ClickJacking – ideas for this sneaky hack (Twitter, etc)

By Steve Poland   •   January 22, 2009

Here we go with another little browser exploit/hack. It’s called ClickJacking and, as Scott Jangro puts it, “like carjacking, but with clicks.” Scott has a great post with a screencast that shows how ClickJacking works. Thanks to @esnagel for making me aware of his post.

Basically, you create an invisible (opacity=0) IFRAME and position it over a ‘click here!’ image/button/link [or over anything you want]. In the example (which comes from James Podolsey’s blog), they show a ‘click here!’ image with an invisible IFRAME on top of it, shifted using CSS so that the ‘update’ button of twitter.com/home sits exactly over the ‘click here!’ image. The update box is prefilled with whatever text you want. The user clicks ‘click here!’ and actually submits the update without knowing they just did that.

This of course assumes the user is logged into their Twitter account, which most users are — if they have Twitter.
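The trick only works because twitter.com/home will load inside an IFRAME on someone else’s site, so the defence belongs to the framed site: refuse framing with the X-Frame-Options header (new in IE8 at the time of this post) or, in later browsers, the Content-Security-Policy frame-ancestors directive. As an added example, not from this post or from Twitter, here is a Python check that classifies whether a set of response headers still leaves a page open to this kind of overlay; the header sets at the bottom are constructed, not captured from any real site.

```python
"""Decide whether a page's response headers let another origin frame it.

Added example: evaluates the two anti-framing controls a site can send,
X-Frame-Options and the CSP frame-ancestors directive. The header sets
at the bottom are constructed for the check, not captured responses.
"""
from urllib.parse import urlsplit


def _parse_csp(value):
    """Return the frame-ancestors sources from a CSP value, or None if absent."""
    for directive in value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def _matches(source, origin):
    """Does one unquoted frame-ancestors source match the framing origin?"""
    if source == "*":
        return True
    if source.startswith("'"):  # quoted keywords ('self', 'none') handled by caller
        return False
    host = urlsplit(origin).hostname or ""
    src_host = urlsplit(source if "://" in source else "//" + source).hostname or ""
    if src_host.startswith("*."):  # wildcard subdomain source such as *.example.com
        return host.endswith(src_host[1:])
    return host == src_host


def frameable_by(headers, page_origin, framer_origin):
    """True if a page served from page_origin may be embedded by framer_origin.

    headers: dict of response header name -> value (names matched case-insensitively).
    As in browsers, a CSP frame-ancestors directive takes precedence over
    X-Frame-Options when both are present.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _parse_csp(h.get("content-security-policy", ""))
    if ancestors is not None:
        if "'none'" in ancestors:
            return False
        if "'self'" in ancestors and page_origin == framer_origin:
            return True
        return any(_matches(s, framer_origin) for s in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return page_origin == framer_origin
    return True  # no anti-framing header at all: any site can overlay this page


# Constructed header sets for the check (not real responses).
NO_PROTECTION = {"Content-Type": "text/html"}
XFO_DENY = {"X-Frame-Options": "DENY"}
CSP_SELF = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
```

A page that returns True for an unrelated third-party origin is exactly the case this post describes: the ‘update’ button can be laid under someone else’s ‘click here!’.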

There are some sneaky things you could do with this — blackhat of course:

  • You could do this with Facebook as well, because most users are logged into Facebook. Stuff could go to the user’s newsfeed possibly.
  • Tweet out something actually relevant, with an affiliate tagged link to earn commissions. [Although that'll be trackable back to you]
  • You could have the user click a search result without them even knowing it, and collect the CPC. Or force a click on Google AdWords. Or force a click on a display ad.
  • You could potentially force the user to thumbs up / stumble a webpage you determine.
  • You could submit a comment to a blog with prepopulated data that you filled in (maybe pulled from a DB, so that you already had different data for every user you scam into clicking).
  • You could submit positive or negative reviews — prepopulate a review box and get the user to click it.
  • You could get the user to click an Amazon, eBay, etc, referral affiliate link, so that a cookie gets set on the user’s machine.

Of course, I’d tie this script in with the DOM hack that can tell you what websites the user has visited in the past (e.g. ‘twitter.com/home’ to figure out if they are likely logged into Twitter; or ‘amazon.com’ to see if they visit Amazon; etc), then I’d have my IFRAME somehow relate to this new knowledge of the user.

But you could do whitehat stuff — that ‘click here!’ button could be almost like a ‘ShareThis’ link on a blog article page. You could encourage users to ‘tweet’ that they are reading the current webpage: they’d simply click a ‘tweet this!’ button and it’d post as a tweet, without the user leaving the page they are reading, rather than the user clicking a link that contains the text of the tweet, being taken to their Twitter page with the update filled in, and then having to click ‘update’.

What ideas does this hack give you? Share in the comments.
