A much more straightforward abuse would be pointer-events: none. Just position an element over the 'like' button and let clicks pass through it: http://jsfiddle.net/rVxTn/
A similar click-jacking trick is used a lot for spreading videos like worms on Facebook, at least in French. Videos with baiting titles like "How could she do that?", "I can't believe she did this in front of everyone" and such.
Most people will click just to see what it might be and not miss out. Then the video player says you have to click on some letters to prove you're not a robot (clever trick, people don't think much of it because it reminds them of CAPTCHAs)
The letters actually have Facebook Like button iframes on them with opacity set to 0. I edited the opacity on one of them with the Chrome Dev tools:
Unknowningly liking the video will create a story in your friends' feeds, who will in turn click to see and spread it to their friends. No real harm is done except for the spam and all the ad views generated.
It seems that Facebook has a heuristic where it looks for unusual numbers of retracted 'Likes' and then starts requiring confirmation before logging new Likes.
This makes attacks such as these a little less worrying.
It has. When I was at the company, the most common were a string of .info sites that would show a video player chrome and a title like "embarrassing blooper leaves actress topless" or something equally inviting. The video wouldn't exist, but there would be an invisible "like" button behind the play button.
That more straightforward approach also avoids an unexpected downside of this approach. I never really noticed it before, but my mouse icon is black instead of the apparently usual white. My mouse suddenly turning white on that page makes it pretty clear what is going on.
Great job! I wouldn't mind using this for legitimate reasons. I use custom share buttons on one of my sites and I hate having to use a popup. It's a hack. But this is a sexy hack with better integration.
It should be noted that the NoScript add-on for Firefox prevents this from working through it's Clickjacking-protection (and possibly a couple of more, cursor-specific tricks). People need to know that it does more than block JavaScript.
Few of the popular ones, but there may be some misconception here. NoScript isn't meant to be blocking JavaScript for all sites. If you trust a site, which doesn't function without JavaScript, adding it to the whitelist is one click away. You get used to it quickly.
And, even in the mode where JavaScript is allowed by default on new sites, the other protections (Clickjacking, XSS, ABE, etc) still apply.
Isn't this the fault of a bad UI mixed with bad defaults? I'm using the Cookieculler FF addon (https://addons.mozilla.org/en-US/firefox/addon/cookieculler/) to manage them. Instead of torturing me with a modal popup for every new site I visit, it keeps a list of hosts and cookies and trust status in the background. Using that list to protect important but delete/block all other cookies is quite convenient.
Most actually, depending on your interests of course.. IF you are looking for content, not games, animations or games and the like. I browse with Javascript disabled by default and rarely enable it (and mostly it is for things would work just fine without if their creator wanted).
Hacker News, for one. Anyway, NoScript isn't an extension to disable javascript (there's already a checkbox for that), the point is to selectively enable it.
Set NoScript to allow all same domain JS. This will block 3rd party tracking scripts and ads while allowing the site to work. You'll have to whitelist a few common files like jQuery on Google CDN but for the most part it works great.
I think NoScript's clickjacking protection works even if the site is whitelisted or you have javascript turned on for all sites, it still checks for XSS type behavior.
Given what we've been seeing with attack sites, whether shock sites trying to just DoS the browser or silly tricks like making the browser POST to an irc server's irc port to spread the malicious URL, or just terrible ads and tracking that actively slow down the browser and ruin the surfing experience, I'm amazed that not more people see javascript as a built-in remote code execution vulnerability that only gains more and more features over time, sandbox or not. :)
Javascript makes a lot of cool stuff possible, but outside of some heavy-weight web applications that I have to trust anyway like my webmail interface or online storage manager, or games where the interactive components are the only reason why I'm visiting the site to begin with, I'm starting to wonder whether trusting the internet is not inviting more trouble than it's worth.
Maybe I'm "old-fashioned" but I'd love to go back to all the sites I visit functioning with just static web content, no clientside scripting at all, and letting me consume videos and stuff in a trusted media player plugin.
By default I have JavaScript blocked on all sites, allowing it only as needed, case by case, because JavaScript is a remote-code-execution vulnerability of modern browsers.
More and more of the applications we use and our private data live in the cloud. We now access our personal files, manage our bank and investment accounts, and make retail purchases on our web browser.
Browsing the web with JavaScript enabled by default allows code written by complete strangers to run on your browser!
This shows a general lack of knowledge about how JS and websites work. I can't just run JS on my site that will steal your bank info. Browsers have cross domain security policies to prevent this.
There have been various vulnerabilities (especially in IE) but just like any other software they get fixed.
driverdan -- by your logic, it would be OK to give perfect strangers remote-shell access to one's computer, so long as one takes all the precautions necessary to protect sensitive files and prevent them from gaining root access.
Leave aside the various vulnerabilities (including cross-site-scripting ones!) that get discovered with disturbing frequency, and please consider the subject of this thread: it's possible to make someone click a "Like" button without their realizing it! How many other similar tricks can JavaScript be used for by people with nefarious intentions?
