Ask HN: Facebook clickjacking – is it detectable?

18 points by jl87 ↗ HN
I went to scammy clickbait website the other day and afterwards noticed that I "liked" them on Facebook.

After doing some research I released that I had been clickjacked, which is when a website hides a certain button underneath another button so that when I click one thing, for example a play now button, I'm actually also clicking another button, like a Facebok like.

My question is: can Facebook and/or Google punish sites for things like this?

Aside from it being sleezy, why doesn't other sites do this?

22 comments

[ 4.7 ms ] story [ 65.2 ms ] thread
Depending on the algorithm for "homepage news" on say Facebook. Having fake "likes" will result in your "news" being seen only by "fake" people or people that are not interested.
Can you give me an example site which has that. May be we can build a chrome app/extension for that.
Facebook will after a certain point put a captcha if they suspect clickjacking, and they do that incredible fast!

It is properbly a combination of user tracking and how many removes the like just after the see it on their own profile.

The simplest way to avoid this (though it does require some guesswork on your part) is to always open those suspicious sites with incognito mode. If when you click the button it asks you to log into facebook (don't) you would have been clickjacked.
A simpler way is to have a seperate Chrome (or Firefox) profile for Facebook. I have an icon in my taskbar for Gmail and it simply opens up Chrome with that profile, which has Gmail set as homepage.

Not a perfect solution, but good first line of defense none-the-less.

It's possible to detect whether an element is visible using window.getComputedStyle(). Why don't Facebook do this? Because it's slow. And measures like this can cause problems on the page. They want their button integration to be fast and low impact, so they would rather handle a couple of abusers (which they're quite good at) than inconvenience a large number of sites.
Couldn't an attacker override window.getComputedStyle() at runtime anyway?
Presumably Facebook would have CSP headers set on some of the scripts they load to prevent JavaScript on the page from interacting with their own scripts.
'Because it's slow' doesn't seem to make much sense to me. Couldn't they register the click then do the check, allowing them to have the best of both worlds?
It's JavaScript, so the client pays for it. If you're on an already slow browsers, you don't want to see it choke after you click on a button. So companies like Facebook ignore the problem on the client side, and solve it on the server side.
getComputedStyle() doesn't work across iframes.
opece.eu

This is an example of likejacking website. The text is in romanian and it's says it's donating an apartment via a contest if you fill that form.

The "Trimite" (Send) button is where the like jacking occurs.

It won't happen if you aren't always logged in Facebook. Log out from Facebook after you used it...
>after you used it

You clearly have a different Facebook use-case than a lot of people.

This talk describes what Facebook does to combat clickjacking: https://www.youtube.com/watch?v=0ih8TSXi3e4#t=12m29s

It's an interesting watch, and they probably stop a few people, but the description they give sounds very bypassable by seeding the links with a certain amount of "legit" clicks.

They pretty much punish websites that use clickjacking by forcing their users to validate the click with popups.

installing extensions like NoScript, Privacy Badger, Ghostery might prevent the links from sneaking up
I once heard of an instance where the link redirected to a legit website for requests coming from Facebook's IP, and to a scam-type website from all other IPs.