How does it work?
The game works by exploiting a security flaw called Clickjacking, which allows a malicious site to redirect clicks to another website to perform actions on behalf of the user, without their consent.
In this game, the tiles where mines would be are actually hidden Facebook Like buttons embedded in the page. When you click one, your Facebook account likes whatever link the button points at. For example:
A partially completed game of Social Minefield, but with the Facebook Like buttons visible.
As you can see, the suspiciously shaped tiles of this minesweeper game hide a secret. Let's take a closer look into the world of Clickjacking attacks.
The Clickjacking attack
In the security world, Clickjacking is a forgotten cousin when compared to other high-profile exploits such as SQL Injection or Cross Site Scripting (XSS). However, if a site is vulnerable to it, there can still be bad consequences for its users.
Here's a fictional, interactive demonstration of how Clickjacking attacks work:
[Interactive demo: the fictional ShopFast storefront, listing a "Shonky Hammer" from Shonky Steve PTY LTD for $100.00, with customer reviews "It sucks!!!" (1 star), "Barely works!!!" (1 star), "How do I refund??" (5 stars), "Item is great but got lost!!!" (2 stars) and "Delivered quickly" (5 stars).]
Welcome to ShopFast!
Australia's leading eCommerce website.
This fictional site lets you purchase goods from sellers across the world, with just one click.
Pressing the '1-click buy' button will automatically debit the money from your account, and send the purchased item to your address.
Try clicking it! To make it easier to understand how the demo works, we'll make a pop-up appear when you click it.
Congratulations, Shonky Steve, you are now the proud owner of youhavewonafreecar.com! Please edit your new website, and enjoy!
The Heist Begins
Shonky Steve wishes to get more people to buy his shoddy items, but he's noticed the bad reviews have started to deter people.
Instead, he decides to set up a website to trick people into buying them.
He purchases YouHaveWonAFreeCar.com and begins his master plan.
Inception
First, he embeds the ShopFast website inside his, in a nested window.
Notice how identical it can look to the original site; note, however, that the URL shown in the "browser" is Shonky's, not ShopFast's.
Web browsers by default will allow this to happen, and the embedded website will usually act as normal. If you are logged in, you will also appear so in the embedded site.
Interacting with the embedded site works as normal. You can even press buy!
Covering things up
Steve will intentionally set up his website to trick people into clicking buy on his item.
First, he covers up everything but the buy button with elements, so that people don't accidentally interact with the site in other ways (clicking "log out", for example).
Adjust the transparency of Steve's overlay to see how it works:
Free Cars!
Finally, Steve adds some content to his site that's enticing enough to get people to click.
The "Enter giveaway" button doesn't do anything. Instead, it's intentionally set up to ignore clicks.
When you click it, you will actually be clicking the Buy Now button underneath, even though it's not visible!
Unfortunately for the person claiming their "prize", they'll only receive a shonky hammer and feel a little lighter in the pocket, too.
Extra credit
And with that, we've demonstrated how a Clickjacking attack works. A malicious website can embed another website, and be designed to trick visitors into performing unintended actions.
It's not just limited to single clicks! You can chain multiple clicks together to perform more complex actions.
Consider a cloud storage website, where there's a confirmation step to delete a file. How would you design a site to trick people into clicking in two locations?
[Interactive demo: the fictional Gobble Cloud file list.]
Gobble Cloud
Files
Filename | Uploaded | Actions
---|---|---
work.pdf | March 16 |
crimes.docx | Feb 30 |
fanfic.rtf | Jan 1 |
memes.tiff | Jan 2 |
How do I know if a site is vulnerable?
I've written a tool to easily check whether a site is vulnerable to Clickjacking. A site is vulnerable when the developer responsible for hosting it has not included a setting on their website that rejects attempts to embed it in other websites.
What the values of this setting specify is whether another website is allowed to embed this one in its page. If it's not allowed, then your web browser (Chrome, Firefox, Safari, etc.) will refuse to embed it when a site tries, thus thwarting the attack.
As an example, here's what it looks like when your browser attempts to load a website that isn't allowed to be embedded (in this case, Google).
Some sites may intentionally want to allow being embedded in other sites, such as the Facebook "Like" button. It's used to allow websites (such as news sites) to let users "like" a page, making sure the article gets more attention. Facebook uses the Like button to discreetly track users across the web. They're embedded across 7.5 million websites - that's quite a spy network!
I'm a developer, how do I fix my site?
I've written a guide here.
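As an added example (not the author's checker or guide, which are linked on this page), here is an offline version of the check described in the section above, together with the opt-in fix a developer would add. It assumes that the setting the page refers to is the X-Frame-Options response header and/or the frame-ancestors directive of Content-Security-Policy, the standard anti-framing mechanisms, and it reads headers from constructed sample responses rather than fetching a live site.

```python
"""Offline check of the response headers that stop a site from being framed."""
import re
# Assumption (the page does not name it): the "setting" is the X-Frame-Options
# header and/or the frame-ancestors directive of Content-Security-Policy.

def assess_framing(headers: dict) -> tuple:
    """Return (vulnerable, reason): can an arbitrary third-party site embed this page?"""
    lower = {k.lower(): v for k, v in headers.items()}
    # Browsers that understand frame-ancestors ignore X-Frame-Options, so check it first.
    for directive in re.split(r"[;,]", lower.get("content-security-policy", "")):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if not sources or sources == ["none"]:
                return False, "CSP frame-ancestors 'none'"
            if "*" in sources or any(s in ("http:", "https:") for s in sources):
                return True, "CSP frame-ancestors allows any origin"
            return False, "CSP frame-ancestors limited to: " + " ".join(sources)
    xfo = lower.get("x-frame-options", "")
    values = {v.strip().lower() for v in xfo.split(",") if v.strip()}
    if "deny" in values or values == {"sameorigin"}:
        return False, "X-Frame-Options " + ", ".join(sorted(values)).upper()
    if len(values) > 1 and values & {"sameorigin", "allowall"}:
        return False, "X-Frame-Options has conflicting values; browsers refuse to frame"
    if values:  # ALLOW-FROM and unrecognised values are ignored by current browsers
        return True, "X-Frame-Options value not honoured: " + ", ".join(sorted(values))
    return True, "no anti-framing header present"

def harden(headers: dict) -> dict:
    """Add the opt-out the page argues should be the default (assumes no CSP is set yet)."""
    fixed = dict(headers)
    fixed["X-Frame-Options"] = "SAMEORIGIN"                      # older browsers
    fixed["Content-Security-Policy"] = "frame-ancestors 'self'"  # modern browsers
    return fixed

# Constructed sample responses, not captured from real sites.
SAMPLES = {
    "protected": {"X-Frame-Options": "DENY"},
    "csp-only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy-only": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "unprotected": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        vulnerable, reason = assess_framing(hdrs)
        print(f"{name:12} vulnerable={vulnerable}  ({reason})")
    print("after harden:", assess_framing(harden(SAMPLES["unprotected"])))
```

Point it at real headers by fetching a page with any HTTP client and passing the response headers as the dict; a site that intentionally allows embedding, like the Like button, will correctly show as framable.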
How to eradicate this vulnerability?
The crux of the problem is that embedding is allowed by default. If it were instead disallowed by default, permitting only same-origin embeds (i.e. the site can embed itself), this problem wouldn't occur nearly as often.
That's it. Change the default behaviour so that allowing embeds requires opting in. Whilst this may break some existing sites, it would take one line of configuration to allow embedding where it's needed.
If a site is unable to be updated (perhaps it's fallen out of maintenance), it's possible to use browser extensions to override the settings and re-enable embedding.
There are a lot of websites out there that are not created by elite teams of developers, with a security team backing them to detect these problems. Instead, there's many apps out there, made by junior developers, or farmed out to the lowest bidder. It is generally a Good Idea to defend against ignorance.
How do I protect myself?
Unfortunately, it's up to the website creators to fix their website so that their users are not vulnerable to Clickjacking attacks on that site.
However, if you wish to stop this specific attack against Facebook likes, you can install some software with built-in protections against trackers and ads, which thwarts this method.
I personally recommend:
- Firefox or Safari (iOS/Mac) browsers.
  - These both have great built-in protections for both safety and privacy.
  - Unfortunately Google Chrome does not (and probably won't ever) have privacy protections from trackers, as their business is built around tracking user information and selling ads.
- Privacy Badger - A browser extension that intelligently blocks trackers.
- uBlock Origin - The best ad blocker in existence.
Acknowledgements
Some resources were used in the supporting material.
- Squiggly arrow from Wannapik
- Shopfast logo, broken hammer, cool car images by Dall-E 3.
- Under construction logo from textfiles.
- Cool text generator from cooltext.com.
- Favicon generated from Twemoji.
If you're curious, the code for all this is free and open-source on GitHub, here. Or, just view source on this page. 🙃