This page demonstrates a simple clickjacking attack against frame-embedded UI, for example Twitter's "Follow me on Twitter" button. The technique is simple. First, wait until Twitter's Follow button has become an iframe, so the attack can start. Second, make the iframe invisible with CSS opacity: 0. Note: I don't hide the iframe because this is not a real attack, just an example for private study and research. Third, give the iframe absolute positioning and keep it under the user's cursor, so that when the user clicks anywhere on the page, the click lands on the button inside the iframe and, as a result, the user follows you on Twitter (if they are logged in to a Twitter account). The last trick is how to tell that the user has clicked the button, so the iframe can be left alone (this avoids further clicks on the button, which would lead to a popup). This is done by listening for the blur event on the current window: once the user clicks inside the iframe, the current window loses focus, after which we can stop moving the iframe and return the page to its normal state.
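A widget that has to stay embeddable cannot simply refuse framing, but it can refuse clicks that arrive while the embedding page is drawing it transparent, which is exactly the second step above. The following is an added example, not code from the original page: ClickGuard, protectButton, the callbacks and the 800 ms threshold are assumptions, and it relies on IntersectionObserver v2 (trackVisibility / isVisible), failing closed where the browser does not provide it.

```javascript
// Added example: click guard that runs INSIDE the embedded widget's iframe.
// ClickGuard, protectButton and the 800 ms threshold are illustrative assumptions.
const MIN_VISIBLE_MS = 800;

class ClickGuard {
  constructor(minVisibleMs = MIN_VISIBLE_MS) {
    this.minVisibleMs = minVisibleMs;
    this.visibleSince = null; // time the button last became verifiably visible
  }

  // Feed every IntersectionObserverEntry for the button into this method.
  update(entry) {
    // isVisible (IntersectionObserver v2) is true only when the browser can
    // vouch that the target is unoccluded and drawn at full opacity without
    // filters, taking the embedding page's styling into account.
    // It is undefined without v2 support, so "=== true" fails closed.
    const ok = entry.isIntersecting === true && entry.isVisible === true;
    if (!ok) {
      this.visibleSince = null;
    } else if (this.visibleSince === null) {
      this.visibleSince = entry.time;
    }
  }

  // A click counts only after the button has been continuously visible
  // for minVisibleMs.
  allows(now) {
    return this.visibleSince !== null &&
           now - this.visibleSince >= this.minVisibleMs;
  }
}

// Browser wiring. onTrusted performs the action; onSuspicious should fall
// back to an explicit confirmation step instead of acting silently.
function protectButton(button, onTrusted, onSuspicious) {
  const guard = new ClickGuard();
  const observer = new IntersectionObserver(
    (entries) => entries.forEach((e) => guard.update(e)),
    { threshold: [1.0], trackVisibility: true, delay: 100 } // v2 needs delay >= 100
  );
  observer.observe(button);
  button.addEventListener('click', (event) => {
    if (guard.allows(performance.now())) onTrusted(event);
    else { event.preventDefault(); onSuspicious(event); }
  });
  return guard;
}
```

With the iframe at opacity: 0 the observer never reports isVisible as true, so every click takes the onSuspicious path.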

