Twitter and Facebook, and the rise of clickjacking.
It is quite evident that clickjacking is becoming more and more common against popular social networking sites. I believe this to be the case strictly because of the simplicity, flexibility, and effectiveness of this CSRF variant.
Clickjacking first got my attention through an article I came across at Guya.net, which shows how a user's webcam can be compromised by using clickjacking to manipulate the Flash webcam-access settings on Adobe's website.
Quite honestly, anybody with a basic knowledge of HTML, and a tiny bit of creativity, can embed an iframe into a malicious site and point its source at any other website with a clickable element. But the beauty of clickjacking is that it bypasses any form of authenticity or session token passed from the victim's browser session to the target server, without the attacker ever having to obtain that token. Your basic CSRF vulnerability on a server that allows something such as "http://bank.com/withdraw?total=1000&from=victim&to=attacker" can be patched by adding a session or authenticity token and passing it along with the other variables. But since clickjacking is just embedding the website directly into a malicious page and convincing the user to click something on it, the need to obtain that token individually, which is not a simple task due to the same origin policy, is bypassed entirely: the victim's own browser sends the token with the click.
Facebook has most recently been hit with two clickjacking worms that, interestingly enough, propagated at immense speed. Facebook's first attack, noted for its tagline "Click Da' Button, Baby!", was really the first time clickjacking had been used in the wild. When the victim clicks the button, he/she is actually clicking the 'Share' button on Facebook, which has been embedded in multiple iframes, given an opacity of 0, and overlaid on the big red button. Clicking the Share button in turn shares the malicious URL with all of your friends in an attempt to infect their sessions as well. In another recent clickjacking attack against Facebook, you can actually see part of the "Share" button on the page.
```javascript
// Frame-busting check: only act when the page has been loaded inside a frame.
if (window.top !== window.self) {
  document.write = "";                                            // neuter document.write so nothing further is rendered
  setTimeout(function () { document.body.innerHTML = ""; }, 1);  // blank the body after 1 ms
  window.top.location = window.self.location;                    // navigate the top window to this page, breaking out of the frame
}
```
I like how they set the innerHTML of the body to nothing after 1 millisecond, so even if you attempt to stop the page load, it would just show the background. Unfortunately, this is not the case with the mobile website. The simplicity of many other popular social networking mobile websites makes many of them a perfect target for clickjacking, because the security measures built into the robust standard site cannot be used in the mobile versions, owing to the platforms they are accessed on. And that is exactly what I, and others, are demonstrating. By simply embedding an iframe with a source of "http://m.twitter.com/home?status=Clickjacked", or with a source of "http://m.facebook.com/sharer.php?u=http://en.wikipedia.org/wiki/Clickjacking", the GET variables 'status' and 'u' are automatically inserted into their corresponding text boxes. With a little CSS, I aligned both iframes so that the update-status button and the share button sit on top of the input buttons on the main page with an opacity of 0. I put together a simple proof of concept of such an attack to demonstrate this more clearly. This demo was made for Firefox; the styles can be adapted to other browsers that allow clickable iframes with an opacity of 0.
Implementing worm-like propagation on social websites such as Facebook or Twitter, or taking advantage of One-Click purchase buttons on Amazon, makes clickjacking a serious threat. Thankfully, browsers such as Safari and Internet Explorer 8 have implemented clickjacking protection, but it's always best to protect yourself. For Firefox users, I suggest the 'NoScript' plug-in.
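The script above blanks the page only after it has started rendering, which is why the 1 millisecond timer matters. The fail-closed ordering, which hides the body by default and reveals it only once the page confirms it is not framed, closes that window. The following is an added example written for this post, not the post's own or Facebook's code; it assumes an inline `<style id="antiClickjack">body{display:none !important;}</style>` element in the page head, and the `win`/`doc` parameters and the fake window and document builders are assumed stand-ins so the logic can be exercised outside a browser (pass `window` and `document` in a real page).

```javascript
// Added example: fail-closed frame guard. The body starts hidden via an inline
// <style id="antiClickjack"> (assumed) and is revealed only when not framed.
// `win` and `doc` are assumed window/document-like objects; in a real page
// call frameGuard(window, document) from a script placed right after the style.
function frameGuard(win, doc) {
  var guardStyle = doc.getElementById("antiClickjack");
  if (win.top === win.self) {
    // Not framed: reveal the page by removing the hiding style.
    if (guardStyle && guardStyle.parentNode) {
      guardStyle.parentNode.removeChild(guardStyle);
    }
    return "revealed";
  }
  // Framed: leave the body hidden and navigate the top window to this page.
  // Assigning top.location is a navigation, so it is permitted cross-origin.
  try {
    win.top.location = win.self.location;
    return "busted";
  } catch (e) {
    // A sandboxed frame can refuse the navigation; content stays hidden anyway.
    return "hidden";
  }
}

// Constructed stand-ins so the guard can be exercised outside a browser.
function makeFakeWindow(framed) {
  var selfWin = { location: "https://example.test/home" };          // placeholder URL
  var topWin = framed ? { location: "https://attacker.test/page" } : selfWin;
  return { top: topWin, self: selfWin };
}

function makeFakeDocument() {
  var removed = false;
  var style = { parentNode: { removeChild: function () { removed = true; } } };
  return {
    getElementById: function (id) { return id === "antiClickjack" ? style : null; },
    styleRemoved: function () { return removed; }
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(frameGuard(makeFakeWindow(true), makeFakeDocument()));   // busted
  console.log(frameGuard(makeFakeWindow(false), makeFakeDocument()));  // revealed
}
```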