
I have it so flash doesn't start on page load for security and performance. Lately I have been noticing that some pages will load with a flash document that takes up the full screen. I can see it as it has not started running and gives the gray box to enable flash. I found that when this flash document is loaded it is invisible and tricks the user by taking the click actions of the user when the user thinks they're clicking on the page. I would like to know what this is and how to get rid of it altogether. It looks to be used to reroute users to advertisements. I have noticed it on a lot of news websites from Google News.

Has anyone else discovered this on a website and found out what it is and how to stop it? So far what I have to do is, as the flash document has not loaded, right click on it and have it hidden and not run. This feels like a workaround for something that a user should not have to deal with.

2 Answers

1

Clickjacking is an old problem of the HTML world. There isn't a really good way to "fix" it from the standards point of view without breaking a lot of existing pages.

But I don't think Flash-based clickjacking works anymore in Chrome (nor is it really necessary) because Chrome now requires you to right click on a blocked plug-in to activate it and the context menu clearly says you're enabling a plug-in.

What you saw is more likely just a normal iframe doing clickjacking. This is allowed by all browsers by default and is way more damaging as it also bypasses the same origin policy that Flash would follow.

Installing NoScript can help you defend against them.

billc.cn
  • I presume you're talking about https://noscript.net/ – Patrick W. McMahon Mar 03 '16 at 16:37
  • I will try this out. – Patrick W. McMahon Mar 03 '16 at 16:39
  • 1
    @PatrickW.McMahon Yes, that's the one. You'll probably want to tweak the settings to block more third-party "embeddings". Its XSS and ABE protection generates a lot of false positives, so you may want to disable them if you have trouble with websites that use third-party payment processors (all of them!). Also, use the setting to hide the blocked script notification bar after a few seconds. – billc.cn Mar 03 '16 at 17:28
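As an added example (not code from either answer or its authors): the plain-iframe clickjacking billc.cn describes works only when the framed page does not tell the browser who may embed it. The Node.js script below audits a page's response headers for that, applying the `frame-ancestors` CSP directive (which takes precedence over `X-Frame-Options` when present) and the `DENY` / `SAMEORIGIN` values of `X-Frame-Options`. The site names, origins and header values are constructed, and `framingVerdict` and `unprotectedSites` are hypothetical helper names.

```javascript
// Added example: audit HTTP response headers for clickjacking protection,
// i.e. whether another origin may embed the page in an <iframe>.
// All sample sites, origins and header values are constructed.

// Split an origin or CSP host-source such as "https://*.example.com:8443"
// into scheme, host and port. Scheme and port are optional in a CSP source.
function parseSource(src) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+))?$/i.exec(src.trim());
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// Does the CSP source expression `pattern` match the embedding origin?
// Covers the common subset of host-source matching: optional scheme, exact
// host or a leading "*." label wildcard, and optional port.
function sourceMatches(pattern, embedder) {
  if (pattern === "*") return true;
  const p = parseSource(pattern);
  const o = parseSource(embedder);
  if (!p || !o) return false;
  if (p.scheme && p.scheme !== o.scheme) return false;
  if (p.host.startsWith("*.")) {
    const suffix = p.host.slice(1); // e.g. ".partner.example"
    if (!o.host.endsWith(suffix) || o.host.length <= suffix.length) return false;
  } else if (p.host !== o.host) {
    return false;
  }
  const originPort = o.port || (o.scheme === "https" ? "443" : "80");
  if (p.port && p.port !== originPort) return false;
  return true;
}

// Return the frame-ancestors source list from a CSP header value, or null if
// the directive is absent. Quotes around 'self' / 'none' are kept so that the
// keywords are not confused with hostnames.
function frameAncestors(csp) {
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Decide whether `embedder` may frame the page at `pageOrigin`, given the
// page's response headers (object keyed by lowercase header name).
// Returns { allowed, mechanism } where mechanism is the header that decided.
function framingVerdict(headers, pageOrigin, embedder) {
  const sameOrigin = embedder.toLowerCase() === pageOrigin.toLowerCase();
  const csp = headers["content-security-policy"];
  const ancestors = csp ? frameAncestors(csp) : null;
  if (ancestors !== null) {
    // With frame-ancestors present, browsers ignore X-Frame-Options (CSP Level 2).
    const allowed = ancestors.some((src) => {
      if (src === "'none'") return false;
      if (src === "'self'") return sameOrigin;
      return sourceMatches(src, embedder);
    });
    return { allowed, mechanism: "csp" };
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, mechanism: "x-frame-options" };
  if (xfo === "SAMEORIGIN") return { allowed: sameOrigin, mechanism: "x-frame-options" };
  // No header, or a value current browsers do not enforce (e.g. ALLOW-FROM):
  // any origin can embed the page in an invisible iframe.
  return { allowed: true, mechanism: "none" };
}

// Constructed sample responses from three hypothetical sites.
const SAMPLE_RESPONSES = {
  "https://news.example": { "content-type": "text/html" },
  "https://bank.example": {
    "content-security-policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
    "x-frame-options": "DENY", // ignored, because frame-ancestors is present
  },
  "https://shop.example": { "x-frame-options": "SAMEORIGIN" },
};

// List the sample origins that an untrusted embedder could frame.
function unprotectedSites(responses, embedder) {
  return Object.entries(responses)
    .filter(([origin, headers]) => framingVerdict(headers, origin, embedder).allowed)
    .map(([origin]) => origin);
}

console.log(unprotectedSites(SAMPLE_RESPONSES, "https://untrusted.example"));
// → [ 'https://news.example' ]
```

Run it with `node` to see which of the constructed sites would be embeddable; in practice you would feed it the headers returned by a real fetch of your own site. The point of the audit is the last branch of `framingVerdict`: a page with neither header is framable by anyone, which is what makes the hidden-iframe trick possible.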
1

It sounds like you're falling victim to Javascript/jQuery onClick/click and CSS positioning/sizing tricks, so it'll trick you into loading the flash.

Even if you disable Javascript, with CSS, it's possible to trick you into clicking something else.

  1. Disable Javascript / use NoScript. Won't help against CSS.
  2. Disable CSS (sigh).
  3. Disable Flash altogether.

You'll have a less crippled web-browsing experience if you just disable Flash.

Mark Buffalo
  • I currently have flash not run on page load but I would rather get rid of flash altogether. Now that the web is HTML5, if there is a site reliant on flash, I have no interest in using old flash sites. Flash eats up all my resources way too often. – Patrick W. McMahon Mar 03 '16 at 16:41
  • I have it disabled, and refuse to use it. It's trash. Still, check out [this site for a demo](https://thejh.net/misc/website-terminal-copy-paste) of CSS trickery. This works even with Javascript disabled. There are, quite unfortunately, lots of creative ways to screw with people if you really want to. – Mark Buffalo Mar 03 '16 at 16:44