NoScript ClearClick Warning For Wordpress.com Stats
For those unaware, NoScript is a wonderful Firefox addon that keeps your browser secure. In the words of the development team,
The NoScript Firefox extension provides extra protection for Firefox, Flock, Seamonkey and other Mozilla-based browsers: this free, open source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice (e.g. your online bank), and provides the most powerful Anti-XSS protection available in a browser.
I have recently run into a problem which relates to a ClearClick Clickjack attempt warning when using Wordpress.com Stats with Wordpress 2.6.5, and I’ve been unable to find a solution. I have upgraded to the latest version of both the Wordpress.com Stats plugin and Wordpress itself. Wordpress.com Stats is a Flash-based plugin. When signing in to my dashboard I am presented with a login box for my stats which looks like this:
When I click on the textbox for username and press my first key I receive a NoScript Potential Clickjacking / UI Redressing Attempt pop-up warning. The link that it claims is being clickjacked is http://dashboard.wordpress.com/wp-login.php?action=auth&redirect_to=http%3A%2F%2Fdashboard.wordpress.com%2Fwp-admin%2Findex.php%3Fpage%3Destats%26blog%3D3985288%26noheader%3Dtrue%26chart%26unit%3D1%26width%3D463%26height%3D228 which is just a link to the embedded Wordpress.com statistics.
My questions are these: Should I be worried? Has my Wordpress Admin section been compromised? Does Wordpress have an exploit allowing someone to embed clickjack attempts within my site? Or is this a false positive and nothing to worry about? I’ve been unable to find any other reports of this issue, so I’m posting it here and hope to get to the bottom of this.

A quick and easy way to decide if a ClearClick warning is a false positive or not is comparing the green-bordered image with the red-bordered one you get by clicking on it. The former depicts the “clear” object you’re clicking (i.e. with no transparencies and no objects overlaying it), the latter the way it appears on the page as it is intended by its (possibly malicious) designer.
If the two clearly represent the same thing and it’s what you intended to interact with (like in this case), it’s probably a false positive and I’d appreciate a report on http://noscript.net/forum possibly with both the screenshots.
BTW, are you using the latest NoScript version?
@Giorgio
Thanks for the quick reply. I’ve posted the information on the forum at http://forums.mozillazine.org/viewtopic.php?f=48&t=826005&p=5142095#p5142095 along with the screenshots.
The difference between the green and red bordered image when I click is that the image shifts down by half an inch, but I am unable to see anything suspicious.
I’m using the latest version of NoScript .. just updated it today to be sure.