ClickJacking – ideas for this sneaky hack (Twitter, etc)

Here we go with another little browser exploit/hack. It’s called ClickJacking and, as Scott Jangro puts it, “like carjacking, but with clicks.” Scott has a great post with a screencast that shows how ClickJacking works. Thanks to @esnagel for making me aware of his post.

Basically, you create an invisible (opacity=0) IFRAME over a ‘click here!’ image/button/link [or over anything you want]. In the example (which comes from James Padolsey’s blog), they show a ‘click here!’ image with an invisible IFRAME on top of it, shifted using CSS so that the ‘update’ button of twitter.com/home sits over the ‘click here!’ image. The update box is prefilled with whatever text you want. The user clicks ‘click here!’ and actually submits the update, without knowing they just did that.

This of course assumes the user is logged into their Twitter account, which most users are — if they have Twitter.
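The defence against the framing described above is for the framed site to tell the browser who may embed it. As an added example that is not part of the original post, here is a small JavaScript check a site operator can run against their own response headers to see whether a page could be loaded inside a cross-site IFRAME; it relies on the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive, and the function names, origins and header values are constructed for illustration.

```javascript
// Added example, not from the original post: decide whether a page's response
// headers let another site wrap it in an IFRAME. Browsers honour the CSP
// frame-ancestors directive (which takes precedence) and X-Frame-Options.
// Header names are assumed lower-cased; all sample values are constructed.

function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list (quotes stripped), or null if absent.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase().replace(/^'|'$/g, ''));
    }
  }
  return null;
}

// Match a host source such as example.com or *.example.com (ports ignored).
function hostMatches(pattern, hostname) {
  if (pattern.startsWith('*.')) return hostname.endsWith(pattern.slice(1));
  return pattern === hostname;
}

// True if a document at framerOrigin may frame the page served from pageOrigin.
function canBeFramed(headers, pageOrigin, framerOrigin) {
  const page = new URL(pageOrigin);
  const framer = new URL(framerOrigin);
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors !== null) {
    return ancestors.some((src) => {
      if (src === 'none') return false;
      if (src === '*') return true;
      if (src === 'self') return framer.origin === page.origin;
      const m = src.match(/^(?:(https?):\/\/)?([^/:]+)(?::\d+)?$/);
      if (!m) return false; // scheme-only sources and the like are not handled
      if (m[1] && m[1] + ':' !== framer.protocol) return false;
      return hostMatches(m[2], framer.hostname);
    });
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framer.origin === page.origin;
  // No anti-framing header at all: the invisible cross-site IFRAME described
  // in the post would load this page, so it is exposed to clickjacking.
  return true;
}
```

Run it over the headers your own pages return; any page that holds a logged-in action (an ‘update’ button, a comment form, a review box) and comes back `true` for an outside origin is a candidate for the trick the post describes.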

There are some sneaky things you could do with this — blackhat of course:

  • You could do this with Facebook as well, because most users are logged into Facebook. Stuff could possibly go to the user’s news feed.
  • Tweet out something actually relevant, with an affiliate tagged link to earn commissions. [Although that'll be trackable back to you]
  • You could have the user click a search result without them even knowing it, and collect the CPC. Or force a click on Google AdWords. Or force a click on a display ad.
  • You could potentially force the user to thumbs up / stumble a webpage you determine.
  • You could submit a comment to a blog with prepopulated data that you filled in (maybe pulled from a DB, so that you already had different data for every user you scam into clicking).
  • You could submit positive or negative reviews — prepopulate a review box and get the user to click it.
  • You could get the user to click an Amazon, eBay, etc., referral affiliate link, so that a cookie gets set on the user’s machine.

Of course, I’d tie this script in with the DOM hack that can tell you what websites the user has visited in the past (e.g. ‘twitter.com/home’ to figure out if they are likely logged into Twitter; or ‘amazon.com’ to see if they visit Amazon; etc.), then I’d have my IFRAME somehow relate to this new knowledge of the user.

But you could do whitehat stuff — that ‘click here!’ button could be almost like a ‘ShareThis’ link on a blog article page. You could encourage users to ‘tweet’ that they are reading the current webpage — they’d simply click a ‘tweet this!’ button and it’d post as a tweet, without the user leaving the page they are reading. That replaces the usual flow of clicking a link that carries the tweet text, landing on their Twitter page with the update filled in, and then having to click ‘update’.

What ideas does this hack give you? Share in the comments.

Subscribe to Steve Poland's blog by Email