Friday, January 15, 2010

ClickJacking Facebook

Shlomo Narkolayev discovered that Facebook and many other supposedly "protected" websites are vulnerable to ClickJacking attacks.
Shlomo has informed some of these high-traffic websites, Facebook among them, of his findings.

Here is Facebook's response:
Our team looked at this. It's standard clickjacking and not unique to Facebook. We're building some additional protections for these types of attacks and reminding people to be cautious of any message, post, or link they find on Facebook or elsewhere on the Internet that looks suspicious.

"This demo video presents how I can fool Facebook users into adding applications to their account."

"I could write a malicious application that steals users' personal info, or even a simple application that builds me a botnet of users for malicious purposes like hacking systems for SQL Injections and DDoS attacks.

Using ClickJacking I could also fool users into clicking whatever I want: adding me as their friend, deleting their account, and even opening their camera and microphone using Flash (versions older than 10.x), or installing Facebook applications that post their web camera and microphone every time they connect to Facebook - Just use your imagination on what you want others to click on... Transfer your poker chips to me???"

Here's the online demo (Click here).
Using this demo you can check whether your own website is vulnerable to ClickJacking attacks: the demo loads your page in a hidden iframe, and if you are able to click on links, buttons and other active objects inside that hidden iframe, your website is vulnerable.
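The demo's manual test (can the page be framed and clicked through?) has a server-side counterpart that a site owner can run against their own responses. The following is an added example, not code from the original post or from the demo: it classifies a page's framing policy from its HTTP response headers, using the X-Frame-Options header (available in browsers at the time of the post) and the later Content-Security-Policy frame-ancestors directive, which browsers that support it apply in preference to X-Frame-Options. The header sets below are constructed samples, not captured from Facebook.

```javascript
// Added example (not from the original post): decide whether a page's HTTP
// response headers let an arbitrary third-party origin frame it, which is the
// precondition for the hidden-iframe clickjacking demo described above.
// All header sets below are constructed samples.

// Parse a Content-Security-Policy value and return the frame-ancestors
// source list (quotes stripped, lower-cased), or null if the directive is absent.
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Classify the framing policy of a response. `headers` is a plain object with
// lower-cased header names. Returns one of:
//   'unrestricted' - any origin may frame the page (clickjackable)
//   'same-origin'  - only the page's own origin may frame it
//   'allow-list'   - only explicitly listed origins may frame it
//   'denied'       - no origin may frame it
// Per the CSP specification, a frame-ancestors directive takes precedence
// over X-Frame-Options in browsers that support both.
function framingPolicy(headers) {
  const ancestors = frameAncestors(headers['content-security-policy']);
  if (ancestors !== null) {
    if (ancestors.length === 0 || ancestors.includes('none')) return 'denied';
    if (ancestors.includes('*')) return 'unrestricted';
    if (ancestors.length === 1 && ancestors[0] === 'self') return 'same-origin';
    return 'allow-list';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return 'denied';
  if (xfo === 'sameorigin') return 'same-origin';
  if (xfo.startsWith('allow-from')) return 'allow-list';
  // Missing or unrecognized value: browsers ignore the header and allow framing.
  return 'unrestricted';
}

// True when the response carries no effective anti-framing policy at all.
function isClickjackable(headers) {
  return framingPolicy(headers) === 'unrestricted';
}

// Constructed sample responses: the unprotected default next to hardened variants.
const samples = {
  noProtection: { 'content-type': 'text/html' },
  xfoDeny: { 'x-frame-options': 'DENY' },
  xfoSameOrigin: { 'x-frame-options': 'SAMEORIGIN' },
  cspNone: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  cspOverridesXfo: {
    'x-frame-options': 'DENY',
    'content-security-policy': 'frame-ancestors https://partner.example',
  },
  cspWildcard: { 'content-security-policy': 'frame-ancestors *' },
};

for (const [name, headers] of Object.entries(samples)) {
  const flag = isClickjackable(headers) ? ' (clickjackable)' : '';
  console.log(`${name}: ${framingPolicy(headers)}${flag}`);
}
```

The `cspOverridesXfo` sample shows why both headers should agree: a `frame-ancestors` directive that names a partner origin reopens framing for that origin even though `X-Frame-Options: DENY` is also present. A page that needs to block the attack shown in the demo wants `X-Frame-Options: DENY` (or `SAMEORIGIN`) together with a matching `frame-ancestors 'none'` (or `'self'`).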


  1. ... using Firefox with the NoScript extension installed is eventually a good choice then ...

    :-) I tried the demo and Firefox warned me that I was about to fulfill a clickjack attack


  2. @ Marcel
    Indeed, to protect yourself against ClickJacking, it's better to use Firefox's add-on "NoScript". It should protect against most cases.

  3. Or disable iframes in your browser...

  4. I have tested this attack with OWA (Outlook Web Access) 2007, and found out that OWA is also vulnerable to ClickJacking.

  5. Thanks for sharing your information.
    What should we do in case of having a button at the bottom of a page which is more than 1 page?

  6. @ irsdl
    What do you mean by saying: "...which is more than 1 page?"

  7. Shlomi get code pls :P
    try sour Hotmail contact me

  8. Dear readers, I recommend you install Comitari Web Protection Suite (the free version provides bullet-proof protection against ClickJacking / UI Redressing).

  9. Can you share the code please?
    Here is my email:

    1. Hi Migual, after the vulnerability report, Facebook fixed the vulnerability, so I am not sure the code is relevant. Anyway, you can get the code from the online demo link.
      But Like-Jacking is still possible "by design".