No matter how "safe" any runtime environment is, allowing strangers to execute arbitrary code on your computer is never a great idea.
This is why I allow JavaScript code to run on my browser only when it comes from sources I trust.
"...and letting me consume videos and stuff in a trusted media player plugin."
HTML5 generally solves this with <audio> and <video>. If implemented correctly by browsers, they should not require any scripting on the site itself to work.
That said, "trusted" media player plugins (think Flash) have been the targets of many successful attacks as well.
I'm thinking a dumb unscriptable video playback frame that draws its own controls and isn't remote-controlled by javascript.
I've seen plenty of sites that see that see I don't have javascript enabled (or unblocked) and conclude that welp, that guy probably doesn't have speakers, let's display a unhelpful message instead of embedding media content.
Of course there'll still be some attack surface just like people have been managing to exploit image decoding libraries over the years, but at least it wouldn't be engineered against usability by default.
For everyone talking about JavaScript: As far as I can tell, this is fundamentally a CSS vulnerability. Something quite similar ought to be possible without JavaScript — it would just be a bit less elegant. For example, you could just make a pixel grid of divs to simulate mousemove events and position the fake cursor with CSS hover styles.
Actually just CSS won't work in this case - because the Facebook Like button is within an iFrame. This works because Javascript cycles show/hide a transparant div above the Like button.
That's because there's a transparant DIV above the Facebook iFrame, cycling on/off every few milliseconds. This is required to maintain the fake cursor's position (without it when the real cursor was over the iFrame the 'fake' cursor would stop moving).
This is brilliant, but now it's only a matter of time until it's in actual use. Sort of like how evercookie was a clever hack meant to call attention to privacy concerns, then was put into actual production sites.
I'm not sure if you can say that it's a direct result of Evercookie, but a number of high profile sites use this kind of tech - for example KissMetrics.com is used by a number of big companies, and they use ETAG cookies, Flash cookies - the lot.
He mentions OS X Chrome specifically. I would quote him, but I can't cut & paste because my cursor is so messed up. ;) If you leave the window and come back in, it works better (temporarily).
The second one also removes an annoyance I see from time to time when I bypass the proxy which makes the page request again and again that xd_proxy.php file.
If I really want to like something, I disable the proxy and reload the page. I use Proxy SwitchySharp (2) for chrome to do the setup for me in pages I visit often.
I guess I should use this as an opportunity to remind people of the "Zscaler Likejacking Prevention" plugin for Firefox/Chrome/Safari/Opera (check the corresponding add-on stores). I use the setting "Request confirmation for all Facebook widgets" so that it asked me for confirmation before sending the Like request.
Yes and no. While I browse with JavaScript disabled, I have whitelist. Chrome v8 has a feature which allows you to prevent execution of scripts from a particular domain.
I've blacklisted all ad networks from executing and JavaScript but I maintain a strict whitelist which means that sites such as Facebook, Google, and any site which I browse and immediately see is broken is added to my whitelist.
When I browse a page, I can have conditional execution of the JS code, meaning that JS from 3 domains will run, but the 9 tracking JS code from all the ad networks won't run.
It's like the best of all worlds. Adnetworks can't fingerprint me, and they have to rely on cookies, plus my browsing is a hell of a lot faster because I don't have all the unneccessary JS downloading and running.
I admit the thought that some users aren't using JS concerns me because, while I try and always build sites with a fallback, it generally results in a lesser experience. Often fallbacks just aren't possible so I need to remove the feature altogether.
I bet there's a lot of sites that still work for you, but not quite as well as if JS were enabled.
Make your content load, but anything above that, users are on their own if they decide not to enable JavaScript.
In this age, with all of the rich user applications, JS is practically a requirement.
For my startup, the frontend gracefully fallbacks to a working version for users.
For the backend, they get a blackscreen saying JS is required. If users are going to use my application, they should expect to have JS enabled for the best possible user experience.
Cursor:none makes it cleaner, but it's not necessary. You could use a lighter cursor like cursor:crosshair or cursor:text along with the fake cursor, and I bet most people will still click using the fake one.
In fact, even if you can't change the cursor at all, you could easily create a swarm of fake cursors that would frustrate the hell out of the user.
If you give an id (or class) to your p tag that contains the links you said you wanted to make easier to click, then you could use css and easily add a :hover state. Then on the hover state just make the cursor normal so it's easier to click those links. Upon mouseout the cursor will go back to 'normal'. =)
Thanks for that :) I was thinking of perhaps creating an invisible target for them with the same offset as the FB like/button, so that they could be clicked with the 'fake' cursor to enhance the effect!
I don't think I'm getting the desired result... my cursor disappears, and I all I see is a static one in the top left corner above a cropped "Like" button (in french though, that may be the problem).
See here : http://imageshack.us/f/836/28545472.jpg/
I have NoScript 2.3.1 in Firefox with the default settings, including Clearclick protection. I have no Facebook account and no scripting is enabled for this site, including JQuery.
The site is still able to disable my mouse over most of the screen.
