Re. "Potential clickjacking" alert
I just got a pop up about a Potential Clickjacking attempt.
The warning says, "click on the image below to cycle between the obstructed and the clear version." What image? I click on an image that happens to be presented within the page but nothing happens when I click on it. I don't see any other "image" to click on to cycle back and forth between the possible versions. Nothing I do brings up the two versions. Does this mean the Clickjacking alert is erroneous?
The URL of the site is shown in blue inside the pop up, but when I click on it the resulting page loads but does not function further. Not sure where to go from here. Thanks for help.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
Re: Re. "Potential clickjacking" alert
There's a Reply (or something like that) button that you can use to send in a report.
That may help to resolve any issues.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Re. "Potential clickjacking" alert
There's a "Report" button. As soon as you click it, a report is sent and a report ID is generated back. If you send me that ID, I can analyze and possibly fix this issue.
Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Re: Re. "Potential clickjacking" alert
Thanks for quick replies. Report ID is 98138. (Mac OS X 10.4.11- does that have anything to do with it?)
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
Re: Re. "Potential clickjacking" alert
Giorgio Maone wrote: If you send me that ID, I can analyze and possibly fix this issue.
"...send me that ID." Have I misunderstood? Did you mean other than by posting it here? By email?
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
- Giorgio Maone
Re: Re. "Potential clickjacking" alert
No prob, I've seen it now
I'll let you know as soon as it's analyzed, thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
- Giorgio Maone
Re: Re. "Potential clickjacking" alert
Quick question: were you using a non-standard zoom level?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Re: Re. "Potential clickjacking" alert
Thanks. Re. Non-standard zoom level: I don't think so. I think it's set to default.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
- Giorgio Maone
Re: Re. "Potential clickjacking" alert
The two images are slightly different, shifted by one pixel or less from left to right.
That's quite strange, and I can't actually reproduce the issue, but it's nothing malicious.
If it's consistently reproducible for you, could you check if you've got the latest Flash Player (and update it as needed) and try Standard Diagnostic?
If nothing helps, you can permanently work around it by adding danasangha.org to the noscript.clearclick.exceptions about:config preference.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Re: Re. "Potential clickjacking" alert
Thank you Giorgio. My immediate "workaround", since you say this is nothing malicious, is simply to uncheck "Keep this element locked." That allows the site to function. But I'm still rather puzzled about how to alternate between the two "images," since, no matter what I do, I can't seem to see a second one here. I'm running the latest Flash.
You were able to see two slightly offset "images". You are thinking my not being able to see the two "images" may be something peculiar to this particular site with my particular configuration of Firefox with NS, but if this popup should appear for another site some time in the future with NoScript, I should expect to be able to go back and forth between the "presenting or visible" and "underlying or hidden" "images." And I'm not sure what "image" means. Does "image" simply mean, in this case, the visible page? In the case of a malicious attempt at clickjacking, I'm assuming the "underlying" image would be the malicious one. But since I can't get this page to behave like that, I don't quite know how I would ferry back and forth between the two.
Perhaps you can briefly describe how I should expect to be able to do that. Thanks very much for the help.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: Re. "Potential clickjacking" alert
I don't know if your webkit is causing any issues on your Fx but is there a link that you can provide so we can go and test it to provide peer review feedback? If not then you two need to hammer this out yourselves. Just offering to see if we can replicate the problem in another environment.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
- Giorgio Maone
Re: Re. "Potential clickjacking" alert
kukla wrote: Thank you Giorgio. My immediate "workaround", since you say this is nothing malicious, is simply to uncheck "Keep this element locked." That allows the site to function. But I'm still rather puzzled about how to alternate between the two "images," since, no matter what I do, I can't seem to see a second one here.
Does the frame change color? It should cycle green/red, where the green-framed image is a screenshot taken out of context (with no other page element interfering) of the region you clicked, and the red frame is a screenshot of the same area the way you can see it on the page (possibly obstructed).
If something malicious is going on, the two images should be significantly different.
If they're identical, which happens most of the time, no warning is issued at all.
Therefore, for the warning to be issued, the two images must differ somewhat, even though this difference may not be noticeable (in this case, by the very definition of Clickjacking, we've got a false positive, usually due to some rendering artifact).
kukla wrote: You were able to see two slightly offset "images". You are thinking my not being able to see the two "images" may be something peculiar to this particular site with my particular configuration of Firefox with NS
Nope, the two images I was looking at were the ones you've seen. They are sent along with your report. I had to look at them very carefully under a magnifier to notice that they're actually different with my eyes, but a program (such as NoScript) can tell it with no sweat because it compares their mathematical representation.
When I actually looked at your site, I was unable to see anything because the warning never triggered, indicating that the almost unnoticeable offset that triggered for you has probably been caused by a configuration difference.
kukla wrote: but if this popup should appear for another site some time in the future with NoScript, I should expect to be able to go back and forth between the "presenting or visible" and "underlying or hidden" "images." And I'm not sure what "image" means. Does "image" simply mean, in this case, the visible page? In the case of a malicious attempt at clickjacking, I'm assuming the "underlying" image would be the malicious one.
Correct, see above.
kukla wrote: But since I can't get this page to behave like that, I don't quite know how I would ferry back and forth between the two. Perhaps you can briefly describe how I should expect to be able to do that.
Just clicking on the image itself. You can tell you're switching because the frame color cycles from green to red. As I said, if no difference (or no meaningful difference) is visible to human eye, that's a false positive since Clickjacking is about deceiving your eye.
@GµårÐïåñ:
I suppose we can see "Webkit" in kukla's Useragent string because he's just posting using Safari or configured Firefox to "spoof" Safari.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
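The comparison described in the post above, as an added illustration that is not part of the thread and is not NoScript's own code: two constructed grayscale buffers stand in for the green-framed (isolated) and red-framed (as displayed) screenshots, and an exact pixel-by-pixel comparison is assumed. The names `render` and `compare` and all sizes are hypothetical. It shows that a one-pixel shift triggers the warning just as a real obstruction does, while changing far fewer pixels.

```javascript
// Constructed 1-byte-per-pixel "screenshots"; dimensions and shapes are made up.
const W = 40, H = 20;

// Paint a dark rectangle (a stand-in for a button) on a white background.
function render(offsetX, overlay) {
  const px = new Uint8Array(W * H).fill(255);
  for (let y = 5; y < 15; y++)
    for (let x = 10 + offsetX; x < 30 + offsetX; x++) px[y * W + x] = 40;
  // Optional opaque overlay hiding part of the region, as an obstructing
  // page element would in the as-displayed capture.
  if (overlay)
    for (let y = 0; y < H; y++)
      for (let x = 0; x < 25; x++) px[y * W + x] = 200;
  return px;
}

// Compare the isolated capture with the as-displayed capture.
// Assumption: any differing pixel raises the warning (exact comparison).
function compare(isolated, displayed) {
  let differing = 0;
  for (let i = 0; i < isolated.length; i++)
    if (isolated[i] !== displayed[i]) differing++;
  return { differing, ratio: differing / isolated.length, warn: differing > 0 };
}

const isolated = render(0, false);
const cases = {
  identical: compare(isolated, render(0, false)),       // nothing in the way
  shiftedOnePixel: compare(isolated, render(1, false)), // rendering artifact
  obstructed: compare(isolated, render(0, true)),       // element drawn on top
};

for (const [name, r] of Object.entries(cases))
  console.log(name, r.differing, (r.ratio * 100).toFixed(1) + "%",
              r.warn ? "warn" : "ok");
```

The shifted case differs only along the two vertical edges of the rectangle, which is why such a report needs a close look before it can be called a false positive.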
- GµårÐïåñ
Re: Re. "Potential clickjacking" alert
Giorgio Maone wrote: @GµårÐïåñ: I suppose we can see "Webkit" in kukla's Useragent string because he's just posting using Safari or configured Firefox to "spoof" Safari.
Ok, that makes sense. I was just taking it at face value since I am not a mac user and the friend I asked said something about webkit and since I saw that I figured, hmm I point it out just in case it was more than coincidence. Sorry
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Re: Re. "Potential clickjacking" alert
Thanks for looking into this. I'm posting this right now (something to do with old habits and when I'm already sure a site is safe) using Safari, hence the Webkit in question.
Giorgio Maone wrote: Does the frame change color? It should cycle green/red
When I click anywhere on the "image," i.e. the page, either before or after I get the warning, I see absolutely nothing change, either in the presentation of the page (to be expected according to what you say about the difference being so slight), or in the frame color. No cycling from green to red. Since I'm getting the warning, I'm puzzled about not, at least, getting the green/red.
Anyway, the bottom line would be there needs to be a "significant difference" between the alternating images for the behavior to be considered malicious. This was a false positive.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
Re: Re. "Potential clickjacking" alert
Some (older) sample pictures here, http://forums.mozillazine.org/viewtopic ... 5#p5158725.
The top two, just a barely perceptible change (the whitespace below the bottom black line) between the red & green.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16