On a reasonably popular and safe mediacoder page I get the clickjack alert when I click on Forum, Solution and Download on the horizontal Menu Tab when the GHOSTERY ALERT IS ON.
If you click away the ghostery alert the same procedure works fine.
Ghostery provokes clickjack
Dreams are REAL possibilities. Pursue them with zest and you can make them HAPPEN!
You are GOD.Realize THAT!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: Ghostery provokes clickjack
If the header of the page is implemented using an iframe or a Flash object (like I suspect), there's nothing I can do to prevent the warning dialog: Ghostery's alert is behaving exactly like a clickjacking attack, by hiding part of the embedded content.
If Ghostery folks implemented their notification in chrome (like NoScript), this and many other problems wouldn't happen, as I already told in this forum, on their blog and elsewhere when I had been attacked for my sites hiding Ghostery's box which was overlapping my license and donation button areas.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
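A simplified model of the situation described in the post above, as an added example that is not part of the original thread and is not NoScript's code: a click on embedded content (iframe or plugin object) is flagged when any other element stacked above it hides part of it. The box geometry, the `z` stacking field and all function names are assumptions made for illustration.

```javascript
// Assumed model: elements are axis-aligned boxes in CSS pixels with a stacking order z.
const EMBEDDED = new Set(['iframe', 'object']);

function intersect(a, b) {
  const x1 = Math.max(a.x, b.x), y1 = Math.max(a.y, b.y);
  const x2 = Math.min(a.x + a.w, b.x + b.w), y2 = Math.min(a.y + a.h, b.y + b.h);
  return x2 > x1 && y2 > y1 ? { x: x1, y: y1, w: x2 - x1, h: y2 - y1 } : null;
}

// Exact area of a union of rectangles (coordinate compression), so that
// several overlapping overlays are not counted twice.
function unionArea(rects) {
  const xs = [...new Set(rects.flatMap(r => [r.x, r.x + r.w]))].sort((a, b) => a - b);
  const ys = [...new Set(rects.flatMap(r => [r.y, r.y + r.h]))].sort((a, b) => a - b);
  let area = 0;
  for (let i = 0; i + 1 < xs.length; i++)
    for (let j = 0; j + 1 < ys.length; j++) {
      const covered = rects.some(r => r.x <= xs[i] && xs[i + 1] <= r.x + r.w &&
                                      r.y <= ys[j] && ys[j + 1] <= r.y + r.h);
      if (covered) area += (xs[i + 1] - xs[i]) * (ys[j + 1] - ys[j]);
    }
  return area;
}

function contains(r, p) {
  return p.x >= r.x && p.x < r.x + r.w && p.y >= r.y && p.y < r.y + r.h;
}

// Warn when the topmost element under the click is embedded content
// and some higher-stacked element hides any part of it.
function assessClick(point, elements) {
  const hit = elements.filter(e => contains(e.rect, point))
                      .sort((a, b) => b.z - a.z)[0];
  if (!hit || !EMBEDDED.has(hit.kind)) return { warn: false, hiddenFraction: 0 };
  const covers = elements.filter(e => e !== hit && e.z > hit.z)
                         .map(e => intersect(e.rect, hit.rect)).filter(Boolean);
  const hiddenFraction = unionArea(covers) / (hit.rect.w * hit.rect.h);
  return { warn: hiddenFraction > 0, hiddenFraction };
}

// Constructed layout: a header menu served in an iframe, and a notification box
// injected into the page content that overlaps the right end of the header.
const header = { kind: 'iframe', z: 0, rect: { x: 0, y: 0, w: 800, h: 100 } };
const notice = { kind: 'div', z: 10, rect: { x: 600, y: 0, w: 200, h: 50 } };
const menuClick = { x: 120, y: 60 }; // on a menu entry, away from the box
```

With the box present, `assessClick(menuClick, [header, notice])` warns even though the click is nowhere near the box; with the box dismissed, the same click passes, which matches the behaviour reported in the first post.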
Re: Ghostery provokes clickjack
Can someone then give an unbiased view of the purpose of Ghostery? The catch was that it identifies which sites put a hidden script (snooping) in other sites and displays them.
1. What are the risks of hidden scripts?
2. If a non-functional academic alert was all the fuss about, then I may as well disable it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: Ghostery provokes clickjack
Mostly tracking and privacy issues and NS already detects and neutralizes them, Ghostery does nothing but show you they are there, it does nothing about it. If you check NS settings, you will see there is an option for WebBugs already, so why would you need to see it using Ghostery, not sure. The only reason I use Ghostery is to see the NAMES of the webbugs so I can build special filters for them in ABP. Hope that helps.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Re: Ghostery provokes clickjack
Enabling "Forbid web bug" in NS does not seem to help. I still get the Ghostery notifications.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: Ghostery provokes clickjack
@nagan, I guess you are still not getting the difference in function. NS blocks the webbugs, not Ghostery, which is an extension. Even with their functions blocked, you can still know they are there, the same way NS knows they are there: they are in the page code. They just don't function anymore, and Ghostery is showing you that they appear in the code. That has nothing to do with NS blocking them or not, and Ghostery can't evaluate their threat or do anything about them. It's like seeing the red light and having a sign telling you there is a light coming up. The sign (Ghostery) does nothing about the light coming up, it just tells you it's there, but think of NS as the system that starts/stops the light based on traffic and permissions and so on.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Re: Ghostery provokes clickjack
"Gotcha". I was wondering earlier that NS would block an incidence of the bug, and since the fangs are removed, it no longer remained a bug and hence logically Ghostery should not display the site names. Hmmm... No logic here..
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
Re: Ghostery provokes clickjack
Glad you got it. NS effectively castrates their function and ability to do any damage but does not remove the code from the developer's page, which is hardcoded on the server side. Ghostery is just parsing and picking up those references and displaying them. It's like diabetes and taking meds for it: the meds don't cure the source of the diabetes, they just neutralize its effects and balance it out so it's rendered harmless. But even if your sugar levels are perfect, if someone tests you, they'll know you have diabetes; even though you may be fine with the meds in your system, the markers are there.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11
Re: Ghostery provokes clickjack
GµårÐïåñ wrote: NS blocks the webbugs
Have I got that wrong?
I have always understood that NS covers just the main classes of those little bits of code. Web bugs are a very diffuse class of things that can report using a wide range of methods, and a user really has to go to specialists for any kind of comprehensive blocking of them. ABP for example.
I note that the option 'forbid web bugs' is only for untrusted; that if a main domain is allowed, then web bug active content is as likely as not to be allowed too.
Unless it is expressly blocked using specialists like ABP, of course.
Nagan, it's a very context-dependent kind of decision whether to ditch a privacy helper; to evaluate what kind of private information you would be letting that particular site track, and whether your security is tied up with privacy in that case.
I myself choose security first and privacy second if there's a conflict.
But I browse mainly for text and from necessity for commerce, so I don't have your media use complications by and large.
Fortunately for us here in the NS community, we have luntrus to advise on other means of tracking the trackers, besides an extension that won't get along with a security one
http://forums.informaction.com/viewtopic.php?f=8&t=1572
Mozilla/5.0 (X11; U; Linux i686; en-AU; rv:1.9.0.10) Gecko/2009042523 Ubuntu/9.04 (jaunty) Firefox/3.0.10