Bank is clickjacking?
Posted: Fri Jul 31, 2009 12:04 am
by Lance
At my bank's https online banking login, I get the "Potential Clickjacking / UI Redressing Attempt!" warning for the account number field. Does that mean my bank's "secure" login page isn't really secure? If this is simply a glitch, how do I tell NoScript that my bank's site is not clickjacking?
Also, please don't include o and 0 in your Confirmation code. Who can tell which is which?
Re: Bank is clickjacking?
Posted: Fri Jul 31, 2009 4:54 am
by Grumpy Old Lady
Lance wrote: At my bank's https online banking login, I get the "Potential Clickjacking / UI Redressing Attempt!" warning for the account number field. Does that mean my bank's "secure" login page isn't really secure?
Impossible to decide without seeing the actual page. The whole idea of the ClearClick Warning is to alert you to an obscured frame that could be a malicious redirection of your click. By then clicking on the green framed snapshot, you will get a second red framed snapshot which is the obscured frame that you wouldn't have seen without the ClearClick warning. You can then make your decision about its intentions. If you decide it's up to no good, or you can't decide, you can choose to report the thing to Giorgio using the Report button at the bottom of the dialog. And report to your bank of course!
if this is simply a glitch, how do I tell NoScript that my bank's site is not clickjacking?
Uncheck the "Keep this element locked" dialog item.
Also, please don't include o and 0 in your Confirmation code. Who can tell which is which?
Where do you encounter this code? Sorry I have no clue about that question.
Re: Bank is clickjacking?
Posted: Fri Jul 31, 2009 7:44 am
by Giorgio Maone
@Lance: what Grumpy Old Lady said.
Additionally, I'd appreciate it if you would fill the field with a bogus confirmation number and, when the warning appears, use the "Report" button, then send me the Report ID so I can analyze the possible false positive and see if it can be fixed.
Lance wrote:
Also, please don't include o and 0 in your Confirmation code. Who can tell which is which?
Ahem:
Confirmation code label wrote:
Confirmation code:
Enter the code exactly as it appears. All letters are case insensitive, there is no zero.
Re: Bank is clickjacking?
Posted: Fri Jul 31, 2009 2:12 pm
by therube
What bank (URL)?
Re: Bank is clickjacking?
Posted: Sat Aug 01, 2009 3:26 am
by GµårÐïåñ
Everything has already been said, I just want to add that you shouldn't be so surprised that a bank https website is possibly compromised or doing things in a way that can compromise you, it happens all the time. Just because it belongs to a bank and just because it's https doesn't mean anything, they get compromised ALL THE TIME. Often due to bad coding and sometimes due to bad security implementation. If anything you should be happy that a tool like NS catches things like this; even if benign, wouldn't you rather be alerted and know for sure than assume you are safe? If it's actually benign and a false positive, Giorgio has always provided and often implemented the exception for them in the releases that follow, so just let him take a look and see what's what. Better safe than sorry.