Simon Willison’s Weblog

Subscribe

Thursday, 3rd June 2010

“Likejacking” Takes Off on Facebook. The Facebook Like button is vulnerable to Clickjacking, and is being widely exploited. Since Likes show up in your Facebook stream, it’s an easy attack to make viral. The button is implemented on third party sites as an iframe, which would seem to me to be exploitable by design (just make the iframe transparent in the parent document and trick the user in to clicking in the right place). I can’t think of any way they could support the embedded Like button without being vulnerable to clickjacking, since clickjacking prevention relies on not allowing your UI elements to be embedded in a hostile site while the Like button’s functionality depends on exactly that.

# 10:01 am / clickjacking, facebook, iframes, likebutton, likejacking, phishing, security, recovered

2010 » June

MTWTFSS
 123456
78910111213
14151617181920
21222324252627
282930