Some Facebook users today saw a comment looking like this (new pix!):
Clicking the comment, which links to
http://www.facebook.com/l.php?u=http%253A%252F%252Ffb.59.to%252F%253F4ff11a526ae73e9f170bbe6702ebb93c&h=..somehash...&ref=nf
redirects the user (via Facebook's outbound link redirector, l.php) to the http://fb.59.to web page.
On this page they are given a fake "Turing test" that tricks them into clicking a "blue button". That button is really a clickjacked Facebook page: a cropped frame of the Facebook share dialog, positioned so that only its "Share" button shows through. The whole web page looks like this (the clickjacked area is marked green):
In the page source we can see that there is an IFRAME element:
<iframe frameborder=0 scrolling=no height=25 width=100 src="2.php?u=http://fb.59.to/?...somehash...." ></iframe><span style=background-color:yellow;><font style=font-size:13 ; color=white>
The target URL (2.php) contains another IFRAME, which in turn contains yet another one. The innermost frame loads the target page and is wrapped in a DIV that shifts it by a negative offset, so that only the Share button falls inside the small visible area:
<div style="left:-90px;top:-386px;position:absolute;" <iframe height=400 width=250 src="http://www.facebook.com/sharer.php?u=http://fb.59.to/?hash" frameborder=0 scrolling=no> </iframe> </div>
Clicking the button shares the malicious link from the victim's own Facebook account.
The page also has a meta-refresh redirect to a YouTube video that fires after 12 seconds, so users may get the impression that the video started because they passed the "Turing test".
Update: The attack does not work in IE and Opera, but only because of invalid HTML on one of the pages of the malicious site (the DIV tag in the last snippet above is never closed). A trivial fix to that HTML makes both of those browsers vulnerable to the attack as well.
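The attack works only because the framed page can be embedded by an arbitrary origin. The following is an added example, not part of the original post, of the check a practitioner would run against a response today: it evaluates X-Frame-Options and the Content-Security-Policy frame-ancestors directive the way current browsers do (frame-ancestors, when present, overrides X-Frame-Options; an empty frame-ancestors list means 'none'; the obsolete ALLOW-FROM is not enforced). The response headers below are constructed for the fb.59.to / facebook.com scenario, not captured from Facebook, and the source-expression matcher is simplified to scheme, host, wildcard-subdomain and port matching:

```javascript
'use strict';

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Split a Content-Security-Policy header into a directive -> source-list map.
// Per the CSP spec, a repeated directive is ignored, so the first one wins.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Match one frame-ancestors source expression against the origin of the page
// doing the framing. Simplified: 'none', 'self', '*', scheme-only sources,
// and host sources with optional scheme, "*." prefix and port.
function sourceMatches(expr, framerOrigin, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "'self'") return framerOrigin === pageOrigin;
  if (e === '*') return true;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.\-]*:$/.test(e)) return framer.protocol === e;
  const m = e.match(/^(?:([a-z][a-z0-9+.\-]*):\/\/)?([^:/]+)(?::(\d+))?$/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && framer.protocol !== scheme + ':') return false;
  const framerPort = framer.port || DEFAULT_PORT[framer.protocol] || '';
  if (port && framerPort !== port) return false;
  if (host.startsWith('*.')) return framer.hostname.endsWith(host.slice(1));
  return framer.hostname === host;
}

// Decide whether a response carrying `headers` may be rendered inside a frame
// owned by framerOrigin. Returns { allowed, reason }.
function framingAllowed(headers, framerOrigin, pageOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  if (h['content-security-policy'] !== undefined) {
    const ancestors = parseCsp(h['content-security-policy']).get('frame-ancestors');
    if (ancestors) {
      // frame-ancestors present: X-Frame-Options is ignored. An empty list
      // matches nothing, i.e. behaves like 'none'.
      const allowed = ancestors.some((s) => sourceMatches(s, framerOrigin, pageOrigin));
      return { allowed, reason: `frame-ancestors ${ancestors.join(' ') || '(empty)'}` };
    }
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: framerOrigin === pageOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Obsolete; current browsers do not honour it and behave as if it were absent.
    return { allowed: true, reason: 'X-Frame-Options: ALLOW-FROM is not enforced' };
  }
  return { allowed: true, reason: 'no framing restriction' };
}

// Constructed responses for the scenario in the post: fb.59.to framing
// www.facebook.com/sharer.php. "unprotected" is what the post describes.
const ATTACKER = 'http://fb.59.to';
const TARGET = 'http://www.facebook.com';
const RESPONSES = {
  unprotected: {},
  xfo: { 'X-Frame-Options': 'SAMEORIGIN' },
  csp: { 'Content-Security-Policy': "frame-ancestors 'self' https://*.facebook.com" },
  conflicting: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
};

for (const [name, headers] of Object.entries(RESPONSES)) {
  const r = framingAllowed(headers, ATTACKER, TARGET);
  console.log(`${name.padEnd(12)} -> ${r.allowed ? 'FRAMEABLE' : 'blocked'} (${r.reason})`);
}
```

The "conflicting" case is the one that catches people out: a permissive frame-ancestors silently disables a strict X-Frame-Options, so both headers need to agree.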
Thanks go to Grzegorz Ciborowski and Pawel Czernikowski for detecting the attack.
thanks for the write up
Thanks for great info
haha wait, it doesn't work in IE because IE typically does not comply with most regulations? that's a new one lmao
@anonymous
Actually, this time IE behaves correctly. Firefox and Chrome are too forgiving of the invalid HTML syntax used in the document.
If you look closely at the last code snippet in the article, the DIV is not closed (first line), so the IFRAME element shouldn't be interpreted at all. FF/Chrome fix it silently and the iframe gets displayed.
Well, that's nice of us being able to be hacked.
But seriously, that is a POOR attempt at confusing people. That would hardly confuse anyone, you can see the other boxes have random letters, and that just HAPPENS to have a proper 5 letter word called "Share", with the exact same background colour as the Facebook share button...
Meh, oh well. But they could've at least BOTHERED to do SOMETHING to make it look better.
Not saying they should've though, otherwise facebook would be even more spread with this. xD
But that IS a poor attempt to be honest...
@nineza
Yeah, it looks silly but nevertheless this particular naive clickjacking attack succeeded back then. Many people clicked the button - of course FB did not publish any statistics, but it was popular among my friends and it was big enough to trigger blogosphere attention.
Just try to imagine what would happen if this was more elaborate.
I like the script, thank you for sharing