Clickjacking


JavaScript security is a big business and for all of the right reasons.  JavaScript lets us do incredible things on the front end but some of those incredible things are for eval evil.  Spyjax used to be one of those evil things but browsers seem to have figured that out.  One technique I've seen lately is clickjacking -- presenting a link as one URL but then changing the URL quickly to trick the user.  Let me show you what I've seen.

When visiting CNBC, I would occasionally command+click a link to a post to open it in a new window, but Google Chrome would refuse via the popup blocker.  That confused me -- I'm triggering a "native" action, why is the popup blocker hassling me?  Because CNBC was being gangsta:

<a href="/some-url" onmousedown="this.href='/some-other-url';">Misleading Link Title</a>

The href was set to one URL, but JavaScript dynamically changed the href to the "bad" address upon mousedown, thus changing the destination before the user knew it.  This is an incredibly shady practice with only one possible purpose: gaming the user and possibly even search engines.
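As an added example (not code from the original post), here is a small triage scanner for saved page source that flags anchors whose inline mouse or focus handlers rewrite href, the pattern shown above. It is regex-based for quick inspection rather than a full HTML parser, and the handler-attribute list and the sample HTML below are constructed assumptions.

```javascript
// Inline handler attributes that can fire before a click completes and so
// could be used to swap href (list is an assumption for this example).
const SWAP_HANDLERS = ['onmousedown', 'onmouseup', 'onclick', 'onmouseover', 'onfocus', 'onpointerdown'];

// Matches assignments such as "this.href='...'" or setAttribute('href', ...),
// but not comparisons such as "this.href == x".
const HREF_ASSIGN = /\bhref\s*=(?!=)|setAttribute\(\s*['"]href['"]/i;

// Pull name="value" / name='value' pairs out of an opening tag's attribute text.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return attrs;
}

// Scan HTML source and return one finding per <a> whose handler rewrites href.
function findHrefSwappingAnchors(html) {
  const findings = [];
  const anchorRe = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    for (const handler of SWAP_HANDLERS) {
      const code = attrs[handler];
      if (code && HREF_ASSIGN.test(code)) {
        findings.push({
          text: m[2].replace(/<[^>]+>/g, '').trim(), // visible link text
          href: attrs.href || null,                   // what the user sees on hover
          handler,
          code: code.trim(),                          // the handler that swaps it
        });
      }
    }
  }
  return findings;
}

// Constructed sample: the CNBC-style link from the post, plus two harmless
// anchors whose handlers only read or compare href.
const SAMPLE_HTML = `
<a href="/some-url" onmousedown="this.href='/some-other-url';">Misleading Link Title</a>
<a href="/honest" onclick="console.log(this.href)">Honest Link</a>
<a href="/also-honest" onmouseover="if (this.href == x) foo();">Compare only</a>
`;

console.log(findHrefSwappingAnchors(SAMPLE_HTML));
```

Run it over saved page source; it reports only the first sample anchor, with the displayed href and the handler code that replaces it.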

It's impressive that Chrome detected CNBC's technique and blocked the click. Clickjacking could become a serious issue and I've lost a lot of trust in CNBC.  If you're participating in this practice, it may be best to stop -- the browsers are on to you.

Discussion

  1. Couldn’t agree more Dave, there are numerous other “methods” if the site owner wanted to utilise some form of redirect – this is insidious at best! One wonders what it would do to the ranking of a page once Google starts investigating the validity of these “links” – even CNBC might not be safe from some finger wagging by the Search Engines…

  2. MzJS

    Well, Google does this on the search results themselves, so does that count? It is especially annoying if you want to copy a search result via “copy link address” or similar. Same for OneDrive.

  3. Matt

    It seems even more shocking that you had any trust in CNBC. Not surprised.

    • “more shocking”… “not surprised”… I’m lost on what you’re trying to say.

    • Eliseu

      lol

  4. I’ve not seen it knowingly done by a site owner. But I have been spending the past few nights rebuilding my Dad’s Windows PC remotely, because it was riddled with Adware and Malware which was Clickjacking links all over the place.
    Even going to Microsoft OneDrive to install it to back his documents up was an ordeal. 75% of the time the link to “download” got clickjacked, and sent me off to a half convincing looking facsimile of the OneDrive download site.
    This happened to almost any “call to action” on any site, and was affecting Chrome and IE (his PC was so slow, I had no patience to download any other browsers for testing).

    It’s a worrying thing, that I hope browser vendors have a plan for, as my Dad was falling for them every time.

  5. MaxArt

    Sneaky scoundrels! o_O
    And this is from CNBC, not some wAre2 site… Oh, come on! D:
    I wonder if Chrome would be able to catch it if the action was done on mouseover rather than mousedown.

  6. Fredrik

    It is really annoying that so many sites require JS to work. I can understand that it would be nice to have some JS to enable slideshows or whatever, but JS to even read plain text? Come on!

  7. I’ve seen something similar at work this week from [popular company in my industry] and it’s frustrating to see how intrusive web advertisements can be. We should want to put creativity into what we do, but not to the point that we try to outsmart security features and search engines which already suppress virtually similar behaviors. I’m an enterprise dev, and the most successful argument I’ve ever used to not do something like this is “X browser prevents this because Y”. Where I work, every feature I make already has the requirement of needing to work in all of the browsers we support, so this argument is usually sufficient.

  8. Never trust the Big Green Download button! Look for a tiny little invisible download link that is impossible to find!
