There isn't a way of protecting against this attack, unless these buttons can't be embedded in web pages.

Well, that, or use Flash.

@taze There is a way. It's called NoScript. Does a terrific job of staying on top of issues like this.

Also, because of this example I went one step further and used AdBlock to block any iframe with a Facebook URL.

@general The Facebook button (at least in Firefox) doesn't change to the hand icon when hovering over the link. So, fail. I wouldn't click a link where the cursor didn't change. Mostly, because when it doesn't change I immediately become suspicious.

As someone who's lazy with AdBlock (subscribe, forget): Can you share that rule?

Hey. Sorry for a majorly delayed response. Looks like I have two rules for this. They might be able to be optimized into one, but I'm lazy too.



Edit: note that you need the 'Element Hiding Helper' that goes with Adblock Plus to do this. Then you can just use that to select the iframe on a site and add the rule through a nicer interface.

I meant what Facebook could do, not you personally.

Using Flash will only work if you can control what window mode the embed is set to. If wmode is set to opaque or transparent, compositing will be up to the browser.

