
But you should still panic a little bit because this technique can be used for https://en.wikipedia.org/wiki/Clickjacking


The most it could do is fool you into thinking your cursor is somewhere else within the same web page, which the malicious dev in this case would already have total control over. If they wanted to fool you into clicking something, they'd have an easier time just mis-labeling the button.


Since this can make you think your cursor is in a different position in the page than it actually is, couldn't it potentially be used to mislead you to click outside the page as well? Possibly not into browser chrome[1], but what about on an iframe?

Place button A the user wants to interact with at position (X,Y), place iframe button B at position (X+W,Y), with as little a border as possible with the rest of the page, then offset fake cursor by -W. User will try to mouse over button A, mistakenly mouse over button B, and click it in the time it takes to register that the mouse pointer just jumped from the edge of one button to the edge of the other...

[1] Though I can see the trick below maybe working for some browser's permission request "tooltip" UIs...
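The iframe variant above only works if the target page lets a third-party origin frame it at all. The following is an added example, not code from this thread: a check that reads a page's response headers and decides whether a given embedding origin may frame it, giving CSP `frame-ancestors` precedence over `X-Frame-Options` as browsers do. Header values and origins are constructed sample input.

```javascript
// Parse a Content-Security-Policy value into a Map of directive -> source list.
// A directive that appears twice is ignored the second time, as browsers do.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// Match one frame-ancestors host-source (e.g. https://*.partner.example:443)
// against an embedding origin. Simplified: a source without a scheme matches
// any scheme, and the default port is inferred from the embedder's scheme.
function matchesHostSource(src, embedder) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const e = new URL(embedder);
  if (scheme && scheme !== e.protocol.slice(0, -1)) return false;
  const hostOk = host.startsWith('*.')
    ? e.hostname.endsWith(host.slice(1)) && e.hostname.length > host.length - 1
    : host === e.hostname;
  if (!hostOk) return false;
  const ePort = e.port || (e.protocol === 'https:' ? '443' : '80');
  return !port || port === '*' || port === ePort;
}

// True if `embedder` (an origin string) may frame a page served from `pageOrigin`
// with these headers. `headers` maps lowercase header names to their values.
function isFrameable(headers, embedder, pageOrigin) {
  const csp = headers['content-security-policy'];
  const ancestors = csp ? parseCsp(csp).get('frame-ancestors') : undefined;
  if (ancestors) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
    if (ancestors.includes("'none'")) return false;
    return ancestors.some((src) =>
      src === '*' ||
      (src === "'self'" && embedder === pageOrigin) ||
      (/^[a-z][a-z0-9+.-]*:$/.test(src) ? embedder.startsWith(src)
                                        : matchesHostSource(src, embedder)));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === pageOrigin;
  return true; // no framing restriction at all: any origin can embed the page
}
```

A page that returns `true` for an arbitrary origin is the kind that the cursor-offset trick can be pointed at; the fix on the target side is `frame-ancestors 'none'` (or `'self'`) rather than relying on the user noticing the pointer jump.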



