Re. "Potential clickjacking" alert

kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re. "Potential clickjacking" alert

Post by kukla »

I just got a pop up about a Potential Clickjacking attempt.

The warning says, "click on the image below to cycle between the obstructed and the clear version." What image? I click on an image that happens to be presented within the page but nothing happens when I click on it. I don't see any other "image" to click on to cycle back and forth between the possible versions. Nothing I do brings up the two versions. Does this mean the Clickjacking alert is erroneous?

The URL of the site is shown in blue inside the pop up, but when I click on it the resulting page loads but does not function further. Not sure where to go from here. Thanks for help.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Re. "Potential clickjacking" alert

Post by therube »

There's a Reply (or something like that) button with which you can send in a report.
That may help to resolve any issues.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Re. "Potential clickjacking" alert

Post by Giorgio Maone »

There's a "Report" button. As soon as you click it, a report is sent and a report ID is generated back. If you send me that ID, I can analyze and possibly fix this issue.
Thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Re. "Potential clickjacking" alert

Post by kukla »

Thanks for the quick replies. Report ID is 98138. (Mac OS X 10.4.11 - does that have anything to do with it?)
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Re. "Potential clickjacking" alert

Post by kukla »

Giorgio Maone wrote:If you send me that ID, I can analyze and possibly fix this issue.
"...send me that ID." Have I misunderstood? Did you mean other than by posting it here? By email?
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Re. "Potential clickjacking" alert

Post by Giorgio Maone »

No prob, I've seen it now :)
I'll let you know as soon as it's analyzed, thanks.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Re. "Potential clickjacking" alert

Post by Giorgio Maone »

Quick question: were you using a non-standard zoom level?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Re. "Potential clickjacking" alert

Post by kukla »

Thanks. Re. Non-standard zoom level: I don't think so. I think it's set to default.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Re. "Potential clickjacking" alert

Post by Giorgio Maone »

The two images are slightly different, shifted by one pixel or less from left to right.
That's quite strange, and I can't actually reproduce the issue, but in any case it's nothing malicious.
If it's consistently reproducible for you, could you check that you've got the latest Flash Player (and update it as needed) and try the Standard Diagnostic?
If nothing helps, you can permanently work around it by adding danasangha.org to the noscript.clearclick.exceptions about:config preference.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Re. "Potential clickjacking" alert

Post by kukla »

Thank you Giorgio. My immediate "workaround", since you say this is nothing malicious, is simply to uncheck "Keep this element locked." That allows the site to function. But I'm still rather puzzled about how to alternate between the two "images," since, no matter what I do, I can't seem to see a second one here. I'm running the latest Flash.

You were able to see two slightly offset "images". You are thinking my not being able to see the two "images" may be something peculiar to this particular site with my particular configuration of Firefox with NS, but if this popup should appear for another site some time in the future with NoScript, I should expect to be able to go back and forth between the "presenting or visible" and "underlying or hidden" "images." And I'm not sure what "image" means. Does "image" simply mean, in this case, the visible page? In the case of a malicious attempt at clickjacking, I'm assuming the "underlying" image would be the malicious one. But since I can't get this page to behave like that, I don't quite know how I would ferry back and forth between the two.

Perhaps you can briefly describe how I should expect to be able to do that. Thanks very much for the help.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Re. "Potential clickjacking" alert

Post by GµårÐïåñ »

I don't know if your webkit is causing any issues on your Fx but is there a link that you can provide so we can go and test it to provide peer review feedback? If not then you two need to hammer this out yourselves. Just offering to see if we can replicate the problem in another environment.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Re. "Potential clickjacking" alert

Post by Giorgio Maone »

kukla wrote:Thank you Giorgio. My immediate "workaround", since you say this is nothing malicious, is simply to uncheck "Keep this element locked." That allows the site to function. But I'm still rather puzzled about how to alternate between the two "images," since, no matter what I do, I can't seem to see a second one here.
Does the frame change color? It should cycle green/red, where the green-framed image is a screenshot taken out of context (with no other page element interfering) of the region you clicked, and the red-framed one is a screenshot of the same area the way you can see it on the page (possibly obstructed).
If something malicious is going on, the two images should be significantly different.
If they're identical, which happens most of the time, no warning is issued at all.
Therefore, for the warning to be issued, the two images must differ somewhat, even though this difference may not be noticeable (in this case, by the very definition of Clickjacking, we've got a false positive, usually due to some rendering artifact).
kukla wrote:You were able to see two slightly offset "images". You are thinking my not being able to see the two "images" may be something peculiar to this particular site with my particular configuration of Firefox with NS
Nope, the two images I was looking at were the ones you've seen. They are sent along with your report. I had to look at them very carefully under a magnifier to notice with my own eyes that they're actually different, but a program (such as NoScript) can tell with no sweat because it compares their mathematical representation.

When I actually looked at your site, I was unable to see anything because the warning never triggered, indicating that the almost unnoticeable offset that triggered it for you has probably been caused by a configuration difference.
kukla wrote:but if this popup should appear for another site some time in the future with NoScript, I should expect to be able to go back and forth between the "presenting or visible" and "underlying or hidden" "images." And I'm not sure what "image" means. Does "image" simply mean, in this case, the visible page? In the case of a malicious attempt at clickjacking, I'm assuming the "underlying" image would be the malicious one.
Correct, see above.
kukla wrote:But since I can't get this page to behave like that, I don't quite know how I would ferry back and forth between the two. Perhaps you can briefly describe how I should expect to be able to do that.
Just click on the image itself. You can tell you're switching because the frame color cycles from green to red. As I said, if no difference (or no meaningful difference) is visible to the human eye, that's a false positive, since Clickjacking is about deceiving your eye.

@GµårÐïåñ:
I suppose we can see "WebKit" in kukla's user agent string because he's just posting using Safari or has configured Firefox to "spoof" Safari.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
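The comparison Giorgio describes above (an out-of-context screenshot of the clicked region versus an in-context one, with any pixel difference raising the warning and only a large difference indicating real obstruction) can be modelled in a few lines. The following is an added illustration written for this thread, not NoScript's ClearClick code: the three tiny "screenshots" are constructed in the script, and the `visible_threshold` used to separate a barely-perceptible rendering artifact from a genuine overlay is an assumed illustrative value, not a NoScript preference.

```python
"""Toy model of a ClearClick-style obstruction check (added illustration,
not NoScript's code). Two 'screenshots' of the clicked region are compared:
one rendered in isolation (the green-framed image in the thread) and one
rendered in page context (the red-framed image). Any pixel difference
raises a warning; a large difference points to a real overlay, a tiny one
(a one-pixel rendering shift) is the false-positive case discussed above."""

from typing import List, Tuple

Pixel = Tuple[int, int, int]
Image = List[List[Pixel]]

WHITE: Pixel = (255, 255, 255)
BLACK: Pixel = (0, 0, 0)
RED: Pixel = (200, 0, 0)

WIDTH, HEIGHT = 40, 12  # constructed sample dimensions


def render_isolated() -> Image:
    """Constructed sample: the clicked element drawn on its own,
    a white box with a black vertical rule at column 10."""
    return [[BLACK if x == 10 else WHITE for x in range(WIDTH)]
            for _ in range(HEIGHT)]


def render_in_page_shifted(dx: int = 1) -> Image:
    """Constructed sample: identical content drawn dx pixels to the right,
    simulating the sub-pixel/one-pixel rendering offset from the thread."""
    return [[BLACK if x == 10 + dx else WHITE for x in range(WIDTH)]
            for _ in range(HEIGHT)]


def render_in_page_obstructed(cover_width: int = 20) -> Image:
    """Constructed sample: the same element with an opaque overlay covering
    its left half, the kind of difference a human would actually notice."""
    return [[RED if x < cover_width else px for x, px in enumerate(row)]
            for row in render_isolated()]


def diff_fraction(a: Image, b: Image) -> float:
    """Fraction of pixels that differ between two same-sized images.
    This is the 'mathematical comparison' a program can do that eyes cannot."""
    if len(a) != len(b) or any(len(ra) != len(rb) for ra, rb in zip(a, b)):
        raise ValueError("images must have the same dimensions")
    total = sum(len(row) for row in a)
    differing = sum(pa != pb for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))
    return differing / total


def clearclick_verdict(isolated: Image, in_page: Image,
                       visible_threshold: float = 0.10) -> Tuple[str, float]:
    """Decision as described in the thread:
    - identical images: no warning at all;
    - any difference: a warning is raised;
    - below `visible_threshold` (assumed value) the difference is too small
      to deceive an eye, so the warning is a likely false positive."""
    frac = diff_fraction(isolated, in_page)
    if frac == 0.0:
        return "no-warning", frac
    if frac < visible_threshold:
        return "warning-likely-false-positive", frac
    return "warning-visible-obstruction", frac


if __name__ == "__main__":
    clean = render_isolated()
    for label, in_page in (("identical", clean),
                           ("shifted by 1px", render_in_page_shifted()),
                           ("half covered", render_in_page_obstructed())):
        verdict, frac = clearclick_verdict(clean, in_page)
        print(f"{label:15s} differing pixels: {frac:6.1%}  -> {verdict}")
```

Running it shows the three outcomes side by side: the identical pair yields no warning, the one-pixel shift differs in about 5% of pixels (enough for a bitmap comparison to notice, hard for an eye to see), and the half-covered element differs in 50% of pixels.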
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Re. "Potential clickjacking" alert

Post by GµårÐïåñ »

Giorgio Maone wrote:@GµårÐïåñ:
I suppose we can see "WebKit" in kukla's user agent string because he's just posting using Safari or has configured Firefox to "spoof" Safari.
Ok, that makes sense. I was just taking it at face value since I am not a Mac user and the friend I asked said something about WebKit, and since I saw that I figured, hmm, I'd point it out just in case it was more than coincidence. Sorry :oops:
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Re. "Potential clickjacking" alert

Post by kukla »

Thanks for looking into this. I'm posting this right now (something to do with old habits and when I'm already sure a site is safe) using Safari, hence the WebKit in question.
Giorgio Maone wrote:Does the frame change color? It should cycle green/red
When I click anywhere on the "image," i.e. the page, either before or after I get the warning, I see absolutely nothing change, either in the presentation of the page (to be expected, according to what you say about the difference being so slight) or in the frame color. No cycling from green to red. Since I'm getting the warning, I'm puzzled about not, at least, getting the green/red.

Anyway, the bottom line would be there needs to be a "significant difference" between the alternating images for the behavior to be considered malicious. This was a false positive.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_4_11; en) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Re. "Potential clickjacking" alert

Post by therube »

Some (older) sample pictures here, http://forums.mozillazine.org/viewtopic ... 5#p5158725.

The top two show just a barely perceptible change (the whitespace below the bottom black line) between the red & green.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16