ClickJacking, You Know, Like Carjacking but with Clicks

by Scott Jangro on 21 January 2009

UPDATE 12:56 pm Feb 12, 2009: The “Don’t Click” thing going on at Twitter this very minute is exactly the exploit described in this post. Original post follows…

I came across this interesting post last week, and thought I’d do a screencast of it.

I just find it fascinating what sneaky stuff people can do on the Interwebs, and by studying them, we become a little smarter, and a little less likely to fall victim to these tricks.

Plus I was looking for a good subject for a screencast.

Clickjacking is a technique where a malicious web page tricks you into clicking on something you didn’t mean to click on: the page loads the target site in an invisible frame layered over a visible decoy, so a click on the decoy lands on the hidden page. In this example, it tricks someone into updating their Twitter account without their knowledge.

Check out the video (done with the totally amazing Screenflow software), and read up on it on James Podolsey’s blog.

If you use Firefox and want to block this sort of thing, grab the NoScript add-on.
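NoScript is the client-side fix; the site being targeted can also refuse to be framed at all, which stops the invisible-frame trick regardless of the visitor's browser add-ons. The following is an added example, not code from the original post or from the Twitter demo it describes: a small Node.js module that builds the anti-framing response headers for a hypothetical "update status" page and a checker that reports whether a given set of response headers prevents framing. The header names (X-Frame-Options, Content-Security-Policy frame-ancestors) are real browser mechanisms; the function names and sample header values are the example's own.

```javascript
// Added example (not from the original post): server-side anti-clickjacking
// headers and a checker that reports whether a response may be framed.
// Plain Node.js, no dependencies.

// Response headers that tell the browser not to render this page inside a
// frame on another origin. Both are sent because older browsers understand
// only X-Frame-Options, while newer ones prefer the CSP directive.
const ANTI_FRAMING_HEADERS = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'none'",
};

// Build the headers for a state-changing page (here: a hypothetical
// "update status" form), merging the anti-framing headers in.
function buildResponseHeaders(extra = {}) {
  return { 'Content-Type': 'text/html; charset=utf-8', ...ANTI_FRAMING_HEADERS, ...extra };
}

// Parse the frame-ancestors directive out of a CSP header value.
// Returns the list of source expressions, or null if the directive is absent.
function frameAncestors(cspValue) {
  const directive = cspValue
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (!directive) return null;
  return directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
}

// Decide whether a set of response headers stops the page from being framed
// by another site. Header names are matched case-insensitively, as in HTTP.
function framingProtection(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);

  const result = { protected: false, by: [] };

  // CSP: any frame-ancestors list that is not the wildcard restricts framing
  // ('none', 'self', or an explicit allow-list of origins).
  const sources = frameAncestors(h['content-security-policy'] || '');
  if (sources !== null && !sources.includes('*')) {
    result.protected = true;
    result.by.push('csp');
  }

  // Legacy header: DENY and SAMEORIGIN both block cross-site framing.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    result.protected = true;
    result.by.push('xfo');
  }
  return result;
}

// Constructed sample: a response with no anti-framing headers at all.
const unprotectedExample = framingProtection({ 'Content-Type': 'text/html' });
console.log('bare response protected?', unprotectedExample.protected);
console.log('hardened response:', framingProtection(buildResponseHeaders()));
```

Sending both headers is the practical choice: the checker treats either one as sufficient, which mirrors how browsers behave, but a page that sends only the CSP directive is still frameable in browsers that predate it.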


Twitter Clickjacking from Scott Jangro on Vimeo.

  • really great post...nice information..i like u man :)
  • Mark
    I think everyone needs to see this, so easily done.
    I wasn't that aware of it until now, thanks.

    Mark
  • Great post and valuable information. Thank you for writing this. I downloaded the FF plugin you recommended.
  • Thanks for bringing this up Scott.

    This article back in September on ZDnet is what scared me into using noscript

    Clickjacking: Researchers raise alert for scary new cross-browser exploit

    By far the most nefarious use is to get your banking info.

    Back in Sept all the browser makers were working on fixes but I haven't checked lately to see if any had come up with solutions. I think I read Adobe came up with protection against Clickjacking for Flash.

    NoScript is a pain at first and hard to get used to because it blocks too much of what we do online, like watching videos or anything Java. But if you feel you are on a safe site you just have to go to options > temporarily allow all, or allow only the component you need to use.

    Hope this helps and best of luck!
  • Strange, it's there for me now. Vimeo glitch?
  • OK, odd -- it is there now. I had to click the static permalink to it.
  • It says the video no longer exists; is it somewhere else? Please repost.
  • Cool post! very useful info!, i learn something new today!
  • Chris, the software is called Screencast.
  • Invisible iframes are definitely insidious, thanks for pointing this out. The screencast was good, quality-wise, so definitely keep them coming as you think of new topics.