科技回声 (Tech Echo): a tech news platform built on Next.js, carrying global tech news and discussion.

Facebook Vulnerability: Like Clickjacking

48 points, by erickerr, almost 15 years ago

6 comments

mkjones, almost 15 years ago
This is Matt Jones, an engineer on the site integrity team at Facebook. We're the ones who address issues like this one on Facebook.

Ultimately clickjacking / UI redress is a browser vulnerability - it shouldn't be possible to display one thing and have another receive user interactions. As some people have pointed out, Firefox's NoScript plugin does a pretty good job of preventing it. But that isn't to say victim web sites shouldn't do anything about it.

In the case of Like buttons, they inherently run in an iframe so our protection on the rest of facebook.com (http://theharmonyguy.com/2010/03/13/facebook-adds-code-for-clickjacking-prevention/) can't apply. However, Facebook knows the URLs these buttons point to and generally knows or can infer the URLs where they are embedded. When we detect a likejacking site on one of these URLs, we block its URL or domain from being liked and prevent future clicks on facebook.com from going to it.
Comment #1513738 not loaded
Comment #1513737 not loaded
Comment #1515545 not loaded
vinhboy, almost 15 years ago
http://vinhboy.com/blog/2010/05/31/facebook-man-with-the-biggest-trick/ I also wrote about this like 2 months ago, and they still haven't done anything about it...

=(. Facebook CTO guy, are you around today?
Comment #1513804 not loaded
Comment #1512974 not loaded
Comment #1512976 not loaded
bsnss-mn-cdr, almost 15 years ago
Items like this will always be a never-ending battle. Each time one side has to update their technology to stop something from the other, they normally must gain more authority from the other. In the case of Facebook, that will be asking for more rights into each website that wants to use the 'Like' button, and with the recent privacy issues this will just kick the hornets' nest all over again.
Comment #1513984 not loaded
mdwrigh2, almost 15 years ago
Unfortunately, the Twitter clickjacking attack still isn't fixed. See http://seclab.stanford.edu/websec/framebusting/index.php for an overview of how that type of defense still can be defeated.
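A practical follow-on to the frame-busting point in the comment above, added here as an example and not code from the thread, from Facebook, or from the Stanford study: a small Node.js checker that classifies a response's framing defence from its HTTP headers (CSP `frame-ancestors` and `X-Frame-Options`, both enforced by the browser) and separately flags pages whose only defence is the classic JavaScript frame-busting idiom, which is the kind of script the Stanford work showed can be bypassed by the framing page. The header names are real; the sample responses, origins and the `hasScriptFrameBusting` heuristic are constructed for illustration. Note that `X-Frame-Options` existed when this thread was written (IE8 onwards), while CSP `frame-ancestors` postdates it.

```javascript
'use strict';
// Added example, not code from the thread or from Facebook: classify the
// framing defence of an HTTP response. JavaScript frame-busting can be
// defeated by the framing page; a response header is enforced by the browser.

// Lower-case header names so lookups are case-insensitive, as HTTP header
// names are on the wire.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Return the source list of a CSP frame-ancestors directive, or null when the
// directive is absent. Quotes around keywords ('self', 'none') are stripped.
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Heuristic (constructed for this example): does the body contain the classic
// frame-busting idiom, i.e. compare top/self and then rewrite top.location?
function hasScriptFrameBusting(body) {
  if (!body) return false;
  return /top\s*!==?\s*(self|window)|(self|window)\s*!==?\s*top|top\.location\s*=/.test(body);
}

// Classify one response. Returns { protected, mechanism, notes }.
//   protected - true only when a browser-enforced header restricts framing
//   mechanism - 'csp-frame-ancestors' | 'x-frame-options' | 'script-only' | 'none'
function assessFramingDefense(response) {
  const h = normalizeHeaders(response.headers);
  const notes = [];

  // 1. CSP frame-ancestors overrides X-Frame-Options in browsers that support it.
  const ancestors = frameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    if (ancestors.includes('*') || ancestors.some((s) => /^https?:$/.test(s))) {
      notes.push('frame-ancestors allows any origin (wildcard or scheme-only source)');
      return { protected: false, mechanism: 'csp-frame-ancestors', notes };
    }
    if (ancestors.length === 0 || ancestors.includes('none')) {
      notes.push('framing blocked for all origins');
    } else {
      notes.push('framing limited to: ' + ancestors.join(' '));
    }
    return { protected: true, mechanism: 'csp-frame-ancestors', notes };
  }

  // 2. X-Frame-Options: only DENY and SAMEORIGIN are reliable. ALLOW-FROM was
  //    never implemented by Chrome or Safari, and browsers ignore values they
  //    do not recognise, which means the page frames normally.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    notes.push('X-Frame-Options ' + xfo);
    return { protected: true, mechanism: 'x-frame-options', notes };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    notes.push('ALLOW-FROM is not honoured by all browsers; treat as unprotected');
    return { protected: false, mechanism: 'x-frame-options', notes };
  }
  if (xfo) notes.push('unrecognised X-Frame-Options value is ignored by browsers: ' + xfo);

  // 3. No effective header. Script-only frame-busting is reported so a reviewer
  //    sees it, but it does not make the page protected.
  if (hasScriptFrameBusting(response.body)) {
    notes.push('only JavaScript frame-busting found; defeatable by the framing page');
    return { protected: false, mechanism: 'script-only', notes };
  }
  notes.push('no framing defence found');
  return { protected: false, mechanism: 'none', notes };
}

// Constructed sample responses; none were captured from a real site.
const SAMPLE_RESPONSES = {
  bare: { headers: { 'Content-Type': 'text/html' }, body: '<html><body>Like this!</body></html>' },
  scriptOnly: {
    headers: { 'Content-Type': 'text/html' },
    body: '<script>if (top != self) top.location = self.location;</script>',
  },
  xfoDeny: { headers: { 'X-Frame-Options': 'DENY' }, body: '' },
  xfoAllowFrom: { headers: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' }, body: '' },
  cspNone: { headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" }, body: '' },
  cspSelf: { headers: { 'content-security-policy': "frame-ancestors 'self' https://embed.example" }, body: '' },
  cspWildcard: { headers: { 'Content-Security-Policy': 'frame-ancestors *' }, body: '' },
};

// Assess every sample and return { name: result }.
function assessAll(responses = SAMPLE_RESPONSES) {
  const out = {};
  for (const [name, response] of Object.entries(responses)) out[name] = assessFramingDefense(response);
  return out;
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  for (const [name, result] of Object.entries(assessAll())) {
    console.log(`${name.padEnd(12)} protected=${result.protected} via ${result.mechanism}: ${result.notes.join('; ')}`);
  }
}
```

Run it with `node framing-check.js` (any filename works). The ordering matters: a CSP `frame-ancestors` directive is evaluated before `X-Frame-Options` because browsers that understand the directive ignore the older header when both are present, and a body-only frame-busting script is never allowed to upgrade the verdict to "protected", which is exactly the gap the comment above points at.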
qeorge, almost 15 years ago
It's especially bad because of the way profile pages are organized. When you're viewing your own profile, wall posts and status updates float to the top, while Likes, new friends, and other such ambient updates are further down. However, other people see the Like front and center on their News Feed.

I noticed this after several friends were liking "10 WORST construction mistakes", or similar. I asked several about it, and none of them had any idea it had happened.
kwamenum86, almost 15 years ago
Anything in an iframe or under an iframe is susceptible to clickjacking. Firefox + NoScript does a pretty good job of preventing this.