Clickjacking

JavaScript security is a big business and for all of the right reasons. JavaScript lets us do incredible things on the front end, but some of those incredible things are for eval evil. Spyjax (sniffing a visitor's browsing history through the styling of :visited links) used to be one of those evil things, but browsers have since closed that hole. One technique I've seen lately is what I'll call clickjacking here: presenting a link as one URL and then swapping the URL at the last instant to trick the user. Strictly speaking, "clickjacking" usually means UI redressing, where a hidden or transparent frame is laid over a page so the victim clicks something other than what they see; the trick described below is better called link hijacking, but the effect on the user is the same: they end up somewhere they did not choose to go. Let me show you what I've seen.

When visiting CNBC, I would occasionally command+click a link to a post to open it in a new window, but Google Chrome would refuse via the popup blocker. That confused me: I'm triggering a "native" action, so why is the popup blocker hassling me? Because CNBC was being gangsta:

<a href="/some-url" onmousedown="this.href='/some-other-url';">Misleading Link Title</a>

The href was set to one URL, but JavaScript changed it to the "bad" address on mousedown, i.e. after the user had read the destination in the status bar and committed to the click, but before the browser actually navigated. Anything that never fires a mousedown, such as hovering to read the status bar or a crawler that does not execute the handler, sees only the original URL. This is an incredibly shady practice with only one possible purpose: gaming the user and possibly even search engines.
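As an added example (not code from the original post), here is a small static scanner that flags anchors whose inline mouse handlers rewrite the link target, the pattern shown above. The sample markup is constructed for this example, and the attribute tokenizer and the "href write" regex are my own simplifications: a real audit should walk a proper DOM rather than regex the markup.

```javascript
// Added example: a static scanner for the "mousedown href swap" pattern.
// Not code from the original post. The sample markup below is constructed
// for illustration; the tag/attribute tokenizer is deliberately simple and
// assumes attribute values do not contain a literal '>'.

// Inline handlers that fire between the user reading the status bar and the
// navigation actually starting (right-click also fires mousedown, so
// "copy link address" sees the swapped URL too).
const SUSPECT_HANDLERS = [
  'onmousedown', 'onmouseup', 'onpointerdown', 'onclick', 'onauxclick', 'oncontextmenu',
];

// A write to href: `this.href = ...` or `setAttribute('href', ...)`.
// The negative lookahead keeps comparisons such as `this.href == '/x'` from matching.
const HREF_WRITE = /\bhref\s*=(?!=)|setAttribute\s*\(\s*['"]href['"]/i;

// Constructed sample: one honestly tracked link, two href swaps, one plain link.
const SAMPLE_HTML = `
<a href="/honest" onclick="track('honest')">Honest link</a>
<a href="/some-url" onmousedown="this.href='/some-other-url';">Misleading Link Title</a>
<a href="/article" onmouseup="this.setAttribute('href', '/redirect?to=article')">Article</a>
<a href="/plain">Plain link</a>
`;

// Parse the attribute list of a single start tag into a lowercase-keyed map.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([^\s=\/"'>]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    let value = '';
    if (m[2] !== undefined) value = m[2];
    else if (m[3] !== undefined) value = m[3];
    else if (m[4] !== undefined) value = m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return one finding per (anchor, handler) pair where the handler rewrites href.
function findHrefSwaps(html) {
  const findings = [];
  const anchorRe = /<a\s+([^>]*)>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    for (const handler of SUSPECT_HANDLERS) {
      const code = attrs[handler];
      if (code && HREF_WRITE.test(code)) {
        findings.push({ href: attrs.href || '', handler, code });
      }
    }
  }
  return findings;
}

// Human-readable report, one line per finding.
function report(html) {
  return findHrefSwaps(html).map(
    (f) => `href="${f.href}" is rewritten in ${f.handler}: ${f.code}`
  );
}

console.log(report(SAMPLE_HTML).join('\n'));
```

Two caveats for anyone running this against a real page: handlers attached with addEventListener live in script files, not in the markup, so a static scan like this only catches the inline form; in a browser you would instead iterate document.links, compare each anchor's href before and after dispatching a synthetic mousedown, and revert any change. If you genuinely need to know which links were clicked, the honest tools are the anchor ping attribute or navigator.sendBeacon() from a click handler that leaves href alone.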

It's impressive that Chrome's popup blocker caught CNBC's swap and blocked the click. Clickjacking could become a serious issue, and I've lost a lot of trust in CNBC. If you're participating in this practice, it may be best to stop: the browsers are on to you.

Discussion

  1. Couldn’t agree more Dave, there are numerous other “methods” if the site owner wanted to utilise some form of redirect – this is insidious at best! One wonders what it would do to the ranking of a page once Google starts investigating the validity of these “links” – even CNBC might not be safe from some finger wagging by the Search Engines…

  2. MzJS

    Well, Google does this on the search results themselves, so does that count? It is especially annoying if you want to copy a search result via “copy link address” or similar. Same for OneDrive.

  3. Matt

    It seems even more shocking that you had any trust in CNBC. Not surprised.

    • “more shocking”…”not surprised”….I’m lost on what you’re trying to say.

    • Eliseu

      lol

  4. I’ve not seen it knowingly done by a site owner. But I have been spending the past few nights rebuilding my Dad’s Windows PC, remotely because it was riddled with Adware and Malware which was Clickjacking links all over the place.
    Even going to Microsoft OneDrive to install it to back his documents up was an ordeal. 75% of the time the link to “download” got clickjacked, and sent me off to a half convincing looking facsimile of the OneDrive download site.
    This happened to almost any “call to action” on any site, and was affecting Chrome and IE (his PC was so slow, I had no patience to download any other browsers for testing)

    It’s a worrying thing, that I hope browser vendors have a plan for, as my Dad was falling for them every time.

  5. MaxArt

    Sneaky scoundrels! o_O
    And this is from CNBC, not some wAre2 site… Oh, come on! D:
    I wonder if Chrome would be able to catch it if the action was done on mouseover rather than mousedown.

  6. Fredrik

    It is really annoying that so many sites require JS to work. I can understand that it would be nice to have some JS to enable slideshows or whatever, but JS to even read plain text? Come on!

  7. I’ve seen something similar at work this week from [popular company in my industry] and it’s frustrating to see how intrusive web advertisements can be. We should want to put creativity into what we do, but not to the point that we try to outsmart security features and search engines which already suppress virtually similar behaviors. I’m an enterprise dev, and the most successful argument I’ve ever used to not do something like this is “X browser prevents this because Y”. Where I work, every feature I make already has the requirement of needing to work in all of the browsers we support, so this argument is usually sufficient.

  8. Never trust the Big Green Download button! Look for a tiny little invisible download link that is impossible to find!