Hacking the Facebook like button with Clickjacking
As I heard, there are some websites around that make people click a video, which then leads to an automatic “like” call in Facebook. As this solution, having to click a video first, does not seem enough to me, I tried my own implementation of a Facebook button being clicked unknowingly or even being sent unknowingly.
Following the user’s mouse
So the only possible approach to collect “like” clicks without users willingly clicking your button really seems to be to make the button invisible and put it somewhere the user will click. But instead of only putting the like button somewhere the user will possibly click, you can also let the button follow the user’s mouse. This means the user does not have to click any special point; he can click anywhere on the website to execute the “like” event.
Implemented in jQuery, this looks pretty straightforward:
The HTML source also needs some tweaking. You have to give the iframe an ID to access it and you need to add position: absolute.
Making the button disappear
Of course this is not a good implementation yet, as the user can see the button following his mouse, so we have to make it invisible. All we have to do for this is add some CSS that makes elements invisible in different browsers.
As a web developer you probably recognize the first problem now: NoScript users get warned that there might be a clickjacking attack.
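A site auditor can look for the same condition that makes this setup detectable: a cross-origin frame that cannot be seen but can still receive clicks. The following is an added example, not code from the original post and not NoScript's own logic; the descriptor fields, the opacity threshold and the sample frames are assumptions constructed for illustration.

```javascript
// Added example: flag iframes that are invisible yet can still receive clicks.
// Each descriptor is a plain object; in a browser it would be filled from
// getComputedStyle(el) and el.getBoundingClientRect() (assumed integration).
const INVISIBLE_BELOW = 0.1; // assumed cut-off for "effectively invisible"

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

function assessFrame(frame, pageOrigin) {
  const opacity = Number.parseFloat(frame.opacity);
  const invisible = !Number.isNaN(opacity) && opacity < INVISIBLE_BELOW;
  // display:none, visibility:hidden and pointer-events:none frames cannot be clicked.
  const receivesClicks = frame.display !== 'none' && frame.visibility !== 'hidden' &&
    frame.pointerEvents !== 'none' && frame.width > 0 && frame.height > 0;
  const src = originOf(frame.src);
  const crossOrigin = src !== null && src !== pageOrigin;
  const floating = frame.position === 'absolute' || frame.position === 'fixed';

  const findings = [];
  if (invisible) findings.push('opacity below threshold');
  if (receivesClicks) findings.push('still receives clicks');
  if (crossOrigin) findings.push('cross-origin content: ' + src);
  if (floating) findings.push('out of normal flow: ' + frame.position);

  // Invisibility alone is harmless; the risk is an unseen frame a click can land on.
  const suspicious = invisible && receivesClicks && crossOrigin;
  return { id: frame.id, suspicious, findings };
}

function auditFrames(frames, pageOrigin) {
  return frames.map((f) => assessFrame(f, pageOrigin)).filter((r) => r.suspicious);
}

// Constructed sample descriptors (hypothetical hosts), not taken from a real page.
const base = { display: 'inline', visibility: 'visible', pointerEvents: 'auto',
  width: 90, height: 20, position: 'static', opacity: '1' };
const SAMPLE_FRAMES = [
  { ...base, id: 'widget-visible', src: 'https://social.example/like' },
  { ...base, id: 'widget-hidden', src: 'https://social.example/like',
    opacity: '0', position: 'absolute' },
  { ...base, id: 'tracking-frame', src: 'https://stats.example/p',
    opacity: '0', display: 'none' },
  { ...base, id: 'same-origin-helper', src: 'https://site.example/helper', opacity: '0' },
];

console.log(JSON.stringify(auditFrames(SAMPLE_FRAMES, 'https://site.example'), null, 2));
```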
Remove element after usage
Since the element blocks clicks on other elements, it has to be removed after usage. Some good JS hackers could probably catch the click positions and redirect them to the actual target (e.g. a link or a button), but for now we will stay with the user being confused about why his click did not work (cf. the German movie “23 – Nichts ist so wie es scheint”, in which Karl Koch develops a predecessor of man-in-the-middle that only reads the password but does not pass it on; the first login fails, users are confused, but they just re-enter it a second time).
- One remaining problem is that the cursor always displays as a link, as it does not seem possible to influence the cursor’s style within the iframe.
- As already mentioned, the user’s first click will not be grabbed in the parent window either, so he might get suspicious.
- And finally NoScript users might kick your ass…