Facebook: missing X-Frame-Options (#XFO) leads to a clickjacking attack
What is ClickJacking?
“Clickjacking” is a malicious technique that deceives a web user into interacting (in most cases by clicking) with something different from what the user believes they are interacting with. This type of attack, which can be used alone or in combination with other attacks, could potentially send unauthorized commands or reveal confidential information while the victim is interacting with seemingly harmless web pages.
One day, while hunting for bugs on Facebook, I observed that Facebook’s mobile login page “https://m.facebook.com” was vulnerable to clickjacking. The reason: the page did not send the “X-Frame-Options” header, so a browser would allow it to be loaded inside a frame on another site’s page.
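The check a defender would run for this class of issue, as an added example (not code from the original post or from Facebook): evaluate a response’s headers for framing protection, treating CSP `frame-ancestors` as authoritative when present and `X-Frame-Options` as the fallback. The sample responses are constructed; the first mirrors the situation described above (no framing headers at all).

```python
# Added example (not from the original post): decide whether an HTTP response's
# headers protect a page from being framed, i.e. from clickjacking.
# Input is a dict of response headers; sample responses are constructed inline.

def framing_protection(headers):
    """Return (protected, reason) for a dict of response headers (any case)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    # Browsers that support CSP frame-ancestors ignore X-Frame-Options when the
    # directive is present, so it must be evaluated first.
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if not sources:
                return False, "frame-ancestors has no source list (treated as unprotected)"
            if "*" in sources:
                return False, "frame-ancestors allows any origin"
            return True, "frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is not honoured by modern browsers"
    if xfo:
        return False, "unrecognised X-Frame-Options value: " + xfo
    return False, "no X-Frame-Options and no CSP frame-ancestors"

# Constructed sample responses: "unprotected" resembles the login page described
# in the post (no framing headers); the others are possible fixes or misfixes.
SAMPLES = {
    "unprotected": {"Content-Type": "text/html", "Set-Cookie": "sid=x; HttpOnly"},
    "xfo_deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    # XFO DENY is overridden by the permissive CSP directive: still unprotected.
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *",
                     "X-Frame-Options": "DENY"},
}

def audit(samples=SAMPLES):
    """Map each sample name to its (protected, reason) verdict."""
    return {name: framing_protection(hdrs) for name, hdrs in samples.items()}

if __name__ == "__main__":
    for name, (ok, why) in audit().items():
        print(f"{name:13} {'OK  ' if ok else 'FAIL'} {why}")
```

The `csp_wildcard` case is the one worth remembering: a correct `X-Frame-Options` header is silently neutralised by a permissive `frame-ancestors` directive, so both headers must be reviewed together.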
Most companies do not accept a clickjacking report unless the impact is high. In my case the vulnerable page was the login page, so how could I make this more impactful?
After some research, I found that this vulnerability could be used to build a hard-to-detect phishing page. I created an HTML page with the same text boxes and button as the original Facebook login page.
As you can see in the image above, the transparent HTML layer contains only the text boxes and the button. When a victim enters their credentials, the page redirects to the real Facebook login page, and the attacker receives the victim’s credentials.
Facebook fixed this vulnerability within a couple of minutes, and a bounty was awarded for this issue.