Ask HN: Facebook clickjacking – is it detectable?
18 points by jl87 on Sept 14, 2015 | 22 comments
I went to a scammy clickbait website the other day and afterwards noticed that I "liked" them on Facebook.

After doing some research I realised that I had been clickjacked, which is when a website hides a certain button underneath another button so that when I click one thing, for example a "play now" button, I'm actually also clicking another button, like a Facebook like.

My question is: can Facebook and/or Google punish sites for things like this?

Aside from it being sleazy, why don't other sites do this?




It's possible to detect whether an element is visible using window.getComputedStyle(). Why don't Facebook do this? Because it's slow. And measures like this can cause problems on the page. They want their button integration to be fast and low impact, so they would rather handle a couple of abusers (which they're quite good at) than inconvenience a large number of sites.


'Because it's slow' doesn't seem to make much sense to me. Couldn't they register the click then do the check, allowing them to have the best of both worlds?


It's JavaScript, so the client pays for it. If you're on an already slow browser, you don't want to see it choke after you click on a button. So companies like Facebook ignore the problem on the client side, and solve it on the server side.


Couldn't an attacker override window.getComputedStyle() at runtime anyway?


Presumably Facebook would have CSP headers set on some of the scripts they load to prevent JavaScript on the page from interacting with their own scripts.


getComputedStyle() doesn't work across iframes.


The simplest way to avoid this (though it does require some guesswork on your part) is to always open those suspicious sites in incognito mode. If, when you click the button, it asks you to log into Facebook (don't), you would have been clickjacked.


A simpler way is to have a separate Chrome (or Firefox) profile for Facebook. I have an icon in my taskbar for Gmail and it simply opens up Chrome with that profile, which has Gmail set as homepage.

Not a perfect solution, but a good first line of defense nonetheless.


Facebook will, after a certain point, put up a captcha if they suspect clickjacking, and they do that incredibly fast!

It is probably a combination of user tracking and how many remove the like just after they see it on their own profile.
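One way the server-side signal this comment describes could be computed, as an added example (not code from the thread or from Facebook; the event format, thresholds and sample data are constructed assumptions):

```javascript
// Added example, not Facebook's code: a server-side heuristic that flags sites
// whose embedded likes are reverted by many users shortly after being made.
// The event shape { type, user, site, t } (t in seconds) is an assumption.

// Constructed sample events: 'scam.test' gets 6 likes, 5 reverted within minutes;
// 'legit.test' gets 6 likes, one quick revert and one a day later.
const EVENTS = [];
for (let i = 0; i < 6; i++) {
  EVENTS.push({ type: 'like', user: `u${i}`, site: 'scam.test', t: i * 10 });
  if (i < 5) EVENTS.push({ type: 'unlike', user: `u${i}`, site: 'scam.test', t: i * 10 + 120 });
  EVENTS.push({ type: 'like', user: `u${i}`, site: 'legit.test', t: i * 10 + 5 });
}
EVENTS.push({ type: 'unlike', user: 'u0', site: 'legit.test', t: 200 });   // quick revert
EVENTS.push({ type: 'unlike', user: 'u1', site: 'legit.test', t: 90000 }); // a day later, not "quick"

// Per-site counts of likes and of likes reverted within windowSeconds.
function revertStats(events, windowSeconds) {
  const pending = new Map(); // "user|site" -> time of the outstanding like
  const stats = new Map();   // site -> { likes, quickReverts }
  for (const e of [...events].sort((a, b) => a.t - b.t)) {
    const key = `${e.user}|${e.site}`;
    const s = stats.get(e.site) || { likes: 0, quickReverts: 0 };
    if (e.type === 'like') {
      s.likes += 1;
      pending.set(key, e.t);
    } else if (e.type === 'unlike' && pending.has(key)) {
      if (e.t - pending.get(key) <= windowSeconds) s.quickReverts += 1;
      pending.delete(key);
    }
    stats.set(e.site, s);
  }
  return stats;
}

// Flag sites with enough volume whose quick-revert rate exceeds the threshold.
// Thresholds are illustrative; a real system would tune them against history.
function suspiciousSites(events, { windowSeconds = 3600, minLikes = 5, maxRevertRate = 0.5 } = {}) {
  const flagged = [];
  for (const [site, s] of revertStats(events, windowSeconds)) {
    const rate = s.quickReverts / s.likes;
    if (s.likes >= minLikes && rate >= maxRevertRate) flagged.push({ site, ...s, rate });
  }
  return flagged.sort((a, b) => b.rate - a.rate);
}

console.log(suspiciousSites(EVENTS)); // flags scam.test only (5 of 6 likes quickly reverted)
```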


It won't happen if you aren't always logged in to Facebook. Log out from Facebook after you used it...


>after you used it

You clearly have a different Facebook use-case than a lot of people.


I'm special... ;)


Can you give me an example site which has that? Maybe we can build a Chrome app/extension for that.


Related question: is there a place in my Facebook profile where I can see everything I've liked?


Also, this shows all activity, in chronological order:

https://www.facebook.com/me/allactivity



This talk describes what Facebook does to combat clickjacking: https://www.youtube.com/watch?v=0ih8TSXi3e4#t=12m29s

It's an interesting watch, and they probably stop a few people, but the description they give sounds very bypassable by seeding the links with a certain amount of "legit" clicks.

They pretty much punish websites that use clickjacking by forcing their users to validate the click with popups.


According to this http://stackoverflow.com/q/7328295/413180 there's no known way to prevent both Clickjacking and CSRF at the same time in a widget - unless you have an ugly popup asking the user to confirm the like.


Depending on the algorithm for "homepage news" on, say, Facebook, having fake "likes" will result in your "news" being seen only by "fake" people or people who are not interested.


I once heard of an instance where the link redirected to a legit website for requests coming from Facebook's IP, and to a scam-type website from all other IPs.


opece.eu

This is an example of a likejacking website. The text is in Romanian and it says it's donating an apartment via a contest if you fill in that form.

The "Trimite" (Send) button is where the likejacking occurs.


Installing extensions like NoScript, Privacy Badger or Ghostery might prevent the links from sneaking up on you.



