Researcher demos clickjacking attack on Facebook

Summary: A demo exploit shows how easy it is to trick Facebook users into adding apps or other malicious content by hijacking clicks to what appears to be harmless links.


An Israeli security researcher has found a way to perpetrate so-called clickjacking attacks on Facebook, proving that it's trivial to manipulate the social network's security and privacy mechanisms.

A demo exploit released by Shlomi Narkolayev shows how easy it is to trick Facebook users into adding apps or other malicious content by hijacking clicks to what appears to be harmless links.

In the example (see video below), Narkolayev demonstrates the clickjacking attack on a Facebook user who is logged into the site.

Here's the explanation:

I could write a malicious application that steals users' personal info, or even a simple application that builds me a botnet of users for malicious purposes like hacking systems for SQL injections and DDoS attacks.

Using ClickJacking I also could fool users into clicking whatever I want: adding me as their friend, deleting their account, and even opening their camera and microphone using Flash (versions older than 10.x), or installing Facebook applications that post their webcam and microphone every time they connect to Facebook. Just use your imagination on what you want others to click on.

Narkolayev also released a demo exploit that overlays a blank page over Google's search page, making the clicked link invisible to the target.

  • Any defense?

    Other than don't use facebook? All OS versions affected?
    • Nothing to do with OS.

      NoScript should stop this and similar clickjacking
      • "NoScript"?

        How and where do we set "NoScript"?

          • Noscript

            Thanks. Is there something for Internet Explorer?
          • No..

            could try asking the admins of all the
            websites you use to send the X-FRAME-OPTIONS: DENY
            header, though. If they all comply, this will
            prevent clickjacking in IE8. There's nothing you
            can do from your end though.
  • RE: Researcher demos clickjacking attack on Facebook

    This is another reason I absolutely abhor applications
    released on Facebook, simply because the interface makes
    user navigation practically impossible.

    Andrea Akutagawa
    • This has nothing to do with how easy/hard it is to navigate the interface.

      The attack is entirely launched by clicking
      somewhere on an unrelated website. Replies to
      other stories are equally off topic and all
      contain links to your website, so flagged.
  • RE: Researcher demos clickjacking attack on Facebook

    I think people who tell the world they've found a vulnerability, and then show the world how to do it, should be shot. No trial, no nothing. Just shot.

    I often wonder how many viruses and other malware just would not exist if some idiot hadn't broadcast the possibility and/or methodology.

    A far far better idea would be to quietly tell the company responsible for the application so it could be fixed BEFORE every malicious low-life between here and Nigeria/Russia/China can exploit it.
    • I Agree IF the Company Will Listen and Respond

      Facebook is known to be slack in reacting to known security problems. See

      These techniques are nothing new and are well known among developers since they must write code to protect against these types of attacks.

      Lastly, anybody can just say they have found a security problem with some website or application but they most likely will get little response. But people sit up and take notice when someone demonstrates how easy it is to exploit vulnerabilities. This article is an example of this.
      • Sad but true.

        It would be nice if just letting companies know
        about huge vulnerabilities in their products was
        enough to get them off their asses, but this just
        isn't the case.
  • RE: Researcher demos clickjacking attack on Facebook

    This flaw was reported to Facebook in November. The security researcher who discovered it (Nitesh Dhanjani) waited until now to talk about it. Dhanjani only started speaking publicly about it because Facebook has not taken any steps to fix the problem. Dhanjani also said he is waiting two weeks before he releases any details or code. (This information comes from Darkreading, by the way.)

    Dhanjani's approach is standard in the security industry. Pass the information privately to a company, wait a while to give them a chance to fix it, speak about it publicly if they do not fix it, then release details if they still won't get off their butts and fix the problem.

    In the case of this video demonstration, all the author did was show how what Dhanjani discovered would be done. Yes, he showed it before Dhanjani's two-week limit was up, but it's not exactly rocket science. Anyone with a knowledge of click-jacking could figure out how to implement it as soon as Dhanjani described it.

    I too wish security researchers never had to talk about problems publicly, but they'll continue to have to do it until companies fix problems. If a "good guy" (researcher) has discovered it, then you can bet that 10 bad guys have. The zero day attacks on Google show that.
  • Comitari will protect you. IE and FF supported.

    Hello all,

    I recommend you use Comitari-Free, this will protect you against ClickJacking, LikeJacking and other UI Redressing attacks.

    Supporting Internet Explorer and Firefox. Chrome support will be out in a few weeks.

    From time to time we publish the attacks we have detected:

    Surf Safely...
    Shlomi Narkolayev
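The X-FRAME-OPTIONS: DENY header raised in the comments is the server-side defence against the overlay trick the article describes: a page that refuses to be framed cannot be laid transparently over an attacker's page. The following is an added example, not code from the article, from Narkolayev, or from any commenter. It is a small Node.js audit that reads a response's headers and reports whether the page can be framed, and by whom. Besides X-Frame-Options it checks the Content-Security-Policy frame-ancestors directive, the later standard that browsers give precedence over X-Frame-Options when both are present; the header sets at the bottom are constructed samples, not captured from any real site.

```javascript
// Added example (not from the article or its commenters): audit the response
// headers that decide whether a page can be framed, which is the precondition
// for a clickjacking overlay. Header names are expected lowercased, as Node's
// http module delivers them.

function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list from a CSP string (quotes stripped,
  // lowercased), or null when the directive is absent.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function auditFrameProtection(headers) {
  // framable: false (never), 'same-origin', 'restricted' (named origins only),
  // or true (any site may frame the page).
  const rawXfo = headers['x-frame-options'] || '';
  const xfo = rawXfo.trim().toUpperCase();
  const ancestors = parseFrameAncestors(headers['content-security-policy']);

  // CSP frame-ancestors wins over X-Frame-Options in browsers that support it.
  if (ancestors !== null) {
    // An empty source list matches nothing, so it blocks like 'none'.
    if (ancestors.length === 0 || ancestors.includes('none')) {
      return { framable: false, by: 'csp', reason: "frame-ancestors 'none'" };
    }
    if (ancestors.length === 1 && ancestors[0] === 'self') {
      return { framable: 'same-origin', by: 'csp', reason: "frame-ancestors 'self'" };
    }
    return { framable: 'restricted', by: 'csp', reason: `frame-ancestors ${ancestors.join(' ')}` };
  }
  if (xfo === 'DENY') {
    return { framable: false, by: 'xfo', reason: 'X-Frame-Options: DENY' };
  }
  if (xfo === 'SAMEORIGIN') {
    return { framable: 'same-origin', by: 'xfo', reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM is obsolete; current browsers ignore it, so treat the page as open.
    return { framable: true, by: 'xfo', reason: `obsolete value ${rawXfo.trim()}` };
  }
  if (xfo) {
    // Browsers ignore unrecognised values, which leaves the page framable.
    return { framable: true, by: 'xfo', reason: `unrecognised value ${rawXfo.trim()}` };
  }
  return { framable: true, by: 'none', reason: 'no framing restriction header' };
}

function clickjackingHeaders() {
  // Headers a server should send on pages that must never appear in a frame;
  // both are sent so that old and new browsers are covered.
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Constructed sample responses (not captured from any real site).
const samples = {
  unprotected: { 'content-type': 'text/html' },
  denied: clickjackingHeaders() && { 'x-frame-options': 'DENY' },
  cspOnly: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  partner: { 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
};
for (const [name, h] of Object.entries(samples)) {
  console.log(name, auditFrameProtection(h));
}
```

Run it with `node` to see one verdict per sample; in practice the audit is pointed at the headers of a real response (for example the `headers` object of an `http.get` callback) to confirm that a login or settings page is not framable before it is exposed.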