This has NOTHING to do with clickjacking. Here is a short video demonstrating this exploit in action (I suggest you watch it in full screen HD to see the details):

I'll preface this thread with a warning - this is a LONG thread. In addition, I'll also warn the coders out there that the code being shared here is, in some places, quite sloppy. It works, but this is far from refined. And again, while it works 100%, there are some places where the implementation is a bit sloppy as well. I put this together pretty quickly and just haven't gotten around to really refining it into a "nicer" package.

THIS ONLY WORKS IN FIREFOX - IT WILL NOT WORK IN ANY OTHER BROWSER - This is the ONLY reason I did not share this in Exec VIP, or even Jr. VIP for that matter. This limited scope of functionality is the reason you're seeing this posted here. If a mod is reading this and you feel it should be hidden, feel free to go ahead and move it as you see fit to wherever you'd like.

Demo URL: http://crazyflx.com/fbexploit/ - YOU MUST BE LOGGED INTO FACEBOOK - I didn't feel like adding the Facebook login detection to this. I might later, but at the moment, you'll have to be logged into Facebook and be using Firefox to see the demo URL work correctly.

A post is going to be made to your timeline and the timelines of all of your friends. If you're not comfortable with this, don't submit the form at the URL above. I'll never have direct access to your account (like the ability to log into your account, for instance). I won't get your password to log into Facebook.

What Does it Do?

If you are logged into Facebook and you're using Firefox and you browse to the demo URL, you'll be prompted to enter a captcha code. Upon submitting a correctly entered captcha code, a post will be made to your Facebook timeline and the timeline of every one of your friends.
You will never be prompted to give permission to an app, you won't see a popup, you won't have to do anything, in fact, except enter the captcha code and submit it.

How Does it Work?

I'll try to be brief here. First off, we're taking advantage of an unpatched security exploit in Firefox and exploiting something that Facebook is doing. The Firefox security exploit is iframing the source code of another page. This should not be allowed to happen, and they did in fact make sure that you couldn't iframe the source code of another page like this:

Code:
<iframe name="foo" width="10000px" height="10000px" src="view-source:http://test.com"></iframe>

So, they were on the right track. However, they forgot to ALSO not allow you to iframe their "Firefox specific" type tabs, like, for instance, the "feed" tab. I don't know the correct verbiage for this, but you can see what I mean if, instead of trying to iframe "view-source:http://test.com", you iframe this instead: "view-source:feed:view-source:https://test.com". In Firefox, what you'll see happen is that I can display the source code of another site on my site...this is the first step in doing some "blackhat magic".

Now, let's get back to Facebook and tie that in with what we just went over. When you go to any website and enter information and click the "submit" button, you're submitting a form to some location. On Facebook, when you fill in a post to make to your timeline and you click "submit", that form is submitted to their site. What's to prevent me from simply copying those form fields (the form itself) and putting it up on my website and then filling the information in and submitting it to Facebook...well, a lot, actually. They have a special token that is generated for every single user that is logged into Facebook. This token changes randomly and, for all intents and purposes, is impossible to figure out and is unique to every single user on Facebook. This token is called (on Facebook) "fb_dtsg".
This is their CSRF protection...CSRF stands for "cross-site request forgery". In other words, that token prevents a person from submitting a form from http://NotFacebook.com to http://Facebook.com. However, if you were to get your hands on that token, you CAN submit a form on the token owner's behalf from any website to facebook.com and it will work (NOT a cURL POST, as that happens server side and you need a LOT more info than just the CSRF token). What I mean is, you can submit a regular web form client side to facebook.com from a different URL.

Facebook has iframing protection on their entire site using X-Frame-Options. This iframing protection means that, at the browser level, all attempts to iframe will be stopped. However, because Facebook has all these fancy "plugins" (can be viewed here: https://developers.facebook.com/docs/plugins/ - the "like button" is an example of an FB plugin) that are allowed to be used on sites other than Facebook, they have to allow iframing of certain URLs, otherwise having a like button on your website could never happen. That means that all of the plugin URLs (they start with https://www.facebook.com/plugins/ and end with a variety of different things, all of which can be found at the fb.com/plugins URL referenced above) can be iframed. It just so happens that Facebook has included the CSRF token right there in the source code of these iframe-able URLs. Combine this with the Firefox security exploit and we've got ourselves the perfect storm of the makings of some real blackhat magic!

Step by Step Breakdown

Alright, I'm going to give an explanation of exactly what is happening in as few words as possible. Here is the "flow" of what happens when you arrive at the demo URL.

You arrive at the URL and are prompted to enter a captcha code.
The "captcha code" that you're presented with is actually your FB CSRF token, which is being displayed to you by iframing this URL: feed:view-source:https://www.facebook.com/plugins/registration (again, only works in Firefox). That's not quite enough, however, as simply iframing that URL doesn't give any control over what part of the source code is displayed. So we create an iframe on "fb-register.html" and iframe that URL. Then, on the page you arrive at in the demo URL, we have iframed THAT URL (resulting in a double nested set of iframes). By iframing the URL we have our iframe on, we can control what part of the source code is displayed on the URL you arrive at in the demo. So we control it to show only the CSRF token.

You then enter the token and click submit. What happens then is a form is submitted from the demo URL to facebook.com. What form, you ask? Well, the form that is normally submitted when you grant access to your Facebook account to an application. You can see an example of the form that is going to be submitted on your behalf if you enter the "captcha" on the demo URL by visiting this URL directly: https://www.facebook.com/dialog/oauth?client_id=189770671194636&redirect_uri=http://crazyflx.com

The form that is submitted when you click the "okay" button on that page is the form that is going to be submitted from my site to Facebook...using the CSRF token you just provided me with. The reason we can't make a PHP POST to the submission page from my site is because that would require access to all of your FB cookies, which I don't have access to. If I simply submit a "web form", however, Facebook only checks the CSRF token and, if it's valid, it will generate all the rest of the required information for me, since the form submission is actually happening "client side" (on your PC) and not server side (on my server).
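As an added example (not the post's code and not Facebook's), here is a minimal anti-CSRF check in two variants, run against constructed requests: the token-only validation described above, which accepts a leaked token replayed from another origin because the browser supplies the victim's session cookie, and a hardened variant that additionally requires the Origin (or Referer) header to match the site. The origin, session values and function names are all hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.example-social.test"  # constructed stand-in for the protected site
SERVER_KEY = secrets.token_bytes(32)             # per-deployment secret used to bind tokens


def issue_token(session_id: str) -> str:
    """Anti-CSRF token bound to one session: HMAC(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_matches_session(req: dict) -> bool:
    """Shared step: the posted token must be the one issued for the session cookie."""
    sid = req["cookies"].get("sid", "")
    token = req["form"].get("csrf_token", "")
    return bool(sid) and hmac.compare_digest(token, issue_token(sid))


def weak_check(req: dict) -> bool:
    """Token-only validation, the behaviour the post relies on: the browser attaches
    the victim's cookies to a cross-site form post, so a leaked token is all that is
    missing, and the request is accepted regardless of where it was submitted from."""
    return token_matches_session(req)


def hardened_check(req: dict) -> bool:
    """Token must match the session AND the request must come from this site.
    Origin is preferred, Referer is the fallback, and a request carrying neither
    is treated as cross-site and refused."""
    if not token_matches_session(req):
        return False
    source = req["headers"].get("Origin") or req["headers"].get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def build_requests(session_id: str) -> dict:
    """Constructed sample traffic: the victim's own submission, and the same form
    replayed from another origin using a token read out of a frameable page."""
    leaked = issue_token(session_id)
    same_site = {"cookies": {"sid": session_id}, "form": {"csrf_token": leaked, "action": "grant"},
                 "headers": {"Origin": SITE_ORIGIN}}
    cross_site = {"cookies": {"sid": session_id}, "form": {"csrf_token": leaked, "action": "grant"},
                  "headers": {"Origin": "https://other-site.test"}}
    return {"same_site": same_site, "cross_site": cross_site}
```

The other half of the fix is keeping the token out of any response that must stay frameable; the origin check limits the damage when that is missed.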
What happens then is you've just marked one of my Facebook applications as having permission to access your account (it's basic info like name, user ID and a few other things)...however, that's not enough. That isn't going to get me a list of all your friends...and I need that list to post to their timelines. What I need now is to mark your account as having given access to another one of my Facebook applications...but this second one will give me access to the whole enchilada...friends lists, your email, full name, birthday...literally everything.

Unfortunately, Facebook recently made it so that you have to go through more than one step to get these "elevated" application permissions...meaning more than one form submission, which we can't "fake" since that would require user interaction (and we're making all this happen silently). However, they left behind the functionality to give access to any amount of permissions you want if you clicked the "visit website" button on an app in the App Center, like what you can see here: https://www.facebook.com/appcenter/eighttracks

So if I have an app that has all the permissions I want and I have your CSRF token, I can "submit the form" that is submitted when you click that "visit website" button from my site, and then I've got everything! However, to submit that form, I need your CSRF token AND I need your user ID (not your username, but the actual number string associated with your account). Well, because I just marked you as giving my "regular permissions" app access a moment ago, I now have access to your user ID. So, using your user ID and the CSRF token you already gave me, I'll now go ahead and submit a different form that marks you as having given my second application full permissions to post to your timeline and your friends' timelines. Now that I've marked my two applications as having access to your account, I just need to make the posts!
The first post, to your timeline, can be done using the Facebook SDK, since I now have a valid access token that was generated immediately upon marking you as having approved my applications. Unfortunately, Facebook recently removed the ability for an app to post to friends' timelines (as far as I know). Fortunately, since I've got your CSRF token, I can forge that form submission too! So using my valid access token, the demo URL generates a list of all of your account's friends' IDs. It then loops through these IDs submitting form after form using the ID and your CSRF token (that you provided me with).

How to Set it Up

I'm going to be very brief here...not only am I tired, but it's almost more work to explain how to set it up than it is for you to just go ahead and grab the files and start playing around with it yourself. I'm obviously going to provide the files below, but there are a few things you absolutely must do first.

Make two applications on Facebook. Sign into a Facebook account and go here: https://developers.facebook.com/apps?ref=mb Then make two applications. You can use all of the default values and name them whatever you want, it doesn't matter. After they are created, click the "edit" button for one of the apps (the one that will have the elevated permissions) and click on "permissions". Make sure you have "publish_actions" and "read_friendlists" as permissions. You can actually go ahead and add every single possible permission to it, as the more you add, the more things you can do later using only PHP code (so the person doesn't even have to be on your site and you can be posting to their account/getting their info). Make sure you also set the "default activity privacy" to public (this setting is also on the permissions page). Then, lastly, for each of these two apps, note & save the "App ID" and the "App Secret" (these can be found on the "basic" tab after you are editing an app).

Get the Files

I have included one download link.
It downloads a zipped package that contains two folders. One folder is "php-sdk", which contains the PHP SDK as provided by Facebook. The other is labelled "demo" and contains all the files needed to achieve what you see on the demo URL and everything that is gone over above. You should upload both of these folders to the root of your site so you can access them by going to: http://yoursite.com/php-sdk & http://yoursite.com/demo

Download Link: http://www.mediafire.com/download/4ur8z309ewdx022/folders.rar

You'll have to edit the following files in the demo folder:

CHANGE APP ID VALUE IN FRIENDS-POST.PHP
CHANGE APP ID AND APP SECRET IN POST.PHP
CHANGE APP ID IN GRANT-READ & GRANT-WRITE PERMISSIONS.HTML FILES
CHANGE APP ID & APP SECRET IN URLS IN TOKEN.PHP

I have tried to designate in each of the files, using long strings of XXXXXXXX, where you need to replace the app IDs & app secrets. You're also going to have to replace any instance of "crazyflx.com/fbexploit" with your site and the folder you uploaded the files in the demo folder to.

As Always, Any Questions - Fire Away! Enjoy!