Facebook Bug Bounty: Clickjacking
10:14 AM
Note: this is actually a guest post from a friend, Sahad Nk, with his recently patched Facebook Clickjacking bug. The exploit was really interesting, so I really hope you enjoy it.
According to OWASP:
We frame a certain website A within an iframe and, using stylesheets, make it invisible or hidden (it still exists in the background) and construct another site in front of it. So while you think you are clicking something on the attacker-controlled site, I can actually make you click a button in the framed website.
The Exploit:
The exploit is really simple and effective. Facebook defends against clickjacking in two ways, one being an alternative to the other. They use a technique called frame-busting (JavaScript that refuses to be framed). On interfaces without JS support, they send X-Frame-Options (XFO), not as an HTTP header but in a meta tag placed inside a <noscript> tag:
<noscript><meta http-equiv="X-Frame-Options" content="deny"> </noscript>
Meta tags that attempt to apply the X-Frame-Options directive DO NOT WORK in all browsers. For example, <meta http-equiv="X-Frame-Options" content="deny"> will not work. You must apply the X-FRAME-OPTIONS directive as an actual HTTP response header. The main point here is that browsers ignore an X-Frame-Options value given in a meta tag and do not defend against framing (tested in Firefox 35), but Facebook has an additional JS-based frame-busting layer.
On interfaces which require JS support, it is possible to bypass the JS frame-busting by putting a sandbox attribute on the iframe. A sandbox value that omits allow-scripts disables JavaScript inside the framed document, so the frame-busting code never runs, while allow-forms still lets the framed page's forms be submitted:
<iframe id="clickjacking" src="https://iphone.facebook.com/dialog/feed?app_id=[APP ID]&picture=http://example.com/example.JPG&name=Test&description=This%20is%20a%20test&redirect_uri=http://example.com/" width="500" height="500" scrolling="no" frameborder="none" sandbox="allow-forms"> </iframe>
Simple as that: it was possible to iframe Facebook and make you do any number of undesirable things. Here is a video demonstrating how seriously this exploit might have been abused:
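The defensive takeaway, as an added example that is not part of the original post: a small audit helper (constructed sample responses, hypothetical function names) that reports whether anti-framing protection is delivered as an HTTP header, the only one of the three controls discussed here that survives both the ignored meta tag and the sandboxed iframe.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples (not captured from Facebook). WEAK_BODY carries the two
# controls the post describes: XFO in a <noscript> meta tag and a JS frame-buster.
WEAK_BODY = """<html><head>
<noscript><meta http-equiv="X-Frame-Options" content="deny"></noscript>
<script>if (top !== self) { top.location = self.location; }</script>
</head><body><form method="post"><button>Share</button></form></body></html>"""

# Hardened form: the same policy delivered as real response headers.
HARDENED_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

META_XFO = re.compile(r'<meta[^>]+http-equiv\s*=\s*["\']?x-frame-options', re.I)
FRAME_BUSTER = re.compile(r'top\s*!==?\s*self|self\s*!==?\s*top|top\.location', re.I)


def header_protection(headers: Dict[str, str]) -> bool:
    """True only when framing is restricted by an HTTP header: X-Frame-Options
    DENY/SAMEORIGIN, or a CSP frame-ancestors directive that is not a wildcard."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return True
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors" and value and "*" not in value.split():
            return True
    return False


def audit(headers: Dict[str, str], body: str) -> Tuple[bool, List[str]]:
    """Return (effectively_protected, body_level_controls_found).
    Body-level controls are reported but never count as protection: the meta tag
    is ignored by browsers, and the script never runs inside a sandboxed iframe."""
    findings: List[str] = []
    if META_XFO.search(body):
        findings.append("meta-xfo")
    if FRAME_BUSTER.search(body):
        findings.append("js-frame-buster")
    return header_protection(headers), findings
```

Run audit() against a captured response's headers and body; anything other than (True, ...) means the page can still be framed by a sandboxed iframe.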
Reported - March 20
Clarification - March 21
Fix & Bounty - March 24
thanks,
Sahad Nk