ClickJacking, You Know, Like Carjacking but with Clicks

posted by jangro on (3 years ago)

UPDATE 12:56 pm Feb 12, 2009: The "Don't Click" thing going on at Twitter this very minute is exactly the exploit described in this post. Original post follows...

I came across this interesting post last week, and thought I'd do a screencast of it.

I just find it fascinating what sneaky stuff people can do on the Interwebs, and by studying them, we become a little smarter, and a little less likely to fall victim to these tricks.

Plus I was looking for a good subject for a screencast.

Clickjacking is a technique where a web developer can trick you into clicking on something that you don't mean to click on. In this example, it tricks someone into updating their Twitter account without their knowledge.

Check out the video (done with the totally amazing Screenflow software), and read up on it on James Podolsey's blog.

If you use Firefox and want to block this sort of thing, grab the NoScript addon.
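NoScript protects the visitor's browser; the site being framed can also protect itself by telling browsers who is allowed to embed it. The following is an added example, not code from the original post or from Twitter: a small Node.js script that builds the anti-framing response headers a site should send (the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive) and a simplified model of how a browser evaluates them, so a header set can be checked before it is deployed. The origins twitter.example, evil.example and partner.example are constructed placeholders.

```javascript
// Added example (not from the original post). A site defends against the
// invisible-iframe trick shown in the screencast by sending headers that
// restrict which pages may frame it. Browsers that understand CSP use the
// frame-ancestors directive and ignore X-Frame-Options when both are present;
// older browsers fall back to X-Frame-Options.

// Build the response headers for a page that must not be framed by other
// sites. `allowedAncestors` lists origins permitted to embed the page; an
// empty list means nobody may frame it.
function antiClickjackHeaders(allowedAncestors = []) {
  if (allowedAncestors.length === 0) {
    return {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'none'",
    };
  }
  return {
    // X-Frame-Options cannot express an arbitrary allow-list; SAMEORIGIN is
    // the closest fallback for browsers that do not understand CSP.
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy":
      "frame-ancestors 'self' " + allowedAncestors.join(" "),
  };
}

// Simplified model of the browser's decision: may a page served with
// `headers` from `pageOrigin` render inside a frame owned by
// `ancestorOrigin`? Mirrors the rule that frame-ancestors takes precedence
// over X-Frame-Options. (Constructed model: real browsers also handle
// scheme/host wildcards and ports, which are omitted here.)
function isFramingAllowed(headers, pageOrigin, ancestorOrigin) {
  const csp = headers["Content-Security-Policy"] || "";
  const match = /frame-ancestors\s+([^;]+)/i.exec(csp);
  if (match) {
    const sources = match[1].trim().split(/\s+/);
    for (const src of sources) {
      const s = src.replace(/^'|'$/g, "").toLowerCase();
      if (s === "none") return false;
      if (s === "*") return true;
      if (s === "self" && ancestorOrigin === pageOrigin) return true;
      if (s === ancestorOrigin.toLowerCase()) return true;
    }
    return false;
  }
  const xfo = (headers["X-Frame-Options"] || "").toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return ancestorOrigin === pageOrigin;
  // No anti-framing header at all: the page can be loaded in a hidden iframe
  // on any site, which is exactly what the Twitter demo relies on.
  return true;
}

// Constructed scenario: the victim site and an attacker's page.
function demo() {
  const victim = "https://twitter.example";
  const attacker = "https://evil.example";
  console.log("no headers, framed by attacker:",
    isFramingAllowed({}, victim, attacker)); // true: vulnerable
  console.log("DENY / 'none', framed by attacker:",
    isFramingAllowed(antiClickjackHeaders(), victim, attacker)); // false
  console.log("allow-list, framed by partner:",
    isFramingAllowed(antiClickjackHeaders(["https://partner.example"]),
      victim, "https://partner.example")); // true
}

demo();
```

The first call shows the unprotected state the screencast exploits: with no header at all, any site can load the page in a hidden frame. The allow-list form is the one to use when a page genuinely needs to be embedded by a known partner; everything else should send the DENY / 'none' pair.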


Twitter Clickjacking from Scott Jangro on Vimeo.

Comments & Reactions

  • Posted by Jeremy Palmer 3 years ago

    Pretty sneaky! I'm going to download noscript right now.

  • Posted by Shiner 3 years ago

    Nicely created article to highlight the problem.

    I'll be sending people to watch your video rather than explain until I'm blue in the face...

    I know you're on a 'mac', but I'd be interested in finding out what you created that video with...

    Many thanks,

    Chris

  • Posted by ChipGherghescu 3 years ago

    @quityourdayjob thanks for sharing this Jeremy, I got it on facebook, by the way I'm working on a testimonial for you. Cheers!

  • Posted by Jeremiah Grossman 3 years ago

    Cool explanation and thanks for spreading the word. The original clickjacking video demo (http://jeremiahgrossman.blogspot.com/2008/10/clickjacking-web-pages-can-see-and-hear.html) shows how to hijack someone's webcam and mic. fun fun!

    Posted by Scott Jangro 3 years ago

    I didn't even know you did that Jeremiah, else I would have certainly given you credit for that. Thanks for the comment.

    Posted by Jeremiah Grossman 3 years ago

    Oh no problem. The message is more important than the messenger.

  • Posted by Daniel M. Clark 3 years ago

    Invisible iframes are definitely insidious, thanks for pointing this out. The screencast was good, quality-wise, so definitely keep them coming as you think of new topics.

    Posted by Scott Jangro 3 years ago

    Thanks Daniel!

  • Posted by Scott Jangro 3 years ago

    Chris, the software is called Screencast.

  • Posted by web_hosting_guy 3 years ago

    Cool post! Very useful info, I learned something new today!

  • Posted by Linda Buquet 3 years ago

    Thanks for bringing this up Scott.

    This article back in September on ZDnet is what scared me into using noscript

    Clickjacking: Researchers raise alert for scary new cross-browser exploit (http://blogs.zdnet.com/security/?p=1972)

    By far the most nefarious use is to get your banking info.

    Back in Sept all the browser makers were working on fixes but I haven't checked lately to see if any had come up with solutions. I think I read Adobe came up with protection against Clickjacking for Flash.

    Noscript is a pain at 1st and hard to get used to because it blocks too much of what we do online, like watching videos or anything Java. But if you feel you are on a safe site you just have to go to options > temporarily allow all, or allow only the component you need to use.

    Hope this helps and best of luck!

  • Posted by » ClickJacking - ideas for this sneaky hack (Twitter, etc) - By Steve Poland - web startup ideas and brainstorms, straight up! (formerly Techquila Shots) 3 years ago

    [...] “like carjacking, but with clicks.” Scott has a great post with a screencast that shows how ClickJacking works. Thanks to @esnagel for making me aware his [...]

  • Posted by Steve Poland 3 years ago

    It says the video no longer exists; is it somewhere else? Please repost.

  • Posted by Steve Poland 3 years ago

    OK, odd -- it is there now. I had to click the static permalink to it.

  • Posted by Scott Jangro 3 years ago

    Strange, it's there for me now. Vimeo glitch?

  • Posted by Mike Allen 3 years ago

    Great post and valuable information. Thank you for writing this. I downloaded the FF plugin you recommended.

  • Posted by Mark 3 years ago

    I think everyone needs to see this, so easily done. I wasn't that aware of it until now, thanks.

    Mark (http://paintersandddecoratorsinaberdeen.co.uk)

