ProfileJacking is a simple technology based on Clickjacking, or being more accurate, on Likejacking. The only difference is likejacking’s goal is to increase number of likes, profilejacking’s purpose is to reveal profile URLs of current visitors to send them personalized offers/messages.

The technique is neither innovative nor complex, I just had some code snippets and I want to open-source them.

Many companies have widgets and those widgets are not supposed to have X-Frame-Options header. For Linkedin it uses “Follow this company” widget (it takes random companies with <10 followers, plenty of them). For Facebook it uses “comments widget” and tricks user into liking a comment (unlike regular Like button it won’t be detected by anticlickjacking bots nor visible in user activity feed). Google Plus and Disqus profiles also can be detected. For Tumblr you can use “follow this blog” widget.

Twitter’s widgets always open a new window so there’s nothing we can do.

As soon as the victim clicks on the transparent widget, background process on the server side scrapes the last profile that followed our dummy user or liked our dummy comment, and passes the profile URL and first/last name to the client. The only disadvantadge is if you want to profilejack thousands of users, you need to create dozens of accounts and rotate them to not be banned.

Mar 10, 2015 • Egor Homakov (@homakov)

Subscribe to our blog via Twitter @SakurityNetwork, RSS or Email