Possible to clickjack App Installs?

baneboyz

Junior Member
Joined
Jan 17, 2009
Messages
112
Reaction score
3
People are 'clickjacking' likes for their pages...was wondering if its possible to click jack installation of an app? Or is it a completely different setup??

Thanks!
 
no because the permission box cannot be iframed
 
Very good post. I was thinking the same question... But like already say, impossible to iframe it... :/
 
It's impossible in most cases. In others, not so much. It simply depends on what you're installing or forcing someone to accept. If you are installing something that requires a modal dialog, no, everyone above me is correct. If you're installing something that doesn't require a modal dialog but actually shows up on the page (like Flash tends to). Lots of activeX controls are on-page, so once they're installed they tend to not create modal dialogs for actions (think Webcasting software). Since they are part of the page, there is a high chance they'll be vulnerable.
 
It's impossible in most cases. In others, not so much. It simply depends on what you're installing or forcing someone to accept. If you are installing something that requires a modal dialog, no, everyone above me is correct. If you're installing something that doesn't require a modal dialog but actually shows up on the page (like Flash tends to). Lots of activeX controls are on-page, so once they're installed they tend to not create modal dialogs for actions (think Webcasting software). Since they are part of the page, there is a high chance they'll be vulnerable.

I guess facebook connect does not require so much explanation as in the code itself, code is written to check for cj.

Try a simple iframe the connect utility and see in tamper data, an alert is send of possible clickjacking. I have tried it.
 
no because the permission box cannot be iframed

You are wrong, every web page can be iframed, but connect page is a sort of iframe breaker, thats where it is impossible to iframe. :rolleyes:
 
its possible to iframe perm request page only in ie7/8/9 by a bug that i know but i dont know how to click jack in ie
 
its possible to iframe perm request page only in ie7/8/9 by a bug that i know but i dont know how to click jack in ie

Can you show sample code?

I can help in producing for other browsers too.
 
pm me how can clickjack in ie,and i will reply how to iframe facebook app page,and lets work to configure it :p
 
pm me how can clickjack in ie,and i will reply how to iframe facebook app page,and lets work to configure it :p

Well unless I have some basic code, I can't modify it. I can try to make it work. I never said I made it work lol.
 
Like and app installs have difference my friend.

is this a joke?
i say you i can bypass top.location.href blabla thing so i can iframe the request page in internet explorer but there is no any click jack app for ie
 
is this a joke?
i say you i can bypass top.location.href blabla thing so i can iframe the request page in internet explorer but there is no any click jack app for ie

Read my comment just after ur reply.

I asked you that basic code. Didn't I ? It seems you have major understanding problem.
 
Read my comment just after ur reply.

I asked you that basic code. Didn't I ? It seems you have major understanding problem.

i have pages with 500k liked,and an app with 115k user

and i still didnt understand the difference between like and app install

as example with a like page and this have no difference

PHP:
facebook dot com/connect/uiserver.php?display=wap&next=https%3A%2F%2Fgraph.facebook.com%2Foauth%2Fauthorize_success%3Fredirect_uri%3Dhttp%253A%252F%252Fwww.siz.net%252Ft.html%26client_id%3D133428240003776%26type%3Duser_agent&app_id=2318966938&method=permissions.request

just the button of the allow is bottom of the page you can fix it by iframe 's variables
 
i have pages with 500k liked,and an app with 115k user

and i still didnt understand the difference between like and app install

as example with a like page and this have no difference

PHP:
facebook dot com/connect/uiserver.php?display=wap&next=https%3A%2F%2Fgraph.facebook.com%2Foauth%2Fauthorize_success%3Fredirect_uri%3Dhttp%253A%252F%252Fwww.siz.net%252Ft.html%26client_id%3D133428240003776%26type%3Duser_agent&app_id=2318966938&method=permissions.request

just the button of the allow is bottom of the page you can fix it by iframe 's variables

Facebook has javascript code (at least in the api-related pages) that checks whether it's being loaded in an iframe and disables the page. I think this is to prevent clickjacking.

Facebook doesn't want you to do what you're trying to do. Use a popup window instead.
 
Facebook has javascript code (at least in the api-related pages) that checks whether it's being loaded in an iframe and disables the page. I think this is to prevent clickjacking.

Facebook doesn't want you to do what you're trying to do. Use a popup window instead.

yes exaclty that's what i want to say
i can bypass/remove these lines in internet explorer but i have no any working clickjack app for internet explorer i hope

i talk about these lines these are not problem

HTML:
function si_cj(m) {
    setTimeout(function () {
        new Image().src = ":\/\/error dot facebook dot com\/common\/scribe_endpoint.php?c=si_clickjacking&t=7437" + "&m=" + m;
    }, 5000);
}
if (top != self) {
    try {
        if (parent != top) {
            throw 1;
        }
        var si_cj_d = ["app dot facebook.com", "\/pages\/", "apps dot beta dot facebook.com"];
        var href = top.location.href.toLowerCase();
        for (var i = 0; i < si_cj_d.length; i++) {
            if (href.indexOf(si_cj_d[i]) >= 0) {
                throw 1;
            }
        }
        si_cj("3 ");
    } catch (e) {
        si_cj("1 \t");
        window.document.write("\u003cstyle>body * {display:none !important;}\u003c\/style>\u003ca href=\"#\" onclick=\"top.location.href=window.location.href\" style=\"display:block !important;padding:10px\">Facebook dot com'a git\u003c\/a>");
 
Back
Top