. That landing page can then execute any of the actions listed above for a malicious application. Note that if a friend falls for this attack and you have authorized the application, all of your data is vulnerable as well.

Post a link to your profile. This is possible by applying clickjacking to several Facebook pages used for sharing content. A custom title and description can be set for the link. Other content, such as a Flash video, can also be posted this way.

Publish a feed story from a malicious application. Note that this can work regardless of whether you have authorized the application. Applications may publish feed stories prior without authorization by a single click, though this does not grant them access to a user’s data. The feed story may include images, descriptive text, and links. The application can also pre-populate the user’s comments on the story, which would then be submitted upon execution of the clickjacking attack.

Send a message to another user. The recipient, subject, and message content, including links, can all be pre-populated. This no longer gives the recipient more access to data than usual, but could still be easily used to spread malware.

Send a friend request to another user. This means that a victim could unknowingly send a friend request to a malicious attacker’s profile, and the attacker would simply need to approve the request to gain access to everything on a user’s profile that their friends can access by default.

Harvest a user’s post_form_id. Those familiar with Facebook’s code will realize how serious this issue is. However, exploiting a post_form_id also requires knowing a user’s Facebook ID, and so far this attack does not provide the latter.

This list is not simply theoretical – I did some simple testing to make sure that each of these attacks worked. I also would not pretend that my list is exhaustive, and I would welcome any additions from other researchers.

I hope this list will help raise awareness of the potential dangers of clickjacking.

Read the full article from Social Hacking here

See also:

JOIN US

LEGAL:

The views expressed on this website do not necessarily reflect the views of the JIDF. The content is not intended to malign any religion, ethnic group, club, organization, company or individual. This site's intention is to do no harm, to not injure others, defame, or libel. All data and information provided on this site is for informational, educational, and/or entertainment purposes only. The Jewish Internet Defense Force (JIDF) makes no representations as to accuracy, currentness, correctness, suitability, or validity of any information on this site and will not be liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use, or access to this site. We are not responsible for translation or interpretation of content. We are not responsible for defamatory statements bound to government, religious or other laws from the reader’s country of origin. All information is provided on an as-is basis with no warranties, and confers no rights. We are not responsible for the actions, content, accuracy, opinions expressed, privacy policies, products or services or for any damages or losses, directly or indirectly, caused or alleged to have been caused as a result of your use or reliance on such information on the Jewish Internet Defense Force site. This site includes links to other sites and blogs operated by third parties. These links are provided as a convenience to you and as an additional avenue of access to the information contained therein. We have not reviewed all of the information on other sites and are not responsible for the content of any other sites or any products or services that may be offered through other sites. The inclusion of these links in no way indicates their endorsement, support or approval of the contents of this site or the policies or positions of the JIDF. We have the right to edit, remove or deny access to content that is determined to be, in our sole discretion, unacceptable. These Terms and Conditions of Use apply to you when you view, access or otherwise use this blog and the Website. The JIDF is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to amazon.com.

JIDF in the Media

Since going public with our activities in May 2008, we have received a steady stream of international media coverage and attention. To view some of the press about us, scroll down and click the headlines:

Exposing Antisemitism & Terrorism 2.0

JIDF shuts them down! - Combating hate and terror online
Jewish Herald Voice
December 21, 2009

The Rise and Fall of a Facebook Hate Group
First Monday
November 3, 2008

Hatred & Antisemtism Online
Jewish News Agency - Argentina
September 4, 2008

Facebook und Google Earth: Antisemitismus im Web 2.0
FAZ (German)
October 14, 2008

Facebook and Google Earth: Antisemitism in Web 2.0
FAZ (English Translation)
October 14, 2008

Еврейские силы интернет-обороны" атаковали антисемитское сообщество в Facebook
Russian News
August 1, 2008

Anti-Israel Facebook Groups Infiltrated
Canadian Jewish News
August 7, 2008

Israel - Facebook: "Anti-Semitic" group hijacked by Jewish Force
The Coordination Forum for Countering Antisemitism
July 31, 2008

