In this blog post I will show you how to use a technique called ‘clickjacking’ to gain thousands of real Facebook likes, Twitter followers, Google +1’s, you name it. You could potentially use this hack to get every single visitor of your website to like your Facebook page without them even knowing.
But more importantly, I will also show you how you can prevent this from happening to your website. Be ready for some technical terms. In order to be able to follow this tutorial, you should at the very least have some basic knowledge of HTML.
And please, before you read any further, be sure to read and understand the warning below!
What the heck is clickjacking anyways?
Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
For example, imagine a hacker who builds a website with a button on it that says “click here to go to Google”. However, on top of that web page, the attacker has loaded an iframe containing a Twitter Follow button, and has lined up the “Follow” button exactly on top of the “click here to go to Google” button. The victim tries to click on the link to Google, but instead actually clicks on the invisible Twitter Follow button. The victim now follows the attacker on Twitter without even knowing it. In essence, the attacker has “hijacked” the user’s click, hence the name “clickjacking”.
Back in 2009, clickjacking made the news in the form of a Twitter worm. This clickjacking attack convinced users to click on a button which caused them to re-tweet a link to the malicious page, causing it to go viral.
Clickjacking was initially discovered by Robert Hansen and Jeremiah Grossman.
Digging in
In this demonstration, we are going to steal Facebook likes without the user knowing it.
In order to do this, we will be using a brand new tool called Quickjack (a brilliant but nasty tool by Samy Kamkar) to automatically generate the code that allows the victim to click anywhere on the page in order to get clickjacked. But before we can do any of that, we will have to create a like button.
Step 1: Creating a Facebook Like button
You can head over to this Facebook page which allows you to easily generate a like button. Make sure to disable the “Show Friends’ Faces” option, and don’t include the share button. Then click on the ‘Get code’ button.
Step 2: Set up a page for the Like button
Now that we have the code for the like button, we will need a page to display it on. Copy and paste the code you just generated on Facebook into a blank HTML file, and make sure you upload it to your web server.
Step 3: Generate the clickjacking script
This is where the fun begins. Head over to the Quickjack tool I told you about earlier, and enter the link to your like button page in the input field. Then click on the ‘Go’ button next to the input:
Quickjack will load your like button into its page, but because the like button is so small, it will appear behind the input and buttons from Quickjack itself. Use the drag tool (black arrow icon on the top left) to drag Quickjack’s controls below your like button.
Next, we have to instruct Quickjack where we want to force the user to click. We want our victims to click on the like button, so go ahead and click on it. A red crosshair will appear to indicate where you’ve set your click target. You can now click on the “I’m done!” button to generate the code for the clickjack script.
Step 4: Let the clickjacking begin!
You can now simply copy the code that Quickjack has generated for you, and paste it to any (high-traffic) website you own. When a visitor clicks anywhere on that website, he or she will actually be pressing the like button you’ve just created.
Defending against Clickjacking
There are two main ways to prevent clickjacking:
- Sending the proper X-Frame-Options HTTP response header, which instructs the browser not to allow the page to be framed by other domains
- Employing defensive code in the UI to ensure that the current frame is the top-level window (so-called “frame busting”)
I don’t want to make this article too technical, so for more information on Clickjacking defense, please head over to the Clickjacking Defense Cheat Sheet.
