InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

ClearClick false positive?

https://forums.informaction.com/viewtopic.php?t=8197

Page 1 of 1

ClearClick false positive?

Posted: Sun Feb 19, 2012 6:12 pm
by aloishammer
After disabling ABP and Ghostery, I still can't log into vip.asus.com (which embeds yostore.net). The Error Console offers one clue:

[NoScript ClearClick] Swallowed event keypress on INPUT/0 at https://sp.yostore.net/access/requestticket/

I can log in fine in Opera 12.00 alpha x64 with an ad-blocker and Ghostery running.

Re: ClearClick false positive?

Posted: Thu Feb 23, 2012 8:23 am
by Tom T.
aloishammer wrote:After disabling ABP and Ghostery, I still can't log into vip.asus.com (which embeds yostore.net). The Error Console offers one clue:

[NoScript ClearClick] Swallowed event keypress on INPUT/0 at https://sp.yostore.net/access/requestticket/

I can log in fine in Opera 12.00 alpha x64 with an ad-blocker and Ghostery running.
Offhand, I'd say it's the script called

Code: Select all

https://sp.yostore.net/access/include/js/overlay.js
Overlays are a method of clickjacking, and so raise alarm bells in NS.
Even their style sheet includes

Code: Select all

/* the overlayed element */
.apple_overlay {
	background-image:url(../../images/pop_BG.gif);
	
	/* initially overlay is hidden */
	display:none;
Do you get a ClearClick warning box, with a place to click to "Send a report", and an ID#?

If so, please click it so that Giorgio can examine the report, and please post the report ID# here, thanks.

Otherwise, it seems that the site is very poorly designed.

Re: ClearClick false positive?

Posted: Thu Feb 23, 2012 8:42 am
by Giorgio Maone
Cannot reproduce (tried both 10.x and Nightly).
What do you mean by "Cannot login"?
Does the site refuse your credential, or are you unable to type (which would be the ClearClick effect, if it went on your way)?

Re: ClearClick false positive?

Posted: Thu Feb 23, 2012 6:01 pm
by aloishammer
Giorgio Maone wrote:Cannot reproduce (tried both 10.x and Nightly).
What do you mean by "Cannot login"?
Does the site refuse your credential, or are you unable to type (which would be the ClearClick effect, if it went on your way)?
After I clicked the button to continue, I got "please wait" and an animation. After three tries and ten minutes or so, I gave up and called AmEx to get my card activated. Unfortunately, that means I won't be able to reproduce this, now, unless I report my card stolen again, which I'd rather not do. ;)

And, to answer the question above, I didn't get any ClearClick warnings; just the notification in the Error Console.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited