
Ask HN: Facebook clickjacking – is it detectable? - jl87
I went to a scammy clickbait website the other day and afterwards noticed that I "liked" them on Facebook.

After doing some research I realised that I had been clickjacked, which is when a website hides a certain button underneath another button so that when I click one thing, for example a "play now" button, I'm actually also clicking another button, like a Facebook like.

My question is: can Facebook and/or Google punish sites for things like this?

Aside from it being sleazy, why don't other sites do this?
======
socket0
It's possible to detect whether an element is visible using
window.getComputedStyle(). Why don't Facebook do this? Because it's slow. And
measures like this can cause problems on the page. They want their button
integration to be fast and low impact, so they would rather handle a couple of
abusers (which they're quite good at) than inconvenience a large number of
sites.
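
An added example, not code from the thread or from Facebook, of the kind of client-side visibility check socket0 mentions: the widget walks the computed styles of its button and its ancestors and treats a click on a hidden button as one that needs confirmation rather than one to record. The decision logic takes plain style objects so it runs in Node on constructed samples; the property names read, the 0.1 opacity threshold and the `record`/`confirm` outcomes are assumptions.

```javascript
'use strict';

// Assumption: below this opacity the button is treated as hidden from the user.
const OPACITY_THRESHOLD = 0.1;

// Does one computed style make the element invisible (while it may still
// receive clicks)? `style` only needs the handful of properties read here,
// so a plain object works in tests and a real CSSStyleDeclaration in a browser.
function styleHidesElement(style) {
  if (style.display === 'none' || style.visibility === 'hidden') return true;
  const opacity = parseFloat(style.opacity);
  if (!Number.isNaN(opacity) && opacity < OPACITY_THRESHOLD) return true;
  // Legacy trick: clip the element down to a zero-sized rectangle.
  if (/^rect\(\s*0px[, ]+0px[, ]+0px[, ]+0px\s*\)$/.test(style.clip || '')) return true;
  return false;
}

// `chain` holds the computed style of the button first, then each ancestor up
// to the document root. Opacity and visibility are inherited by descendants, so
// a transparent ancestor hides the button just as well as its own style does.
// Returns the index of the first hiding style, or -1 if the button is visible.
function firstHidingAncestor(chain) {
  for (let i = 0; i < chain.length; i++) {
    if (styleHidesElement(chain[i])) return i;
  }
  return -1;
}

// Widget policy (assumed): a click on a visible button is recorded as-is; a
// click on a hidden one is not recorded and is routed to a confirmation step.
function decideClick(chain) {
  return firstHidingAncestor(chain) === -1 ? 'record' : 'confirm';
}

// Browser-only helpers (never called under Node): build the style chain with
// window.getComputedStyle(), which is the call socket0 refers to.
function styleChainOf(element) {
  const chain = [];
  for (let el = element; el; el = el.parentElement) {
    chain.push(window.getComputedStyle(el));
  }
  return chain;
}

// True when the widget is running inside a frame; cross-origin parents throw
// on most accesses, but comparing window.top to window.self is permitted.
function isFramed() {
  try { return window.top !== window.self; } catch (e) { return true; }
}

// Constructed sample: a like button nested in an overlay that a page has made
// fully transparent and positioned over its own "Play now" button.
const SAMPLE_HIDDEN_CHAIN = [
  { display: 'inline-block', visibility: 'visible', opacity: '1', clip: 'auto' }, // the button itself
  { display: 'block', visibility: 'visible', opacity: '0', clip: 'auto' },        // transparent overlay div
  { display: 'block', visibility: 'visible', opacity: '1', clip: 'auto' },        // body
];

// Same structure with the overlay left opaque: a legitimate embed.
const SAMPLE_VISIBLE_CHAIN = SAMPLE_HIDDEN_CHAIN.map((s) => ({ ...s, opacity: '1' }));

if (typeof window === 'undefined') {
  console.log('hidden sample  ->', decideClick(SAMPLE_HIDDEN_CHAIN));  // confirm
  console.log('visible sample ->', decideClick(SAMPLE_VISIBLE_CHAIN)); // record
}
```

The caveat a practitioner would want: a widget served in a cross-origin iframe can only read computed styles inside its own document. Opacity, clipping or off-screen positioning applied by the host page to the `<iframe>` element itself, which is the usual likejacking setup, is not visible from inside the frame at all, so this check catches only styling the embedding page can inject into the widget's own DOM. That limitation, more than the cost socket0 mentions, is why the practical defences are server-side heuristics or a confirmation step that is served top-level and refuses to be framed.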

~~~
mattmanser
'Because it's slow' doesn't seem to make much sense to me. Couldn't they
register the click then do the check, allowing them to have the best of both
worlds?

~~~
socket0
It's JavaScript, so the client pays for it. If you're on an already slow
browser, you don't want to see it choke after you click on a button. So
companies like Facebook ignore the problem on the client side, and solve it on
the server side.

------
jbombadil
The simplest way to avoid this (though it does require some guesswork on your
part) is to always open those suspicious sites with incognito mode. If when
you click the button it asks you to log into facebook (don't) you would have
been clickjacked.

~~~
madawan
A simpler way is to have a separate Chrome (or Firefox) profile for Facebook.
I have an icon in my taskbar for Gmail and it simply opens up Chrome with that
profile, which has Gmail set as homepage.

Not a perfect solution, but a good first line of defense nonetheless.

------
kevinsimper
Facebook will after a certain point put up a captcha if they suspect
clickjacking, and they do that incredibly fast!

It is probably a combination of user tracking and how many remove the like
just after they see it on their own profile.

------
picibucor
It won't happen if you aren't always logged in to Facebook. Log out from
Facebook after you used it...

~~~
7Z7
>after you used it

You clearly have a different Facebook use-case than a lot of people.

~~~
picibucor
I'm special... ;)

------
itsbits
Can you give me an example site which has that? Maybe we can build a Chrome
app/extension for that.

------
monochromatic
Related question: is there a place in my Facebook profile where I can see
everything I've liked?

~~~
smackfu
Also, this shows all activity, in chronological order:

[https://www.facebook.com/me/allactivity](https://www.facebook.com/me/allactivity)

------
Eridrus
This talk describes what Facebook does to combat clickjacking:
[https://www.youtube.com/watch?v=0ih8TSXi3e4#t=12m29s](https://www.youtube.com/watch?v=0ih8TSXi3e4#t=12m29s)

It's an interesting watch, and they probably stop a few people, but the
description they give sounds very bypassable by seeding the links with a
certain amount of "legit" clicks.

They pretty much punish websites that use clickjacking by forcing their users
to validate the click with popups.

------
timewarp256
According to this
[http://stackoverflow.com/q/7328295/413180](http://stackoverflow.com/q/7328295/413180)
there's no known way to prevent both Clickjacking and CSRF at the same time in
a widget - unless you have an ugly popup asking the user to confirm the like.

------
z3t4
Depending on the algorithm for "homepage news" on, say, Facebook, having fake
"likes" will result in your "news" being seen only by "fake" people or people
that are not interested.

------
dacohenii
I once heard of an instance where the link redirected to a legit website for
requests coming from Facebook's IP, and to a scam-type website from all other
IPs.

------
cosmeen
opece.eu

This is an example of a likejacking website. The text is in Romanian and it
says it's donating an apartment via a contest if you fill in that form.

The "Trimite" (Send) button is where the likejacking occurs.

------
ljk
Installing extensions like NoScript, Privacy Badger or Ghostery might prevent
the likes from sneaking up on you.

