科技回声
A technology news platform built on Next.js, providing global technology news and discussion.
© 2025 科技回声. All rights reserved.

It's surprisingly simple to click jack using CSS4

46 points, posted by ansman about 13 years ago

12 comments

franciscoapinto, about 13 years ago
Ah. Good old noscript.
http://i.imgur.com/Cb17T.png
Keithamus, about 13 years ago
The trick is to overlay an element over the top of a link, with the CSS of "pointer-events: none;".
Clicking the div will click the underlying link, which will (if you're logged into Facebook) "like" the Facebook Developer group.
Is this an issue with HTML5, or is it really an issue with how easily sites can manipulate your Facebook account?
simonw, about 13 years ago
Even without this trick it's trivial to clickjack a Like button - just place the button on a div with an alpha transparency of 0.01 and trick the user into clicking it.
Unfortunately it simply isn't possible to provide something like the Like button without being vulnerable to clickjacking. I assume Facebook decided that the benefits outweighed the drawbacks. There's probably something clever they can do on the server side to statistically detect and penalize likely clickjacking attempts.
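The two comments above describe the same problem from both sides: an embedded button can be covered by a `pointer-events: none` overlay or faded to `opacity: 0`, and the widget itself cannot inspect the embedding page. One client-side mitigation the widget owner can apply is IntersectionObserver v2 (`trackVisibility` / `isVisible`, currently Chromium only), which reports whether the element was actually painted unoccluded and at full opacity. The code below is an added example, not from the thread or from Facebook; `shouldAllowClick` and `createClickGuard` are names chosen here.

```javascript
// Added example: an embeddable widget that performs its privileged action only
// when the browser has recently reported the button as visible and unoccluded.
// Relies on IntersectionObserver v2 (Chromium). In browsers without v2 support,
// `isVisible` is undefined and the guard falls back to blocking the click.

// Pure decision logic, kept free of DOM access so it can be unit-tested.
// `entry` mirrors the IntersectionObserverEntry fields we care about:
// isVisible (v2 occlusion/opacity check), intersectionRatio and time (ms).
function shouldAllowClick(entry, nowMs, maxAgeMs) {
  if (!entry || entry.isVisible !== true) return false;   // occluded, faded, or unsupported
  if (entry.intersectionRatio < 1) return false;          // clipped or partly off-screen
  if (nowMs - entry.time > maxAgeMs) return false;        // last visibility report is stale
  return true;
}

// Wires the decision logic to a real button. Returns counters so callers can
// feed blocked-click rates into the kind of server-side heuristics simonw mentions.
function createClickGuard(button, performAction, opts = {}) {
  const maxAgeMs = opts.maxAgeMs ?? 500;
  const state = { allowed: 0, blocked: 0 };
  let lastEntry = null;

  if (typeof IntersectionObserver === 'function') {
    const observer = new IntersectionObserver(
      (entries) => { lastEntry = entries[entries.length - 1]; },
      { threshold: 1.0, trackVisibility: true, delay: 100 } // v2 requires delay >= 100
    );
    observer.observe(button);
  }

  button.addEventListener('click', (ev) => {
    const now = (typeof performance !== 'undefined') ? performance.now() : Date.now();
    if (shouldAllowClick(lastEntry, now, maxAgeMs)) {
      state.allowed += 1;
      performAction(ev);
    } else {
      state.blocked += 1;
      ev.preventDefault(); // e.g. open a confirmation in a top-level window the embedder cannot overlay
    }
  });
  return state;
}
```

Note that `isVisible` is false whenever any ancestor (including the embedding page's overlay) covers the element or applies `opacity` below 1, filters or distorting transforms, which covers both tricks discussed in this thread.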
duopixel, about 13 years ago
You don't need CSS4 to clickjack, just put the Facebook Like button on top of the link and apply opacity: 0.
http://jsfiddle.net/txbYs/
acomjean, about 13 years ago
Looks like the same game as the "don't click" Twitter button (that everyone clicked anyway) from 2009. That was iframes/CSS.
http://shiflett.org/blog/2009/feb/twitter-dont-click-exploit
enr, about 13 years ago
It prompted me to log in even though I have FB open and am logged in in a separate tab.
richbradshaw, about 13 years ago
I've used pointer events ages ago - surprised it's part of CSS4… (the nav bar on http://www.splashdisplay.co.uk/ uses it so the nav can be behind the curve)
Loque_k, about 13 years ago
I don't see how this is any different from XHTML or HTML 4... what am I missing?
matznerd, about 13 years ago
I know people who used tricks like this and some clickjacking on the share button to get 1 million+ person fan pages. Many of them were seized, but for a while it was easy.
jonknee, about 13 years ago
I run Facebook Disconnect and it makes the web much nicer; this demo is non-functional with it.
rex_mundi, about 13 years ago
This has likely been happening for quite some time, especially on file locker sites.
StCroix, about 13 years ago
CSS4? Where was I? And when??