Facebook: Identity Disclosure through Followjacking

Using the Facebook follow button plugin on any third-party site, it is feasible to automatically disclose all public Facebook information of a user who is currently logged into Facebook. The clickjacking attack therefore allows targeted attacks against the anonymity and privacy of any Facebook user. In conjunction with connection-based data (such as IP geolocation, ISP information etc.), the attack can be used at small scale to further deanonymize users to the third-party site (including exposure of the user's residence by consulting public phone books), with interaction limited to a single click. Since users have not necessarily chosen to make their public information available to any third party that places the follow button on its website, the attack violates Facebook's privacy model. However, according to Facebook, it does not qualify for a bug fix.
Furthermore, a registered Facebook application can be used to detect whether the user is currently logged in, so that the attack is only conducted against users for whom it will succeed.

The vulnerability can be reproduced in any modern browser that the follow button plugin is optimized for.

  1. Create a new Facebook account and add your mobile phone number in order to choose a username and allow public followers.
  2. Create a Facebook web application in order to make use of the login detection capabilities of the Facebook JavaScript API as described on developers.facebook.com.
  3. Detect on your third-party site whether the user is logged into Facebook. If so, create a follow button using the Facebook plugin API.
  4. Set the CSS opacity property of the button’s parent container to 0.0.
  5. Position the invisible follow button over a real button.
  6. Detect clicks on the iframe that represents the follow button by checking whether the mouse is hovering over the iframe and listening for the window blur event, then perform an additional interaction so that the click on the apparently real button raises less suspicion.
  7. Now wait for new Facebook followers to show up at your timeline’s follower section. This process can be automated.

According to Facebook, they have implemented backend heuristics that detect possible abuse of embedded plugins. Indeed, the attacker account was blocked from accepting new followers through the follow button after excessive testing. However, these heuristics proved useless against small-scale and specifically targeted attacks.

Countermeasures

  • Blocking third-party cookies in general is one countermeasure that prevents this kind of attack. In this case, no cookies are transmitted when the follow button is loaded, so a click on the button triggers a popup window asking the current user to log in.
  • Using browser extensions like Ghostery or AdBlock Plus is another method, preventing the follow button from being rendered in the first place.
  • A change by Facebook to always open a confirmation popup when a user interacts with a “social” plugin would also eliminate the attack vector.
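As an added, defender-side example (not code from the original post): a heuristic that a browser extension could apply to a page to flag the layout steps 4 and 5 produce, a plugin iframe made invisible through an ancestor's opacity and placed over a visible clickable element. The element descriptors are constructed sample data; in a browser they would be built from getBoundingClientRect() and getComputedStyle(), and PLUGIN_HOSTS is an assumed list of plugin origins.

```javascript
// Constructed element descriptors stand in for the DOM so the check runs in Node.
// Shape: { tag, src?, label?, opacity, rect: {left, top, right, bottom}, parent?, clickable? }
const PLUGIN_HOSTS = ["www.facebook.com", "facebook.com"]; // assumption: plugin origins to watch

// Effective opacity is the product of an element's opacity and all of its ancestors'.
function effectiveOpacity(el) {
  let o = 1;
  for (let node = el; node; node = node.parent) o *= node.opacity;
  return o;
}

function rectsOverlap(a, b) {
  return a.left < b.right && b.left < a.right && a.top < b.bottom && b.top < a.bottom;
}

function isPluginFrame(el) {
  if (el.tag !== "iframe" || !el.src) return false;
  try { return PLUGIN_HOSTS.includes(new URL(el.src).hostname); } catch (e) { return false; }
}

// Returns one finding per invisible plugin iframe that overlaps a visible clickable element.
function findHiddenOverlays(elements, threshold = 0.05) {
  const frames = elements.filter(e => isPluginFrame(e) && effectiveOpacity(e) <= threshold);
  const targets = elements.filter(e => e.clickable && effectiveOpacity(e) > threshold);
  const findings = [];
  for (const f of frames) {
    for (const t of targets) {
      if (rectsOverlap(f.rect, t.rect)) findings.push({ frame: f.src, over: t.label });
    }
  }
  return findings;
}

// Constructed sample page: follow-button iframe inside an opacity-0 div, placed exactly
// over a visible "Download" button; the plugin URL is a sample value.
const box = { left: 100, top: 200, right: 200, bottom: 230 };
const wrapper = { tag: "div", opacity: 0, rect: box, parent: null };
const SAMPLE = [
  wrapper,
  { tag: "iframe", src: "https://www.facebook.com/plugins/follow.php", opacity: 1, rect: box, parent: wrapper },
  { tag: "button", label: "Download", opacity: 1, rect: box, parent: null, clickable: true },
  { tag: "a", label: "Home", opacity: 1, rect: { left: 0, top: 0, right: 60, bottom: 20 }, parent: null, clickable: true },
];
console.log(findHiddenOverlays(SAMPLE)); // [ { frame: 'https://www.facebook.com/plugins/follow.php', over: 'Download' } ]
```

The same check can be applied after each DOM mutation, since the attack only creates the button once a logged-in user has been detected.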