Hello,

it is possible to load "https://www.facebook.com/login/reauth.php?next=https://www.facebook.com/confirmphone.php&display=popup" in another page. See here:

// Clickjacking test only
http://darksecurity.de/fb-clickjack/ClickJacking-iFrame.html

Here is a PoC for the login site (I've used http://code.google.com/p/javascript-keylogger/):

// Clickjacking PoC (Login without logged in user)
http://darksecurity.de/flv/Facebook-PoC-Clickjacking.flv

Some more information:

// Login with logged in user
http://darksecurity.de/fb-clickjack/facebook.com-Clickjacking-AuthUser.JPG

// Login without logged in user
http://darksecurity.de/fb-clickjack/facebook.com-Clickjacking-NoAuthUser.JPG

// No X-Frame-Options on https://www.facebook.com/login/reauth.php?next=https://www.facebook.com/confirmphone.php&display=popup
http://darksecurity.de/fb-clickjack/WebScarab-NO-X-Frame-Options.JPG

// X-Frame-Options on Facebook.com
http://darksecurity.de/fb-clickjack/WebScarab-X-Frame-Options.JPG

My question: is this really not a security problem on Facebook?

Kind regards,
Stefan

Attachment: 0x62DC6CC0.asc (application/pgp-keys)
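A defender-side check for what the two WebScarab screenshots compare, added here as an example and not part of Stefan's post: it inspects a response's headers for X-Frame-Options and the CSP frame-ancestors directive (which browsers honour over X-Frame-Options when both are present) and reports whether other origins may frame the page. The two header sets are constructed to mirror the "no X-Frame-Options" and "X-Frame-Options" cases; they are not captured from facebook.com.

```python
# Added example (not from the original post): classify whether an HTTP
# response can be framed by third-party pages, from X-Frame-Options and
# the Content-Security-Policy frame-ancestors directive.

def _header(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None

def framing_policy(headers):
    """Return (verdict, reason); verdict is one of
    "frameable", "same-origin", "restricted", "denied"."""
    # CSP frame-ancestors takes precedence over X-Frame-Options when present.
    csp = _header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.strip("'").lower() for s in parts[1:]]
                if sources == ["none"]:
                    return "denied", "CSP frame-ancestors 'none'"
                if sources == ["self"]:
                    return "same-origin", "CSP frame-ancestors 'self'"
                if "*" in sources:
                    return "frameable", "CSP frame-ancestors allows any origin"
                return "restricted", "CSP frame-ancestors " + " ".join(parts[1:])
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return "frameable", "no X-Frame-Options and no CSP frame-ancestors"
    value = xfo.upper()
    if value == "DENY":
        return "denied", "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    if value.startswith("ALLOW-FROM"):
        # Obsolete; browsers that do not support it ignore the whole header.
        return "frameable", "X-Frame-Options: ALLOW-FROM is obsolete and ignored"
    return "frameable", "unrecognised X-Frame-Options value: " + xfo

# Constructed header sets mirroring the two WebScarab screenshots in the post.
REAUTH_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Set-Cookie": "x=1"}
HOME_HEADERS = {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    for name, hdrs in (("reauth.php", REAUTH_HEADERS), ("facebook.com", HOME_HEADERS)):
        print(name, *framing_policy(hdrs))
```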
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/