folder Filed in PoC Gallery, Write Ups
Facebook ClickJacking - How we put a new dress on Facebook UI
Mohamed A. Baset comment 2 Comments access_time 2 min read

Hi Bug Hunters,

Today we will explain how we redressed facebook ui and made it so easy to fool a victim to for example, Add the attacker as a member in one of his own secret groups on facebook.

Here’s some details about the issue:

Vulnerability Type:


The vulnerable url:


1. 559357440894888 is the targeted resource (group)
2. 100000152886101 is the targeted user who owns the resource, (Just a parameter value sent along with the first GET request to be included in the form action to successfully complete the request)

The problem:
When this endpoint (/ajax/home/generic.php) calling an client side facebook path (path=) related to a facebook resource (pages, groups, etc..) this resource lacks the “X-Frame-Options” and became iframable. The fact is that all the actions inside the iframable response are depending on another resource that has not been loaded to complete the AJAXed requests to be made but LUCKILY we found that the iframable resource contains some “Forms” that are able to be submitted by the victim.

The PoC Impact:
Fooling a victim to add a specific user to a targeted secret group or even any other resource!!

PoC Code (In case you need it):
<div style=”overflow: hidden; width: 145px; height: 28px; position: relative;” >
<iframe src=”URL” style=”border: 0pt none ; left: -7px; top: -807px; position: absolute; width: 1406px; height: 1321px;” scrolling=”no”></iframe></div></br>

PoC Video:

Building a website? Or already built a one? Think twice before going public and let us protect your business!

Bug ClickJacking Facebook Security UI UI Redressing

Leave a Reply

Your email address will not be published. Required fields are marked *

Cancel Post Comment

Translate this blog