Simon Willison’s Weblog

New Facebook clickjacking attack in the wild. I’m not sure why Facebook don’t use frame-busting JavaScript to avoid this kind of thing. The attack is pretty crafty—a Facebook page is positioned with everything obscured bar part of the blue “share this” button, and a fake “Human Test” asks the user to find and click the blue button to continue.

Posted 22nd December 2009 at 6:52 pm

Tagged clickjacking, facebook, phishing, security

7 comments

I agree that Facebook should do more to prevent this. They're lucky it's such an unconvincing attack; I bet it won't be very widespread.

Here's the attack uncovered for anyone who wants to take a peek (just don't click share):

http://j.mp/fbclickjacking

Chris Shiflett - 22nd December 2009 20:11 - #
The view count for this YouTube video is probably the best indicator of the attack's spread:

http://www.youtube.com/watch?v=abal5F862ss

Chris Shiflett - 22nd December 2009 21:28 - #
This is actually the second widespread clickjacking attack against Facebook; the first one was even more subtle.

I once put together a list of Facebook activities that could be executed via clickjacking: http://theharmonyguy.com/2009/10/14/the-dangers-of -clickjacking-with-facebook/

Given the range of possibilities, I'm also surprised Facebook doesn't offer any kind of clickjacking prevention.

theharmonyguy - 23rd December 2009 01:49 - #
Posts like this birghten up my day. Thanks for taking the time.

Lois - 8th October 2011 23:04 - #
Stay infromative, San Diego, yeah boy!

Judy - 10th October 2011 02:23 - #
I will recommend my friends to read this. Bottes UGGI am quite sure they will UGG Pas Cher learn lots of new stuff here than anybody else!
ugg pas cher - 28th October 2011 03:26 - #
Electric utility stocks and their dividend feature is great for retirement plans and a conservative way to play the recovery of the economy in a regular investment account. Buy canon ink cartridge
Groundless - 1st November 2011 06:43 - #

Comments are closed.