Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Clickjacking attacks on Facebook's Like plugin - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Clickjacking attacks on Facebook's Like plugin

In last couple of days there has been an outbreak of clickjacking attacks on Facebook's "Like" plugin. For those unfamiliar with Facebook, this plugin allows users to mark certain pages as interesting, and subsequently in their profile a statement will appear that they "like" certain content.

Since we received a lot of e-mails from our readers about these attacks (and certainly some media covered variants of them), I decided to analyze one which is still up and working as I found it pretty interesting.

The main idea of this attack is to get a user to click on a hidden link while the user thinks he is actually clicking on something else – this is the basis for clickjacking attacks. So, let's see how it's done in Facebook's example.

The main malicious web page tries to entice the user to click on it to see the rest of the so called "best passport application rejection in history". The web page just contains a single JPG image and you can see below what it looks like:

Site that exploits clickjacking

Now, what happens behind the scenes is pretty interesting. The HTML source contains two obfuscated JavaScript elements and an iframe that do all the work.

Let's first see what the iframe does:

Iframe

The div tag sets this iframe completely invisible (and the attacker makes sure that this works in every browser by using all the possible opacity combinations). Then the iframe points to the Like plugin at Facebook, and sets the href parameter to the target web site (the credittreport.info site).

This is what shows in the iframe:

Facebook Like button

Yes, there are 15,687 people "infected" with this.
Now comes the interesting part – how to make the user click on this, relatively small icon. The second obfuscated JavaScript element tells the rest of the story:

Deobfuscated JavaScript code

Let's analyze this JavaScript code. In line 2 they get the "icontainer" element – this element holds the iframe, you can see in the iframe code above that the div tag uses the id "icontainer". The standardbody object will contain the document body. Now, let's skip to line 21 – this line defines a handler for mouse movement. So, every time the mouse is moved, this function, starting with line 22 is called. The function checks if the iflag variable is 0 (and it is, until the user clicks on the hidden element). If the variable is 0, the mouse movement handler will call the mouseFollower() function. And this is the main trick – the mouseFollower() function actually moves the iframe to follow the mouse! So the attackers made sure that no matter where you click on the web page, you will land on the hidden Facebook button and "infect" yourself by posting a message on your profile saying that you like this malicious site. When a friend of yours click on that link, he/she will be taken to this web page again and no matter where they click, they will end up doing the same! If you close the window, nothing will happen.

Attacks such as this one have become increasingly popular lately, so be careful what you click on, no matter if it's in Facebook or not. If you are a  Facebook user, be especially careful of all links, especially those that require you to click on something else to see the real content.

While this isn't really a vulnerability in Facebook, it does appear that their team will have to step up and implement some controls to prevent clickjacking attacks such as this one.

-- Bojan
INFIGO IS

I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Riyadh April 2019

Bojan

376 Posts
ISC Handler
Is the bad javascript coming from facebook.com or FBCDN.com? Just wondering if "Noscript" will block this if we have only whitelisted Facebook.com or perhaps facebook.com and also FBCDN.com? If the javascript is from an "external" site will Noscript protect us? Or is the bad javascript coming from Facebook itself?
Anonymous
Roseman, the bad JavaScript comes from the "bad" site hosting the fake image, so NoScript should protect from this. I actually wanted to add that into the diary but somehow forgot :)
Bojan

376 Posts
ISC Handler
Just to make things clearer, NoScript will protect you against Clickjacking attacks no matter whether the two sites involved are or not whitelisted, because the ClearClick feature (which is the only effective client-side protection so far against Clickjacking) works independently from scripting permissions.

http://noscript.net/faq#clearclick
Bojan
4 Posts
The 'like' button could have been designed to use a simple GET hyperlink to a URI such as http://facebook.com/like?uri=http://example.com/, at which there could be a confirmation page including a POSTed HTML form with a nonce/token field to prevent XSRF.

But then that involves a whole extra mouseclick so doesn't qualify as being 2.0-sleek. Much rather require that sites use IFRAMEs despite them being deprecated for 10 years now I think. This way, third-party web pages have the pleasure of loading whatever bloat from Facebook. If browsers send an HTTP Referer header when loading the IFRAME, Facebook get the extra bonus of being able to track people's browsing activities to any site that shows one of these buttons, whether they're logged in, a registered member, or not.
Steven C.

171 Posts
“Get to know the hackers—or plan on getting hacked. Someone has created a savvy, essentials-based approach to web app security packed with immediately applicable tools for any information security practitioner sharpening his or her tools or just starting out.”

Sajmir Mikli
Computer Engineer
http://beder.edu.al
http://kindvideos.com
Steven C.
1 Posts

Sign Up for Free or Log In to start participating in the conversation!