Inquiry from NEW member regarding "clickjacking"

kls490
Posts: 4
Joined: Tue Mar 19, 2013 12:08 pm
Location: Mid-Atlantic area (USA)

Inquiry from NEW member regarding "clickjacking"

Post by kls490 »

Good morning everyone,

As indicated in the subject line, I am new to this forum and have a question regarding the issue of clickjacking.

Description of issue:

For about 3 years now, I have visited the GSN.COM website to play some of their NON-CASH type games (i.e. just games where you win "oodles" & "tokens") and only enter "sweepstakes-type" contests...NEVER any tournaments or auctions. GSN recently added a new game listed as "Daily Break" to their game list. When I played this game on both March 17th & 18th, about 30 seconds into the game, NoScript displayed a "clickjacking alert."

This has never occurred before. I immediately quit the game and left the website. I did some checking here to see just what clickjacking is, but am not really certain of just how serious an issue this "alert" I received is and just what I should do about it. (Please bear with me as I am up in years and my deteriorating medical status makes it more difficult to adequately understand many computer security issues).

I did notify GSN's Tech Support staff of this issue and attached a screenshot of the clickjacking alert which was displayed. (I apologize for being unable to provide that screenshot here; I don't seem to be able to see a way to post it).

This morning, I again played the "Daily Break" game without any alert being displayed. However, when I was attempting to complete a GSN customer feedback form, the clickjacking alert from NoScript was once again displayed.

My question for the community: Should I simply avoid going to the gsn.com site to avoid any potential compromise of my computer's security?

Thank you for your time and any enlightenment!
Best regards,

PC
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
access2godzilla
Senior Member
Posts: 109
Joined: Sun May 20, 2012 5:09 pm

Re: Inquiry from NEW member regarding "clickjacking"

Post by access2godzilla »

Clickjacking is the malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on. [Wikipedia]

An example: This is commonly used in the case of Facebook spam, where spammers set up pages where the user has to click on something (like a video etc.). Users will notice that, if they have watched the video, the spammer's content has been automatically "liked", although they did not click on any "like" button. This is done by the technique of clickjacking, where the user thought he clicked on the video, but the page was set up such that the click was actually on the like button.
There are other nastier forms, which involve Flash to get users' pictures, tricking users to reveal confidential information and the like.

You can report clickjacking from NoScript's clickjacking alert window itself and post the report ID here, for further reference.

Clickjacking should not pose a security problem, and while there may be some cases where it may cause some problems, they're quite improbable (and you can always deselect the option 'Keep this element blocked' in the alert window wherever it appears).
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
kls490
Posts: 4
Joined: Tue Mar 19, 2013 12:08 pm
Location: Mid-Atlantic area (USA)

Re: Inquiry from NEW member regarding "clickjacking"

Post by kls490 »

I really appreciate your time and the detailed information you provided, access2godzilla!

It certainly puts my mind more at ease being able to better understand what this clickjacking is all about!

Many thanks again! :mrgreen:
Best regards,

PC
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Inquiry from NEW member regarding "clickjacking"

Post by Thrawn »

It's still worth investigating what the site is actually doing that triggers the alert. Sometimes it's harmless - the NoScript site itself used to use it to re-style the installation button for NoScript - but you want to be sure that it's actually a false positive.

Also, if the site is doing something that isn't actually clickjacking, but sets off the filter, then Giorgio will want to improve the filter.

@access2godzilla: Clickjacking can indeed be a security problem. What if, instead of the Facebook Like button, the spammer tricked you into clicking an Amazon Buy it Now button? Or the Flash configuration page, enabling a site to use your microphone and webcam?
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
kls490
Posts: 4
Joined: Tue Mar 19, 2013 12:08 pm
Location: Mid-Atlantic area (USA)

Re: Inquiry from NEW member regarding "clickjacking"

Post by kls490 »

Thanks very much for the additional feedback, Thrawn! :D

I'll visit the site this morning and see what happens this time around. (I'm still awaiting a response from the GSN Tech staff to my email w/ the attached screenshot of the clickjacking alert message).
Last edited by kls490 on Wed Mar 20, 2013 12:00 pm, edited 1 time in total.
Best regards,

PC
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
access2godzilla
Senior Member
Posts: 109
Joined: Sun May 20, 2012 5:09 pm

Re: Inquiry from NEW member regarding "clickjacking"

Post by access2godzilla »

Thrawn wrote: @access2godzilla: Clickjacking can indeed be a security problem. What if, instead of the Facebook Like button, the spammer tricked you into clicking an Amazon Buy it Now button? Or the Flash configuration page, enabling a site to use your microphone and webcam?

As I said, everything is theoretically possible, but in practical life: not so much. I've never bought things from Amazon, but I assume that the attacker is going to have a hard time pulling it off, since it would possibly involve:

Amazon example:
1. Clickjacking the buy now and the make payment buttons (easy, though the attacker would likely have to make some kind of a mouse-operated action game or something similar)

2. Somehow make me actually make the payment, detect my payment processor, enter my credit card details and make me pay.

Flash player config page:
The system settings always override the settings of the online settings page for versions >= 10.3: https://www.macromedia.com/support/docu ... tml#124401
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
kls490
Posts: 4
Joined: Tue Mar 19, 2013 12:08 pm
Location: Mid-Atlantic area (USA)

Re: Inquiry from NEW member regarding "clickjacking"

Post by kls490 »

Greetings again,

I was just on the GSN.COM site, and when I went to play the "Daily Break" game I previously mentioned, I once again received the clickjacking alert from NoScript. The report number generated is: 743761.

Hope this might be of some help, and thank you for your time and any additional enlightenment!
Best regards,

PC
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Inquiry from NEW member regarding "clickjacking"

Post by Thrawn »

access2godzilla wrote: As I said, everything is theoretically possible, but in practical life: not so much. I've never bought things from Amazon, but I assume that the attacker is going to have a hard time pulling it off, since it would possibly involve:
<snip>
2. Somehow make me actually make the payment, detect my payment processor, enter my credit card details and make me pay.

Perhaps you don't realise that Amazon allows you - even encourages you - to set up all of your credit card details in your account, so that you can just click on one button and have something charged to your account and shipped to you. One click, done. It's part of their business model.

access2godzilla wrote: Flash player config page:
The system settings always override the settings of the online settings page for versions >= 10.3: https://www.macromedia.com/support/docu ... tml#124401

Just an example. It was an early clickjacking target. There are other possibilities, eg cross-site request forgery that bypasses the usual token-checking defences (because it may be a form that was loaded from the legitimate site). The point is, making people click on things that they didn't intend can definitely be a security problem, not just a nuisance.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
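
The last post's point is that a form loaded from the legitimate site can be clicked while it is embedded in someone else's page. As an added example (not part of any post in this thread), this is one way a site operator can check whether a response opts out of being framed, using the standard `X-Frame-Options` and CSP `frame-ancestors` response headers; the function name, verdict labels and sample headers are constructed for illustration.

```javascript
// Added example: classify a response's anti-framing headers.
// framingPolicy() and its verdict strings are hypothetical names.
function framingPolicy(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  // An enforced CSP frame-ancestors directive takes precedence over
  // X-Frame-Options. The Report-Only header is deliberately not read:
  // it reports violations but does not block framing.
  const csp = h['content-security-policy'] || '';
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (!name || name.toLowerCase() !== 'frame-ancestors') continue;
    const list = sources.map((s) => s.toLowerCase());
    // 'none' (or an empty source list) allows no ancestor at all.
    if (list.every((s) => s === "'none'")) return 'no-framing';
    if (list.includes('*')) return 'frameable';
    if (list.every((s) => s === "'self'")) return 'same-origin-only';
    return 'allowlist';
  }

  // Fall back to the older header. Only DENY and SAMEORIGIN are honoured
  // here; ALLOW-FROM is obsolete and treated as no protection.
  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return 'no-framing';
  if (xfo === 'sameorigin') return 'same-origin-only';
  return 'frameable';
}

// Constructed sample responses (not captured from any real site).
const samples = {
  checkout: { 'X-Frame-Options': 'DENY' },
  widget: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors https://partner.example" },
  both: { 'x-frame-options': 'DENY', 'content-security-policy': "frame-ancestors 'self'" },
  legacy: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  reportOnly: { 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" },
};

for (const [page, headers] of Object.entries(samples)) {
  console.log(page.padEnd(12), framingPolicy(headers));
}
```

A page that performs a state-changing action on a single click and comes back as `frameable` is the case the posts above are arguing about.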