Microsoft Vulnerability Research Advisory MSVR11-007

Clickjacking Vulnerability in Could Allow Account Compromise

Published: July 19, 2011 | Updated: July 19, 2011

Version: 1.1


Executive Summary

Microsoft is providing notification of the discovery and remediation of a vulnerability affecting the popular social networking site, Microsoft discovered and disclosed the vulnerability under coordinated vulnerability disclosure to the affected vendor, Facebook Inc. Facebook Inc. has remediated the vulnerability in

A vulnerability exists in the way that had previously implemented protection against clickjacking attacks. An attacker could exploit this vulnerability to circumvent Facebook privacy settings and expose potentially sensitive user information. An attacker who successfully exploited this vulnerability could take complete control of a user’s account and could perform any action on behalf of the user, such as read potentially sensitive data, change data, and delete contacts.

Microsoft Vulnerability Research reported this issue to and coordinated with Facebook to ensure remediation of this issue. For more information from Facebook, see Facebook Security.

Mitigating Factors

  • The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, an attacker must convince a user to click on specially crafted Facebook content.

Advisory Details

Purpose and Recommendation

Purpose of Advisory: To notify users of a vulnerability and its remediation.

Advisory Status: Advisory published.

Recommendation: Review the Suggested Actions section and configure as appropriate.

Issue References

For more information about this issue, see the following references:

Common Vulnerabilities and Exposures None*

*This type of vulnerability is not tracked on the CVE List.

Affected and Non-Affected Software

This advisory discusses a vulnerability in that has been remediated on No specific end-user software is affected.

What is the scope of this advisory? 
This advisory is part of a coordinated release with affected vendors to inform customers of a security issue that may affect them.

Is this a security vulnerability that requires Microsoft to issue a security update? 
No. The vulnerability has been fixed on the systems of the third-party vendor. The vulnerability only affects the vendor's services to end users, and does not directly affect end-user systems.

What is the scope of the vulnerability? 
This is a variation of a clickjacking vulnerability. Users who are affected by this issue could have had their accounts completely compromised giving an attacker full access to read, modify or delete the user's profile content.

What is clickjacking?
Clickjacking is a technique used by an attacker to place a transparent layer on a legitimate site in order to capture a user's clicks. Thus, the attacker is hijacking clicks meant for the legitimate page and routing this user interaction to other another page that is most likely owned by another application, domain, or both. For more information, see the article, Clickjacking, at The Open Web Application Security Project.

What causes the vulnerability? 
The vulnerability exists in the way that implemented protection against common clickjacking techniques.

What might an attacker use this vulnerability to do? 
An attacker who successfully exploited this vulnerability could gather Facebook users' personal details, change personal details, read private or sensitive messages, send messages on behalf of the user, and otherwise perform any other available functions on behalf of the user. This vulnerability does not directly lead to compromise of servers or end-user systems being used to access

When this advisory was issued, had this vulnerability been publicly disclosed? 
No. Microsoft reported this vulnerability to the affected third-party vendor through coordinated vulnerability disclosure.

When this advisory was issued, had Microsoft received any reports that this vulnerability was being exploited? 
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this advisory was originally issued.

Users do not need to take any corrective action on their systems as the vulnerability has been remediated on servers. However, users should review all personal information being shared on all social networking sites to insure that, despite the privacy controls offered by these sites, such personal information is not of a sensitive or confidential nature.


Microsoft thanks the following:

  • Jesse Ou and Richard Lundeen of Microsoft for discovering this issue and the team at Facebook for working toward a resolution.


The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.


  • V1.0 (July 19, 2011): Advisory published.
  • V1.1 (July 19, 2011): Added FAQ entries about disclosure and exploitation of this issue.

Built at 2014-04-18T13:49:36Z-07:00