Hacks InfoSec Technology

Facebook Tabnabbing Proof of Concept

By on December 3, 2016

This is a demonstration of how it can be easy to hack into website accounts with an extremely basic phishing attack.

*The test site is no longer live, but I have included relevant source code in this article.

http://searchsecurity.techtarget.com/definition/phishing

Source: http://searchsecurity.techtarget.com/definition/phishing

Have you noticed how many people get their Facebook accounts hacked? Well, this is one big reason why. It’s also very easy to pull off… and even easier to fix. I feel that people should at least be aware of what to look out for, so I’m posting this.

Currently Facebook structures links shared within Facebook like this:

<a href="https://www.facehook.org/test.php" target="_blank">Clickbait</a>

Solution:

<a href="https://www.facehook.org/test.php" target="_blank" rel="noreferrer noopener">Clickbait</a>

Adjusting their link structure to include only the extra rel=”noreferrer noopener” would totally kill this hack for the most part and make it more tricky for hackers to steal Facebook accounts. You can follow the proof of concept described below to see how this works, for yourself. I assure you that this is a safe example that I set up in order to demonstrate the vulnerability. There is nothing malicious included in the code. All it does is redirect your Facebook tab from another website. This is also not a vulnerability specific to Facebook, any website that excludes rel=”noreferrer noopener” from external hyperlinks is vulnerable.

Here is the full exchange I had with Facebook’s bug bounty representative. Please note that in my original disclosure, when I said “No” to the question about if this bug public or known by third parties, I was referring to Facehook, I misinterpreted the question. The target=”_blank” vulnerability is relatively well known already which is why it baffles me that Facebook had such a blasé response. I am disclosing this because there is a simple solution to this problem, which I would like Facebook to implement.

 

publicdisclosure

To try it, share this link on Facebook (set post privacy to”Only Me” if you don’t want anyone to see it). Once you have shared it, click the link in the Facebook post, then switch back to your Facebook tab.

Test link: https://www.facehook.org/test.php

This attack vector is extremely trivial, here is the full code for the exploit page:

<script>
$(document).ready(function () {
redirect();
});

function redirect() {
opener.location.href = 'https://www.facehook.org/';
setTimeout(function () {
window.location.href= 'https://www.facebook.com';
}, 250);
};
</script>

 

Really, Facebook? Adding 25 characters to your external target=”_blank” links is too much to ask? It would improve user experience, in my opinion.

TAG
RELATED POSTS

LEAVE A COMMENT