
Cursor:none abuse (trick users into clicking Facebook 'like') - jackshepherd
http://jack-shepherd.co.uk/experiments/Fake-Mouse-Cursor/
======
duopixel
A much more straightforward abuse would be pointer-events: none. Just position
an element over the 'like' button and let clicks pass through it:
<http://jsfiddle.net/rVxTn/>

~~~
jackshepherd
Wow - that is quite amazing. I wonder if that's in use in the wild yet.

Edit: It seems like this is a largely solved problem for Facebook:
[http://forum.developers.facebook.net/viewtopic.php?id=93201&...](http://forum.developers.facebook.net/viewtopic.php?id=93201&p=1)

Could definitely still be a problem for other social/ad/affiliate networks
though.

~~~
elisee
A similar click-jacking trick is used a lot for spreading videos like worms on
Facebook, at least in French. Videos with baiting titles like "How could she
do that?", "I can't believe she did this in front of everyone" and such.

Most people will click just to see what it might be and not miss out. Then the
video player says you have to click on some letters to prove you're not a
robot (clever trick, people don't think much of it because it reminds them of
CAPTCHAs)

The letters actually have Facebook Like button iframes on them with opacity
set to 0. I edited the opacity on one of them with the Chrome Dev tools:

<http://polyprograms.free.fr/tmp/FacebookLikeClickJacking.jpg>

Unknowingly liking the video will create a story in your friends' feeds, who
will in turn click to see and spread it to their friends. No real harm is done
except for the spam and all the ad views generated.
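
The tricks described in this sub-thread and in the linked demo (a hidden real cursor, a `pointer-events: none` cover, and a Like iframe with opacity 0) can be checked for mechanically. The following is an added example, not part of any comment here or of the linked demo; the record shape, the function name and all sample values are assumptions, with each record standing in for what a browser extension would read from the DOM.

```javascript
// Added example. Each record holds what a content script would read for one
// element via getComputedStyle() and getBoundingClientRect(); zIndex is assumed
// to be already resolved to a number. All sample values are constructed.
const rect = (left, top, w, h) => ({ left, top, right: left + w, bottom: top + h });
const overlaps = (a, b) =>
  a.left < b.right && b.left < a.right && a.top < b.bottom && b.top < a.bottom;

function auditForClickjacking(elements, pageOrigin) {
  const findings = [];
  // Only third-party frames matter: a relative or same-origin src is the page's own.
  const frames = elements.filter(
    (e) => e.tag === 'iframe' && new URL(e.src, pageOrigin).origin !== pageOrigin);
  for (const frame of frames) {
    const near = elements.filter((e) => e !== frame && overlaps(e.rect, frame.rect));
    // Transparent widget that still receives clicks (opacity set to 0).
    if (frame.opacity < 0.1) findings.push({ frame: frame.id, issue: 'invisible-frame' });
    // Opaque decoy stacked above the widget that lets clicks pass through.
    const cover = near.find(
      (e) => e.pointerEvents === 'none' && e.zIndex > frame.zIndex && e.opacity > 0.9);
    if (cover) findings.push({ frame: frame.id, issue: 'click-through-cover', by: cover.id });
    // Real cursor hidden around the widget, so a drawn cursor can mislead.
    const hider = near.find((e) => e.cursor === 'none');
    if (hider) findings.push({ frame: frame.id, issue: 'hidden-cursor', by: hider.id });
  }
  return findings;
}

const base = { cursor: 'auto', pointerEvents: 'auto', opacity: 1, zIndex: 0 };
const samplePage = [
  { ...base, id: 'stage', tag: 'div', cursor: 'none', rect: rect(0, 0, 300, 300) },
  { ...base, id: 'like-1', tag: 'iframe', src: 'https://widgets.example.net/like',
    opacity: 0, zIndex: 5, rect: rect(100, 100, 50, 20) },
  { ...base, id: 'like-2', tag: 'iframe', src: 'https://widgets.example.net/like',
    zIndex: 1, rect: rect(400, 300, 50, 20) },
  { ...base, id: 'play-cover', tag: 'div', pointerEvents: 'none', zIndex: 10,
    rect: rect(390, 290, 70, 40) },
  { ...base, id: 'help', tag: 'iframe', src: '/help', opacity: 0, rect: rect(600, 600, 50, 20) },
];

const report = auditForClickjacking(samplePage, 'https://site.example');
console.log(report);
```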

------
Zirro
It should be noted that the NoScript add-on for Firefox prevents this from
working through its Clickjacking-protection (and possibly a couple of more,
cursor-specific tricks). People need to know that it does more than block
JavaScript.

~~~
joelhaasnoot
What website is useable these days though without Javascript?

~~~
Zirro
Few of the popular ones, but there may be some misconception here. NoScript
isn't meant to be blocking JavaScript for all sites. If you trust a site,
which doesn't function without JavaScript, adding it to the whitelist is one
click away. You get used to it quickly.

And, even in the mode where JavaScript is allowed by default on new sites, the
other protections (Clickjacking, XSS, ABE, etc) still apply.

~~~
moe
It's a little bit like the cookie-situation back when the internets were still
young.

Many people (including myself) would swear by leaving the cookie notification
on and confirming every. single. one. of. them.

That has long stopped being feasible and I assume it will be the same with
NoScript in a few years.

~~~
timmy-turner
Isn't this the fault of a bad UI mixed with bad defaults? I'm using the
Cookieculler FF addon (<https://addons.mozilla.org/en-US/firefox/addon/cookieculler/>)
to manage them. Instead of torturing me with
a modal popup for every new site I visit, it keeps a list of hosts and cookies
and trust status in the background. Using that list to protect important but
delete/block all other cookies is quite convenient.

------
epochwolf
Interesting. Chrome's "Under the Hood > Content Settings > Mouse Cursor"
setting doesn't affect this. I would have thought it would prevent this.

Also, stuff like this is why we can't have nice things in browsers. You can't
trust the internet.

~~~
ben0x539
Given what we've been seeing with attack sites, whether shock sites trying to
just DoS the browser or silly tricks like making the browser POST to an irc
server's irc port to spread the malicious URL, or just terrible ads and
tracking that actively slow down the browser and ruin the surfing experience,
I'm amazed that not more people see javascript as a built-in remote code
execution vulnerability that only gains more and more features over time,
sandbox or not. :)

Javascript makes a lot of cool stuff possible, but outside of some heavy-weight
web applications that I have to trust anyway like my webmail interface
or online storage manager, or games where the interactive components are the
only reason why I'm visiting the site to begin with, I'm starting to wonder
whether trusting the internet is not inviting more trouble than it's worth.

Maybe I'm "old-fashioned" but I'd love to go back to all the sites I visit
functioning with just static web content, no clientside scripting at all, and
letting me consume videos and stuff in a trusted media player plugin.

~~~
cs702
By default I have JavaScript blocked on all sites, allowing it only as needed,
case by case, because JavaScript _is_ a remote-code-execution vulnerability of
modern browsers.

More and more of the applications we use and our private data live in the
cloud. We now access our personal files, manage our bank and investment
accounts, and make retail purchases on our web browser.

Browsing the web with JavaScript enabled by default allows code written by
complete strangers to run on your browser!

~~~
driverdan
This shows a general lack of knowledge about how JS and websites work. I can't
just run JS on my site that will steal your bank info. Browsers have cross
domain security policies to prevent this.

There have been various vulnerabilities (especially in IE) but just like any
other software they get fixed.

~~~
cs702
driverdan -- by your logic, it would be OK to give perfect strangers
remote-shell access to one's computer, so long as one takes all the precautions
necessary to protect sensitive files and prevent them from gaining root
access.

Leave aside the various vulnerabilities (including cross-site-scripting ones!)
that get discovered with disturbing frequency, and please consider the subject
of this thread: it's possible to make someone click a "Like" button without
their realizing it! How many other similar tricks can JavaScript be used for
by people with nefarious intentions?

No matter how "safe" any runtime environment is, allowing strangers to execute
arbitrary code on your computer is never a great idea.

This is why I allow JavaScript code to run on my browser only when it comes
from sources I trust.

------
chc
For everyone talking about JavaScript: As far as I can tell, this is
fundamentally a CSS vulnerability. Something quite similar ought to be
possible without JavaScript — it would just be a bit less elegant. For
example, you could just make a pixel grid of divs to simulate mousemove events
and position the fake cursor with CSS hover styles.

~~~
jonny_eh
Sounds plausible (and I'd love to see an example!), but would hardly be worth
the effort if JS would catch 99% of the victims.

------
RandallBrown
I love it. It seems to work fine in Firefox, although the real cursor starts
flashing when it's above the Like button.

~~~
jackshepherd
That's because there's a transparent DIV above the Facebook iFrame, cycling
on/off every few milliseconds. This is required to maintain the fake cursor's
position (without it when the real cursor was over the iFrame the 'fake'
cursor would stop moving).

------
pnewhook
This is brilliant, but now it's only a matter of time until it's in actual
use. Sort of like how evercookie was a clever hack meant to call attention to
privacy concerns, then was put into actual production sites.

~~~
Zirro
Do you have any examples of sites/companies that put the techniques into use
as a direct result of Evercookie exposing them?

EDIT: Why am I being downvoted for this question? I am seriously interested,
so that I can avoid contact with them.

~~~
jackshepherd
I'm not sure if you can say that it's a direct result of Evercookie, but a
number of high profile sites use this kind of tech - for example
KissMetrics.com is used by a number of big companies, and they use ETAG
cookies, Flash cookies - the lot.

~~~
hornbaker
And KissMetrics and their customers caught heat from it:
[http://www.extremetech.com/internet/91966-aol-spotify-gigaom...](http://www.extremetech.com/internet/91966-aol-spotify-gigaom-etsy-kissmetrics-sued-over-undeletable-tracking-cookies)

------
superchink
Odd effect. I see two mouse cursors (Mac OS X 10.7.3 + Chrome Dev Channel).

~~~
rplnt
Same in Opera. I'd say it's not supported as it is quite malicious. Another
example that comes to mind is changing the content of clipboard when a user
copies something.
[http://en.wikipedia.org/wiki/DOM_events#Microsoft-specific_e...](http://en.wikipedia.org/wiki/DOM_events#Microsoft-specific_events)

------
EmmanuelOga
Speaking about prevention (for the specific case of the like button), I have
privoxy (1) setup to disable fb plugins with rules like these:

{+block{Facebook "like" and similar tracking URLs.}}
www.facebook.com/(extern|plugins)/(login_status|like(box)?|activity|fan)\.php

{+block{Stupid facebook xd_proxy.php.}}
<http://static.ak.fbcdn.net/connect/xd_proxy.php.*>

The second one also removes an annoyance I see from time to time when I bypass
the proxy which makes the page request again and again that xd_proxy.php file.

If I really want to like something, I disable the proxy and reload the page. I
use Proxy SwitchySharp (2) for chrome to do the setup for me in pages I visit
often.

1: <http://www.privoxy.org/>

2: [https://chrome.google.com/webstore/detail/dpplabbmogkhghncfb...](https://chrome.google.com/webstore/detail/dpplabbmogkhghncfbfdeeokoefdjegm)

------
mkopinsky
I tried clicking "Fork me on github" but couldn't because I couldn't position
the real mouse pointer in the right place.

------
jusob
I guess I should use this as an opportunity to remind people of the "Zscaler
Likejacking Prevention" plugin for Firefox/Chrome/Safari/Opera (check the
corresponding add-on stores). I use the setting "Request confirmation for all
Facebook widgets" so that it asked me for confirmation before sending the Like
request.

------
ck2
Good luck faking my inverted extra large windows cursor.

~~~
chrisacky
And I browse without JavaScript, so the CSS style that hid the cursor actually
meant I didn't see any cursor whatsoever.

~~~
SquareWheel
Out of curiosity, aren't 90% of websites broken for you?

~~~
chrisacky
Yes and no. While I browse with JavaScript disabled, I have a whitelist. Chrome
v8 has a feature which allows you to prevent execution of scripts from a
particular domain.

I've blacklisted all ad networks from executing any JavaScript but I maintain
a strict whitelist which means that sites such as Facebook, Google, and any
site which I browse and immediately see is broken is added to my whitelist.

When I browse a page, I can have conditional execution of the JS code, meaning
that JS from 3 domains will run, but the 9 tracking JS code from all the ad
networks won't run.

It's like the best of all worlds. Adnetworks can't fingerprint me, and they
have to rely on cookies, plus my browsing is a hell of a lot faster because I
don't have all the unnecessary JS downloading and running.

~~~
SquareWheel
I see, thanks for the great explanation.

I admit the thought that some users aren't using JS concerns me because, while
I try and always build sites with a fallback, it generally results in a lesser
experience. Often fallbacks just aren't possible so I need to remove the
feature altogether.

I bet there's a lot of sites that still work for you, but not quite as well as
if JS were enabled.

~~~
chrisacky
Don't worry about users like me.

Make your content load, but anything above that, users are on their own if
they decide not to enable JavaScript.

In this age, with all of the rich user applications, JS is practically a
requirement.

For my startup, the frontend gracefully falls back to a working version for
users.

For the backend, they get a black screen saying JS is required. If users are
going to use my application, they should expect to have JS enabled for the
best possible user experience.

Don't worry about it is the upshot!

------
TheMiddleMan
I forked this to use a different exploit which takes advantage of
pointer-events: none.

<https://github.com/Rob-ot/Fake-Mouse-Cursor>

------
smackfu
Cursor:none makes it cleaner, but it's not necessary. You could use a lighter
cursor like cursor:crosshair or cursor:text along with the fake cursor, and I
bet most people will still click using the fake one.

In fact, even if you can't change the cursor at all, you could easily create a
swarm of fake cursors that would frustrate the hell out of the user.

------
justindocanto
I have some input on your todo list:

If you give an id (or class) to your p tag that contains the links you said
you wanted to make easier to click, then you could use css and easily add a
:hover state. Then on the hover state just make the cursor normal so it's
easier to click those links. Upon mouseout the cursor will go back to
'normal'. =)

~~~
jackshepherd
Thanks for that :) I was thinking of perhaps creating an invisible target for
them with the same offset as the FB like/button, so that they could be clicked
with the 'fake' cursor to enhance the effect!

------
cocoflunchy
I don't think I'm getting the desired result... my cursor disappears, and
all I see is a static one in the top left corner above a cropped "Like" button
(in French though, that may be the problem). See here:
<http://imageshack.us/f/836/28545472.jpg/>

------
natmaster
In Firefox, the cursor flashes above the like button. Still easy to miss, but
certainly not as bad as it seems Chrome is.

~~~
sikmajnd
and not to mention the lag when going over "clicky" button in ff

------
drucken
I have NoScript 2.3.1 in Firefox with the default settings, including
Clearclick protection. I have no Facebook account and no scripting is enabled
for this site, including JQuery.

The site is still able to disable my mouse over most of the screen.

Am I the only one?

------
Maro
I use Ghostery to wipe out Facebook showing up elsewhere on the Internet.

<http://www.ghostery.com>

~~~
dybber
Alternative using Adblock: <http://adversity.uk.to/>

------
downandout
Is this news? Likejacking has been around for well over a year. Google it.

------
AznHisoka
Nice, can I use this to trick people into clicking an affiliate link instead?

