
Possible to clickjack App Installs?

Discussion in 'FaceBook' started by baneboyz, Mar 22, 2011.

  1. baneboyz

    People are 'clickjacking' likes for their pages... was wondering if it's possible to clickjack installation of an app? Or is it a completely different setup??

    Thanks!
     
  2. Checkmate

    Not possible because of the permissions they must accept.
     
  3. Website

    No, because the permission box cannot be iframed.
     
  4. captchaman

    What about webbrowser or shelling the default webbrowser?
     
  5. Jason2010

    I can't do it, but I bet there is a way.
     
  6. ADRENALINE

    Very good post. I was thinking the same question... But like already said, it's impossible to iframe it... :/
     
  7. RSnake

    It's impossible in most cases. In others, not so much. It simply depends on what you're installing or forcing someone to accept. If you are installing something that requires a modal dialog, no, everyone above me is correct. If you're installing something that doesn't require a modal dialog but actually shows up on the page (like Flash tends to). Lots of ActiveX controls are on-page, so once they're installed they tend to not create modal dialogs for actions (think webcasting software). Since they are part of the page, there is a high chance they'll be vulnerable.
     
  8. xxMP3xx

    I guess Facebook Connect does not require so much explanation as in the code itself; the code is written to check for CJ.

    Try a simple iframe of the connect utility and look in Tamper Data: an alert is sent of possible clickjacking. I have tried it.
     
  9. xxMP3xx

    You are wrong, every web page can be iframed, but the connect page is a sort of iframe breaker, that's where it is impossible to iframe. :rolleyes:
     
  10. ballot

    It's possible to iframe the perm request page only in IE7/8/9 by a bug that I know, but I don't know how to clickjack in IE.
     
  11. xxMP3xx

    Can you show sample code?

    I can help in producing for other browsers too.
     
  12. ballot

    PM me how to clickjack in IE, and I will reply how to iframe the Facebook app page, and let's work to configure it :p
     
  13. xxMP3xx

    Well unless I have some basic code, I can't modify it. I can try to make it work. I never said I made it work lol.
     
  14. ballot

    search in forum for "Basic Forced Like"
     
  15. xxMP3xx

    Likes and app installs are different, my friend.
     
  16. ballot

    Is this a joke?
    I'm telling you I can bypass the top.location.href blabla thing, so I can iframe the request page in Internet Explorer, but there isn't any clickjack app for IE.
     
  17. xxMP3xx

    Read my comment just after your reply.

    I asked you for that basic code, didn't I? It seems you have a major understanding problem.
     
  18. ballot

    I have pages with 500k likes, and an app with 115k users,

    and I still don't understand the difference between a like and an app install.

    As an example, between a like page and this there is no difference:

    PHP:
    facebook dot com/connect/uiserver.php?display=wap&next=https%3A%2F%2Fgraph.facebook.com%2Foauth%2Fauthorize_success%3Fredirect_uri%3Dhttp%253A%252F%252Fwww.siz.net%252Ft.html%26client_id%3D133428240003776%26type%3Duser_agent&app_id=2318966938&method=permissions.request
    Just the allow button is at the bottom of the page; you can fix it with the iframe's variables.
     
  19. xxMP3xx

    Facebook has javascript code (at least in the api-related pages) that checks whether it's being loaded in an iframe and disables the page. I think this is to prevent clickjacking.

    Facebook doesn't want you to do what you're trying to do. Use a popup window instead.
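
An added example, not part of any post in this thread and not Facebook's code: the posts describe a script-based frame check, and the same restriction can be enforced by the browser through the `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` response headers, which do not depend on page script running. The sketch below evaluates whether a set of response headers would let one origin frame a page; `canFrame` and `sourceMatches` are hypothetical helper names, and all origins and header values are constructed.

```javascript
// Added example; the origins and header values used with it are constructed.
// Simplification: tests one embedding origin; browsers test every ancestor frame.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };
const schemeOk = (want, got) => got === want || (want === "http:" && got === "https:");

function sourceMatches(src, embedder, self) {
  const e = new URL(embedder);
  const s = src.toLowerCase();
  if (s === "*") return true;
  if (s === "'self'") return e.origin === new URL(self).origin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return schemeOk(s, e.protocol); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(?::(\d+|\*))?/.exec(s);
  if (!m) return false;
  const [, scheme, wild, host, port] = m;
  // A scheme-less source takes the protected page's scheme.
  if (!schemeOk(scheme ? scheme + ":" : new URL(self).protocol, e.protocol)) return false;
  // No port in the source means the default port, for which URL.port is "".
  const ePort = e.port || DEFAULT_PORT[e.protocol] || "";
  if (port ? port !== "*" && port !== ePort : e.port !== "") return false;
  return wild ? e.hostname.endsWith("." + host) : e.hostname === host;
}

function canFrame(headers, embedder, self) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  // Each comma-separated CSP policy is enforced on its own; all must allow.
  const lists = (h["content-security-policy"] || "").split(",")
    .map(p => p.split(";").map(d => d.trim().split(/\s+/))
      .find(d => d[0].toLowerCase() === "frame-ancestors"))
    .filter(Boolean).map(d => d.slice(1));
  if (lists.length > 0) {
    // When frame-ancestors is present, X-Frame-Options is ignored.
    return lists.every(srcs =>
      srcs.some(s => s.toLowerCase() !== "'none'" && sourceMatches(s, embedder, self)));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return new URL(embedder).origin === new URL(self).origin;
  return true; // absent, invalid or obsolete ALLOW-FROM: nothing restricts framing
}
```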
     
  20. ballot

    Yes, exactly, that's what I want to say.
    I can bypass/remove these lines in Internet Explorer, but I don't have any working clickjack app for Internet Explorer, I hope.

    I'm talking about these lines; these are not a problem:

    HTML:
    function si_cj(m) {
        setTimeout(function () {
            new Image().src = ":\/\/error dot facebook dot com\/common\/scribe_endpoint.php?c=si_clickjacking&t=7437" + "&m=" + m;
        }, 5000);
    }
    if (top != self) {
        try {
            if (parent != top) {
                throw 1;
            }
            var si_cj_d = ["app dot facebook.com", "\/pages\/", "apps dot beta dot facebook.com"];
            var href = top.location.href.toLowerCase();
            for (var i = 0; i < si_cj_d.length; i++) {
                if (href.indexOf(si_cj_d[i]) >= 0) {
                    throw 1;
                }
            }
            si_cj("3 ");
        } catch (e) {
            si_cj("1 \t");
            window.document.write("\u003cstyle>body * {display:none !important;}\u003c\/style>\u003ca href=\"#\" onclick=\"top.location.href=window.location.href\" style=\"display:block !important;padding:10px\">Facebook dot com'a git\u003c\/a>");