|
Table of contents
• Search engines & clickjacking
• Risks for website associated with clickjacking
• How to detect clickjacking
Clickjacking is a deceptive technology based on changing invisible elements on the site that cause some actions over video active ones (buttons, video revival, etc.). As a result, the user unknowingly performs an action that was not part of his plans. For example, he plays a video, but intended to subscribe to a newsletter.
The purpose of clickjacking can be any – from more or less harmless cheating for likes on social networks or subscribers, to covertly obtaining personal data or making purchases at someone expense. Most often there is interaction through social networks: likes, joining communities, stealing personal data from a profile.
Search engines & clickjacking
Yandex, for examle, considers clickjacking to be one of the factors that negatively affect the ranking of the site, because the technology harms users to one degree or another. If the use of deceptive technology is detected, the site's position in the Yandex organic search results will decrease until the use of clickjacking stops. SEO specialists note a drop in website's positions by 20-30 points and a noticeable decrease in search traffic for branded queries. Ranking restrictions are lifted within two weeks after the problem is fixed. In rare cases, a little longer. The imposition of sanctions for clickjacking is displayed in the "Security and violations" section in Yandex.Webmaster. In Yandex.Browser, the site will be displayed with a warning, which may significantly affect clickability. The decision to impose sanctions is applied only according to current data. That is, the use of clickjacking, for example, a month ago does not affect its current position in the Yandex search results. If there is a deceptive technology code, but it is inactive, there will be no restrictions in ranking on Yandex search.
Google does not officially indicate that the positions of website will be lowered in search results. However it is noted that websites that use clickjacking will be excluded from Google's display ads network & website ownsers cannot benefit from placing ads on their website using Google platform.
Risks for website associated with clickjacking
Not all site owners know that clickjacking is used on their resource. It can be added discreetly along with any code of unknown origin. The developers do not advertise that they use clickjacking. And the result, for example, the theft of personal data, can be presented by developer as a goal achieved by other means.
Clickjacking is used by some services that promise to increase sales on the site by identifying visitors social media profiles. The user's contacts are stored in the system and used to send spam or make intrusive calls later. When deciding whether to add any code to the site, the following promises of a developer should alert website owners:
• we can identify users by social media accounts;
• we can provide information that the user does not explicitly specify.
Companies that provide such services do not necessarily use clickjacking, as there are other legal technologies that do not deceive users and do not cause a decrease in the ranking in search engines. But unscrupulous developers can actually use clickjacking, presenting as a different technique. Therefore, it is necessary to check the operation of all elements added to the site.
The code can be placed consciously or not not only by the site owner. The technology can be implemented by hackers by hacking the resource.
How to detect clickjacking
If a message appears in the Yandex Webmaster that the site uses deceptive technology, you need to identify elements containing malicious code. You can find them using special software or manually.
Software: An example clickjacking detection software is Clickjacking Reveal for the Google Chrome browser. It use it install, open the developer tools on the specified site (Ctrl + Shift + I), open the page (Ctrl + F5). The extension will find malicious code. If there is, the source tab opens. It will specify scripts using deceptive technology.
Manually: To find clickjacking manually, you need to identify hidden elements. The browser console is used for this purpose. During the verification, you need to be logged in to some social network.
The following steps must be performed:
1. Log in to a social network (for example, VKontakte).
2. Clear cookies from the site in the browser.
3. Open the console (Ctrl + keyboard shortcut Shift + I or Ctrl + Shift + K for Mozilla Firefox).
4. Download the page under study.
5. Perform some actions simulating the activity of a regular user.
6. To see if there is an appeal to the social network. To do this, on the "Network" tab in the console, you need to search for entries corresponding to social network events. For VKontakte, this is widget_auth.php-authorization, widget_like.php-like.
7. Next, you need to find the code that causes the loading of hidden elements. In the Inspector tab, you need to find code snippets that access social networks. Each element needs to be checked: it belongs to a visible or hidden area. To do this, just hover the cursor and look at the selected area of the screen.
8. If there is an appeal to social networks on the "Network" tab, and the "Inspector" tab fails to detect the code fragment that causes it, this is clickjacking. You can identify the code by sequentially deleting questionable fragments, while checking whether the access to social networks has disappeared. A separate attachment should be deleted using the script, iframe, and object element.
If the code that is the cause of clickjacking is found, it must be deleted. It is recommended to save a backup copy of the site beforehand, so as not to accidentally disrupt the operation of some necessary and user-safe elements. After eliminating the clickjacking code, you need to go to the "Security and violations" section in the Yandex Webmaster and click on the "I fixed everything" button to re-check faster.
|
