Fake Link Clickjacking

Chances are that you’ve already been a victim of this.

If you’ve used Google search with JavaScript enabled, you might’ve noticed that when you hover over a result, the URL your browser shows for the link points to the respective website. But when you actually click on it, you are sent to a Google URL that redirects to the original site. Google does this for analytics, so it’s fairly harmless to users.

This type of clickjacking, like almost all other forms of clickjacking, uses JavaScript. The version I wrote, however, is a little better than what Google uses. But first, let me start with a live demo:

You may think this link leads you to Google. But try clicking it.

You might think: pretty harmless, right? But what about something like this:

You can probably now see how this could be used.

The method is fairly simple – you just change the href on the anchor right before the mouse click is released by using onmousedown. If you click and hold the link, you’ll see that the URL changes to Bing.

What makes my code different from Google’s? Well, if you click and hold a link on the Google search results and end up dragging away (basically not fully completing the click), the URL is permanently changed to the Google one. The code I have restores the original URL every time the mouse moves over the link. It’s not a big change, but it could make a difference.

Without much further ado, here’s the code.
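A defender-side counterpart to the technique above, as an added example that is not the author's code: a guard that records the href a user saw on hover and blocks the click if the link now points to a different origin. The names `createHrefGuard` and `installHrefGuard` are hypothetical, and the Google and Bing URLs in `demo()` are constructed sample values mirroring the demo described above.

```javascript
// Added example (not the post's code). All names are hypothetical.
function originOf(href) {
  try { return new URL(href).origin; } catch { return "invalid:" + href; }
}

function createHrefGuard(report) {
  const shownAtHover = new WeakMap(); // anchor -> href the user saw on hover
  return {
    // mouseover: record the href, but not while a button is held, because
    // the swap described above happens on mousedown.
    hover(anchor, buttons = 0) {
      if (buttons === 0) shownAtHover.set(anchor, anchor.href);
    },
    // click: returns true if navigation may proceed.
    click(anchor, event) {
      const shown = shownAtHover.get(anchor);
      if (shown === undefined || shown === anchor.href) return true;
      const crossOrigin = originOf(shown) !== originOf(anchor.href);
      report({ shown, actual: anchor.href, crossOrigin });
      if (crossOrigin) event.preventDefault(); // stop the redirected click
      return !crossOrigin;
    },
  };
}

// Browser wiring: capture-phase listeners on the document.
function installHrefGuard(doc, report) {
  const guard = createHrefGuard(report);
  const linkOf = (e) => (e.target.closest ? e.target.closest("a[href]") : null);
  doc.addEventListener("mouseover", (e) => {
    const a = linkOf(e);
    if (a) guard.hover(a, e.buttons);
  }, true);
  doc.addEventListener("click", (e) => {
    const a = linkOf(e);
    if (a) guard.click(a, e);
  }, true);
  return guard;
}

// Constructed scenario with plain objects standing in for DOM nodes.
function demo() {
  const findings = [];
  const guard = createHrefGuard((f) => findings.push(f));
  const event = { prevented: false, preventDefault() { this.prevented = true; } };
  const anchor = { href: "https://www.google.com/" };
  guard.hover(anchor);                    // user hovers, sees google.com
  anchor.href = "https://www.bing.com/";  // page swaps href on mousedown
  guard.hover(anchor, 1);                 // mouseover with button held: ignored
  const allowed = guard.click(anchor, event);
  return { allowed, prevented: event.prevented, findings };
}
```

In a browser, call `installHrefGuard(document, console.warn)` from a content script or userscript. Keyboard and touch activations skip the hover step, so the guard lets them through unchecked.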