Anti-Semitic group hijacked by Jewish Force
Telegraph UK
July 31, 2008

Fighting back on Facebook
HonestReporting
July 31, 2008

Facebook Smackdown By the Numbers
HonestReporting
July 30, 2008

Jewish Internet Defense Force 'seizes control' of anti-Israel Facebook group
Jerusalem Post
July 29, 2008

Jewish Activists Hack Anti-Semitic Facebook Group
Israel National News
July 27, 2008

Jewish Activist Battles for Israel on Facebook
Israel National News
April 3, 2008

Facebook allows hate sites, ignores warnings, says group
BreakingNews.com
December 16, 2008

Solidarity with Israel:

The Arab-Israeli conflict 2.0
5 Towns Jewish Times
December 11, 2009

Blogs, YouTube: the new battleground of Gaza conflict
CS Monitor
January 23, 2009

Gaza crisis spills onto the web
BBC
January 14, 2009

NYT Journalist: Israelis dislike Obama due to Racism
Israel National News
April 17, 2010

NIF Staffer Accuses Israel Of State Terrorism
Five Towns Jewish Times
April 17, 2010

Internet Forces Watching Israel’s Back in Gaza, Global anti-Israel Protests
Chesler Chronicles
December 29, 2008

An online battle for Israel's legitimacy
Ha'aretz
November 16, 2008

Twitter, Facebook users show solidarity with QassamCount
Jerusalem Post
January 4, 2009

Gaza Wars — On Facebook
Jewish Week
December 30, 2008

Against Holocaust Denial:

Facebook, Holocaust Denial, and Anti-Semitism 2.0 (report)
Jerusalem Center for Public Affairs
September 15, 2009

The rise of Hate 2.0
BBC
June 22, 2009

Call for hate groups to be taken offline
The National (UAE)
June 14, 2009

Facebook Refuses to Ban All Holocaust Denial Groups
Australian Jewish News
May 19, 2009

Is Facebook Changing its Tune on Holocaust Deniers?
CS Monitor
May 11, 2009

Twitter Campaign for Gilad Shalit:

"Tweet4Shalit" Campaign Reaches #2 Spot on Twitter
Jerusalem Post
August 27, 2009

Happy Birthday for Gilad Shalit?
Israel National News
August 7, 2009

WEB EXCLUSIVE: Tweeting For Shalit
Jewish Week
August 26, 2009

Against "Hate Israel" groups on Facebook:

'Facebook doesn't bar hate content against Jews'
Jerusalem Post
August 27, 2009

Facebook ignores calls to close 'Hate Israel' group
Jerusalem Post
April 22, 2009

Facebook Groups Promoting Hatred of Israel
Jewish News Agency, Argentina
May 9, 2009

Jewish anti-racist activists fight uphill battle with Facebook
Jerusalem Post
May 7, 2009

Against Nasrallah on Facebook

Social media users successfully face down Nasrallah on Facebook
Jerusalem Post
July 29, 2009

Facebook Singling Out Founder of JIDF

Facebook takes down activist who fights antisemitism, terror
Jewish Tribune
October 6, 2009

Internet Activist No Friend of Facebook
New York Jewish Week
September 30, 2009

General

100 Most Influential Jewish Twitterers (JIDF Ranked #1 Jewish NewsWire on Twitter)
JTA
May 1st, 2009

Digital World: Community Organizing 2.0
Jerusalem Post
May 12, 2009

Academic Reports

Facebook, Holocaust Denial, and Anti-Semitism 2.0
Post-Holocaust and Anti-Semitism Series, No. 86, JCPA
15 September 2009

KEEP THE FIGHT ALIVE

SHOP JIDF!

Quotable

Quote of the Moment

Categories

Archive

Security Risks: The Dangers of Clickjacking with Facebook

JOIN US

JIDF in the Media

SHOW JIDF PRIDE!

NEVER FORGET