Hacker News new | past | comments | ask | show | jobs | submit login

+1 simonw, for reference, I helped build the "twitter buttons". As simonw mentioned, any amount control/access a widget may have to a hosted page can be immediately blocked by just wrapping the entire thing in another iframe.

this post is a bit misleading in that it might suggest that the attack occurs "sans click". this particular attack minimizes the ability for the victim to notice the attack, but it is still using the same 'hide the button, make it follow your mouse, wait for a click' strategy.

As darklajid pointed out, we try to occupy as little space, and cause as little annoyance as we quietly sit in client pages.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact