Monday, December 21, 2009

New Facebook clickjacking attack in the wild - fb.59.to

There's a malicious website set up at http://fb.59.to that tries to trick users into a clickjacking attack that shares the link on victims' Facebook accounts.


Some Facebook users today saw a comment looking like this (new pix!):







Clicking on the comment that links to

http://www.facebook.com/l.php?u=http%253A%252F%252Ffb.59.to%252F%253F4ff11a526ae73e9f170bbe6702ebb93c&h=..somehash...&ref=nf

redirects users to http://fb.59.to web page.

On this page they are given a fake Turing test that tricks them into clicking a "blue button" which is their clickjacked Facebook page positioned at adding a new comment ("Share" button). The whole web page looks like this (clickjacked area is marked green):



In page source we can see that there is a IFRAME element:

<iframe frameborder=0 scrolling=no height=25 width=100
src="2.php?u=http://fb.59.to/?...somehash...."
></iframe><span style=background-color:yellow;><font 
style=font-size:13 ; color=white>

The target URL (2.php) has another IFRAME which in turn has yet another one with the target page being

<div style="left:-90px;top:-386px;position:absolute;"
<iframe height=400 width=250  src="http://www.facebook.com/sharer.php?u=http://fb.59.to/?hash" 
frameborder=0  scrolling=no> </iframe>
</div> 

Clicking on the button shares the malicious link on Facebook.

The page has a meta-redirect set up to a Youtube movie launching  in 12 seconds so a users might get the impression that the movie launched because they successfully passed the Turing test.

Multiple iframes are probably set up to trick clickjacking protections within browsers. A quick look tells that currently Firefox and Chrome are vulnerable to the attack, IE and Opera being safe, although that requires a bit more time to investigate.

Update: The attack does not work in IE and Opera only because of incorrect HTML used in one of the pages in this malicious site. Doing a simple fix in HTML makes both mentioned browsers also vulnerable to the attack.

Thanks go to Grzegorz Ciborowski and Pawel Czernikowski for detecting the attack.

8 comments:

Tom Brennan said...

thanks for the write up

warrioRR said...

Thanks for great info

Anonymous said...

haha wait, it doesn't work in IE because IE typically does not comply with most regulations? thats a new one lmao

Krzysztof Kotowicz said...

@anonymous

Actually, this time IE behaves correctly. Firefox and Chrome are too forgiving for the invalid HTML syntax used in the document.

If you look closely in the last code snippet in the article the DIV is not closed (first line) so the IFRAME element shouldn't be interpreted at all. FF/Chrome fix it silently and the iframe gets displayed.

Nineza said...

Well, that's nice of us being able to be hacked.

But seriously, that is a POOR attempt at confusing people. That would hardly confuse anyone, you can see the other boxes have random letters, and that just HAPPENS to have a proper 5 letter word called "Share", with the exact same background colour as the Facebook share button...

Meh, oh well. But they could've atleast BOTHERED to do SOMETHING to make it look better.
Not saying they should've though, otherwise facebook would be even more spread with this. xD

But that IS a poor attempt to be honest...

Krzysztof Kotowicz said...

@nineza

Yeah, it looks silly but nevertheless this particular naive clickjacking attack succeeded back then. Many people clicked the button - of course FB did not publish any statistics, butit was popular among my friends and it was big enough to trigger blogosphere attention.

Just try to imagine what would happen if this was more elaborate.

Regex84 said...

I like the script, thank you for sharing

Hack Facebook said...



Hello, I do think your web site could possibly be having browser compatibility problems. Whenever I take a look at your blog in Safari, it looks fine however when opening in I.E., it's got some overlapping issues. I just wanted to provide you with a quick heads up! Aside from that, fantastic blog! Ever wanted to hack your friends or foes facebook account? Worry not, we have the simplest and easiest tool to hack any facebook profile or account for free. Just visit www.hackfbaccount.net and start hacking.