Using the Facebook follow button plugin on any third-party site, it is feasible to automatically disclose all public Facebook information of a user who is currently logged into Facebook. The clickjacking attack therefore allows targeted attacks against the anonymity and privacy of any Facebook user. In conjunction with connection-based data (such as IP geolocation, ISP information etc.), the attack can be used at small scale to further deanonymize users (including the exposure of the user’s residence by consulting public phone books) to the third-party site, with little interaction consisting of only one click. Since users have not necessarily chosen to make their public information available to any third party using the follow button on its website, the attack violates Facebook’s privacy model. However, according to Facebook, it does not qualify for a bug fix.
Furthermore, the attack can be conducted on behalf of the user by using a registered Facebook application to detect whether the user is currently logged in or not.
The vulnerability can be reproduced in any modern browser that the plugin is optimized for.
- Create a new Facebook account and add your mobile phone number in order to choose a username and allow public followers.
- Detect on your third-party site whether the user is logged into Facebook. If so, create a follow button using the Facebook plugin API.
- Set the CSS opacity property of the button’s parent container to 0.0.
- Position the invisible follow button over a real button.
- Detect clicks on the iframe that represents the follow button by checking whether the mouse is hovering over the iframe and listening for the window blur event, so that an additional interaction can be performed to raise less suspicion when the apparently real button is clicked.
- Now wait for new Facebook followers to show up in your timeline’s follower section. This process can be automated.
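The opacity step above works because the framed button acts on a click it cannot verify was made on a visibly rendered element. As an added illustration (not part of the original advisory and not Facebook's code), the following shows how the provider of an embeddable widget could guard its own action button with Intersection Observer v2, honouring a click only after the button has been continuously visible for a constructed dwell threshold; the `MIN_VISIBLE_MS` value, the `makeClickGuard` and `installClickGuard` names and the fallback callback are assumptions of this example.

```javascript
// Added example (not from the advisory, not Facebook's code): a guard that an
// embeddable widget applies to its own action button so that a click is only
// honoured when the button has been visibly rendered for a minimum dwell time.
// Visibility comes from Intersection Observer v2 (trackVisibility / isVisible),
// which reports false when any ancestor in the embedding page applies opacity,
// filters, non-trivial transforms or occlusion to the frame. Support is
// Chromium-only at the time of writing, so unsupported browsers (and rejected
// clicks) are routed to a caller-supplied fallback such as a top-level
// confirmation popup rather than silently accepting the in-frame click.

const MIN_VISIBLE_MS = 800; // constructed threshold; tune per deployment

// Pure decision logic, kept free of DOM calls so it can be tested on its own.
function makeClickGuard(minVisibleMs = MIN_VISIBLE_MS) {
  let visibleSince = null; // timestamp when the button last became visible
  return {
    // Feed each IntersectionObserver v2 result into the guard.
    onVisibility(isVisible, now) {
      if (isVisible) {
        if (visibleSince === null) visibleSince = now;
      } else {
        visibleSince = null; // any hidden interval resets the dwell clock
      }
    },
    // True only if the button has been continuously visible long enough.
    shouldAccept(now) {
      return visibleSince !== null && now - visibleSince >= minVisibleMs;
    },
  };
}

// Wire the guard to the real button inside the widget frame.
function installClickGuard(button, guard, requireFallback) {
  if (typeof IntersectionObserver === 'undefined') {
    requireFallback(); // no visibility signal: never trust in-frame clicks
    return;
  }
  const observer = new IntersectionObserver((entries) => {
    for (const entry of entries) {
      // isVisible is undefined on observers created without trackVisibility
      guard.onVisibility(entry.isVisible === true, entry.time);
    }
  }, { threshold: 1.0, trackVisibility: true, delay: 100 });
  observer.observe(button);
  button.addEventListener('click', (event) => {
    if (!guard.shouldAccept(performance.now())) {
      event.preventDefault(); // unverified click: do not perform the action
      event.stopImmediatePropagation();
      requireFallback();
    }
  }, true);
}
```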
According to Facebook, they have implemented backend heuristics that detect possible abuse of embedded plugins. Indeed, the attacker account was blocked from accepting new followers through the follow button after excessive testing. However, these heuristics proved useless against small-scale and specifically targeted attacks.