Ask HN: Facebook clickjacking – is it detectable?
22 comments
It's possible to detect whether an element is visible using window.getComputedStyle(). Why don't Facebook do this? Because it's slow. And measures like this can cause problems on the page. They want their button integration to be fast and low impact, so they would rather handle a couple of abusers (which they're quite good at) than inconvenience a large number of sites.
getComputedStyle() doesn't work across iframes.
Couldn't an attacker override window.getComputedStyle() at runtime anyway?
Presumably Facebook would have CSP headers set on some of the scripts they load to prevent JavaScript on the page from interacting with their own scripts.
'Because it's slow' doesn't seem to make much sense to me. Couldn't they register the click then do the check, allowing them to have the best of both worlds?
It's JavaScript, so the client pays for it. If you're on an already slow browsers, you don't want to see it choke after you click on a button. So companies like Facebook ignore the problem on the client side, and solve it on the server side.
The simplest way to avoid this (though it does require some guesswork on your part) is to always open those suspicious sites with incognito mode. If when you click the button it asks you to log into facebook (don't) you would have been clickjacked.
A simpler way is to have a seperate Chrome (or Firefox) profile for Facebook. I have an icon in my taskbar for Gmail and it simply opens up Chrome with that profile, which has Gmail set as homepage.
Not a perfect solution, but good first line of defense none-the-less.
Not a perfect solution, but good first line of defense none-the-less.
Facebook will after a certain point put a captcha if they suspect clickjacking, and they do that incredible fast!
It is properbly a combination of user tracking and how many removes the like just after the see it on their own profile.
It is properbly a combination of user tracking and how many removes the like just after the see it on their own profile.
Can you give me an example site which has that. May be we can build a chrome app/extension for that.
Related question: is there a place in my Facebook profile where I can see everything I've liked?
https://www.facebook.com/me/likes should do
Also, this shows all activity, in chronological order:
https://www.facebook.com/me/allactivity
https://www.facebook.com/me/allactivity
This talk describes what Facebook does to combat clickjacking: https://www.youtube.com/watch?v=0ih8TSXi3e4#t=12m29s
It's an interesting watch, and they probably stop a few people, but the description they give sounds very bypassable by seeding the links with a certain amount of "legit" clicks.
They pretty much punish websites that use clickjacking by forcing their users to validate the click with popups.
It's an interesting watch, and they probably stop a few people, but the description they give sounds very bypassable by seeding the links with a certain amount of "legit" clicks.
They pretty much punish websites that use clickjacking by forcing their users to validate the click with popups.
According to this http://stackoverflow.com/q/7328295/413180 there's no known way to prevent both Clickjacking and CSRF at the same time in a widget - unless you have an ugly popup asking the user to confirm the like.
Depending on the algorithm for "homepage news" on say Facebook. Having fake "likes" will result in your "news" being seen only by "fake" people or people that are not interested.
I once heard of an instance where the link redirected to a legit website for requests coming from Facebook's IP, and to a scam-type website from all other IPs.
opece.eu
This is an example of likejacking website. The text is in romanian and it's says it's donating an apartment via a contest if you fill that form.
The "Trimite" (Send) button is where the like jacking occurs.
This is an example of likejacking website. The text is in romanian and it's says it's donating an apartment via a contest if you fill that form.
The "Trimite" (Send) button is where the like jacking occurs.
installing extensions like NoScript, Privacy Badger, Ghostery might prevent the links from sneaking up
After doing some research I released that I had been clickjacked, which is when a website hides a certain button underneath another button so that when I click one thing, for example a play now button, I'm actually also clicking another button, like a Facebok like.
My question is: can Facebook and/or Google punish sites for things like this?
Aside from it being sleezy, why doesn't other sites do this?