Clickjacking - What to do?


Post by RevMAV »

Dear Support Staff:

I am a member of Facebook.
I use/play the Facebook “Wheel of Fortune” application.
Link: http://apps.facebook.com/wheeloffortunegames/
Your software alerts me to multiple incidences of potential clickjacking each time I use the application.
These “clickjacking” attempts seem to move from button to button within the game.
I have made numerous attempts to contact the application provider, “Game Show Network”.
Questions:
1. I report these incidences through your software program. What happens to these reports?
2. What can I do to get the application’s management staff to address my concerns?
3. Are there legal actions that I can take?

Thank you!!
RevMAV
Last edited by GµårÐïåñ on Tue Feb 22, 2011 9:28 pm, edited 1 time in total.
Reason: deleted the ad/tracking portion of the link - in case possible spam

Post by GµårÐïåñ »

This can happen quite a bit when you have bad programming or just simply rendering in the browser that goes wrong and causes a shift in overlapping images (could also occur if you have a lot of addons that inject their own code or parse it and cause certain elements to break), which is normally how your clicks are "jacked" by a layer that is not seen and takes the click from a legitimate source and redirects it. Now, many of the programmers are now using overlapping layers and so on which makes it harder to protect against EVERY case of it without having some false positives.

The best way is for you to use the clickjacking interface to REPORT the matter to Giorgio, then post us the Report# here and maybe a screenshot, although not really necessary and it will be looked into and sometimes we can give you exceptions to put into the config to avoid that from happening (specific to you or similar users to do manually), assuming it's a legitimate request and a false positive, OK? And in some cases the more pervasive cases will be defaulted into the NoScript releases (you can see them under about:config (use at your own risk) and check these settings: noscript.clearClick.exceptions and/or noscript.clearClick.subexceptions to mention a couple places that are defaulted by release to give you an idea what we mean).

Hope that helps. Also this might help if you want to take a look: http://noscript.net/faq#faqsec7

Post by RevMAV »

Thanks so much for your help. I'll follow up on your suggestions and see if that leaves me feeling reassured. Have a great day!

Post by GµårÐïåñ »

Not a problem, we are always here, if not me, tons of others who are just as helpful, maybe even more. Good luck and let us know if there is anything else.

Post by jlb »

I'm having a similar problem with another facebook page. In this case, any time facebook chat is open we get fairly constant clickjack warnings that we really don't care about. It usually (possibly always) happens if the button you're clicking is somewhere close to a facebook chat window.

If this can't be worked around on the noscript side, it would really be nice to be able to add an ability to ignore this warning on a site. I've tried turning off both trusted and untrusted site checkmarks, but I still get a clickjack warning on every click. Is there any way to work around this on my side?

Here's a report of one example: 1508255

Post by GµårÐïåñ »

Yeah, you are describing pretty much what I said, it happens when you click on something that either shifts or the actual receiving item becomes different or shifted suggesting something might be intercepting it. Depending on how you click, as you said, near the edges, you are MORE likely to get it because sometimes they have hover borders and that shifts the overall target range. Anyway, simply put, false positives can happen depending on rendering, addons, content management, styles, css, javascript, floats, you name it and even when I click 100 times and get nothing, once in a blue moon, I do and I know to just ignore it and move on or refresh the page.

BTW, for anyone who is wondering, the reports you make are ONLY and I mean ONLY available to GIORGIO for review and NONE OF US get to see it, unless you post the screenshot or something here. Not that there is something super duper secret about it, but just that it's a debugging and testing tool that only helps the developer and not much else. The report number we ask to be posted here is just so that if Giorgio happens to be busy and misses it, we can send him a message and ask and/or follow up, that's it. Also, since there is no personally identifiable information about it and you can post anonymously here, sometimes there is no way for him to know which report is yours unless you tell him here or via PM. Reports are securely and one-way only sent to Giorgio for debugging purposes only and that's it. Although not sure on this one, I am pretty damn certain that even he doesn't keep them when he is done with them (I have been a developer for 20+ years and I wouldn't do it, wasted resources to hold on to them), but just this part, not sure don't quote me on it; who knows, he might keep it for the sake of regression testing and looking back to see what changed, that I might even do for the short term.
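A simplified geometric model of the situation discussed in the posts above, added here as an illustration; it is not NoScript's ClearClick code and not written by any poster. The layer names, coordinates and opacity threshold are constructed. It shows how a click near the edge of a button can be received by a neighbouring widget's invisible hover border, which to a checker looks the same as an unseen layer taking the click.

```javascript
// Simplified geometric model of an obstructed click. Not NoScript's ClearClick code.
// All layer names, coordinates and the opacity threshold are constructed for illustration.

const inside = (r, x, y) =>
  x >= r.x && x < r.x + r.w && y >= r.y && y < r.y + r.h;

// Topmost layer (highest z) at the point that satisfies `pred`, or null.
function topmost(layers, x, y, pred) {
  return layers
    .filter((l) => inside(l.rect, x, y) && pred(l))
    .sort((a, b) => b.z - a.z)[0] || null;
}

// Compare what receives the click with what the user can actually see there.
function checkClick(layers, x, y, minOpacity = 0.1) {
  const receiver = topmost(layers, x, y, (l) => l.pointerEvents);
  const seen = topmost(layers, x, y, (l) => l.opacity >= minOpacity);
  return {
    receiver: receiver && receiver.id,
    seen: seen && seen.id,
    obstructed: receiver !== seen, // mismatch is what triggers a warning in this model
  };
}

// Constructed page: a game button, a chat window docked next to it, and the
// chat window's transparent hover border extending 8px past its visible edge.
const page = [
  { id: "game-button", rect: { x: 100, y: 300, w: 120, h: 40 }, z: 1, opacity: 1, pointerEvents: true },
  { id: "chat-window", rect: { x: 224, y: 200, w: 200, h: 300 }, z: 5, opacity: 1, pointerEvents: true },
  { id: "chat-hover-border", rect: { x: 216, y: 192, w: 216, h: 316 }, z: 4, opacity: 0, pointerEvents: true },
];

function demo() {
  return {
    centre: checkClick(page, 160, 320), // middle of the button: no warning
    edge: checkClick(page, 218, 320),   // right edge of the button, under the hover border
    chat: checkClick(page, 300, 320),   // inside the visible chat window: no warning
  };
}

console.log(demo());
```

Geometry alone cannot tell this benign overlap from a hostile transparent layer, so a checker that warns on the mismatch will also warn here; that is the kind of false positive the exceptions mentioned earlier in the thread are meant to cover.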

Post by jlb »

Thank you for the response. But this is not a sometimes thing, it's more clicks than not.

We have a laptop with a small screen, and facebook chat is almost always near something she needs to click if she's playing a facebook game. There must be some way to work around this problem without just disabling noscript. Disabling noscript is what I'm going to have to do, because--whoever's fault it may be--it's not usable in this scenario. But I'd really like to leave noscript enabled, especially when she's using the computer. :)

I'd really like an option that lets me whitelist facebook chat somehow (I'm not even sure how you'd go about that..) or disable clickjacking protection on facebook. I think it can be disabled globally, right? I'd rather not go that far but if it's what I have to do, it's better than disabling noscript altogether.