Simon Willison's Weblog: clickjacking

"Likejacking" Takes Off on Facebook

2010-06-03T10:01:00+00:00

The Facebook Like button is vulnerable to Clickjacking, and is being widely exploited. Since Likes show up in your Facebook stream, it’s an easy attack to make viral. The button is implemented on third party sites as an iframe, which would seem to me to be exploitable by design (just make the iframe transparent in the parent document and trick the user in to clicking in the right place). I can’t think of any way they could support the embedded Like button without being vulnerable to clickjacking, since clickjacking prevention relies on not allowing your UI elements to be embedded in a hostile site while the Like button’s functionality depends on exactly that.

Tags: clickjacking, facebook, iframes, phishing, security, recovered, likebutton, likejacking

Busting frame busting: a study of clickjacking vulnerabilities at popular sites

2010-05-24T11:40:00+00:00

Busting frame busting: a study of clickjacking vulnerabilities at popular sites

Fascinating and highly readable security paper from the Stanford Web Security Research group. Clickjacking can be mitigated using framebusting techniques, but it turns out that almost all of those techniques can be broken in various ways. Fun examples include double-nesting iframes so that the framebusting script overwrites the top-level frame rather than the whole window, and a devious attack against the IE and Chrome XSS filters which tricks them in to deleting the framebusting JavaScript by reflecting portions of it in the framed page’s URL. The authors suggest a new framebusting snippet that should be more effective, but sadly it relies on blanking out the whole page in CSS and making it visible again in JavaScript, making it inaccessible to browsers with JavaScript disabled.

Via Jeremy Dunck

Tags: clickjacking, framebusting, iframes, javascript, security, xss, recovered

Facebook Adds Code for Clickjacking Prevention

2010-03-13T10:42:17+00:00

Facebook Adds Code for Clickjacking Prevention

Clever technique: Facebook pages check to see if they are being framed (using window.top) and, if they are, add a div covering the whole page which causes a top level reload should anything be clicked on. They also log framing attempts using an image bug.

Tags: clickjacking, facebook, framing, joey-tyson, phishing, security

The Dangers of Clickjacking with Facebook

2009-12-23T10:20:43+00:00

The Dangers of Clickjacking with Facebook

theharmonyguy compiled a list of actions that can be triggered on Facebook by a single click, and hence are vulnerable to clickjacking attacks. The list includes authorising malicious applications, posting links to profiles, sending friend requests and sending messages to other users. Why don’t Facebook include frame busting JavaScript on every page?

Tags: clickjacking, facebook, framebusting, phishing, security, theharmonyguy

New Facebook clickjacking attack in the wild

2009-12-22T18:52:00+00:00

New Facebook clickjacking attack in the wild

I’m not sure why Facebook don’t use frame-busting JavaScript to avoid this kind of thing. The attack is pretty crafty—a Facebook page is positioned with everything obscured bar part of the blue “share this” button, and a fake “Human Test” asks the user to find and click the blue button to continue.

Tags: clickjacking, facebook, phishing, security

Twitter Don't Click Exploit

2009-02-12T19:56:42+00:00

Twitter Don't Click Exploit

Someone ran a successful ClickJacking exploit against Twitter users, using a transparent iframe holding the Twitter homepage with a status message fed in by a query string parameter. Thiss will definitely help raise awareness of ClickJacking! Twitter has now added framebusting JavaScript to prevent the exploit.

Tags: chris-shiflett, clickjacking, framebusting, javascript, security, twitter

Ehy IE8, I Can Has Some Clickjacking Protection?

2009-01-29T13:39:34+00:00

Ehy IE8, I Can Has Some Clickjacking Protection?

IE8 has built-in protection against clickjacking, but it’s opt-in (with a custom HTTP header) and IE only. It turns out the usual defence against clickjacking (using framebusting JavaScript) doesn’t work in IE as it can be worked around with a security=“restricted” attribute on an iframe.

Via ha.ckers.org

Tags: clickjacking, http, ie8, iframes, internet-explorer, javascript, security

Web Security Horror Stories: The Director's Cut

2008-10-26T12:15:33+00:00

Web Security Horror Stories: The Director's Cut

Slides from the talk on web application security I gave this morning at <head>, the worldwide online conference. I just about managed to resist the temptation to present in my boxers. Topics include XSS, CSRF, Login CSRF and Clickjacking.

Tags: clickjacking, csrf, logincsrf, security, xss

Clickjacking and NoScript

2008-10-07T11:05:33+00:00

Clickjacking and NoScript

NoScript CAN protect against clickjacking, but only if you enable the “Plugins|Forbid IFRAME” option.

Via CiaranG

Tags: clickjacking, noscript, security

Dealing with UI redress vulnerabilities inherent to the current web

2008-10-07T09:59:58+00:00

Dealing with UI redress vulnerabilities inherent to the current web

The best explanation of clickjacking I’ve seen yet, complete with discussion of a number of non-ideal potential solutions. It looks like frame busting JavaScript will defeat it, but only for users who have JavaScript enabled—which means that in this case extensions like NoScript actually make you less safe. UPDATE: NoScript is smarter than I thought; see the comments.

Via A comment on Schneier on Security

Tags: clickjacking, javascript, noscript, security

This Week in HTML 5 - Episode 7: Clickjacking

2008-10-01T01:48:15+00:00

This Week in HTML 5 - Episode 7: Clickjacking

Clickjacking is when a third party site is embedded in an iframe with opacity 0 and positioned such that a click on the page actually hits a button on the now invisible third party site. Mark Pilgrim explains how the NoScript site uses this in a non malicious way to for the “install now!” button.

Tags: clickjacking, html5, iframes, mark-pilgrim, noscript, opacity, phishing, security