Gesture Jacking – New Attack That Deceives Website Visitors

The Web Platform is incredibly powerful, but regrettably, malicious websites will do all in their capacity to misuse it.



To prevent such exploitation, blocking actions that weren’t accompanied by a “User Gesture” is one of the weakest (but easiest to implement) defenses.



Gestures are a weak primitive because, although it is easy to determine whether a user has clicked or pressed a key, a gesture on its own does not reliably convey what the user actually intended to request.



A more certain method of deceiving users is gesture-jacking, which removes the dependence on accurate window positioning, precise click timing, and the variability of the user’s display settings.

Rather, the attacker lures the user into holding a key, causes a victim webpage to appear, and the still-held key press is then delivered to the victim’s website.



Overview Of Gesture Jacking Attack



Security researcher Paulos Yibelo describes in detail a form of attack in which a user is tricked into holding down a key (such as Enter), and that held key is interpreted as accepting a popup window and activating a button on the website of the intended victim.



The victim’s security could be severely compromised if the button on that page executes a risky activity (such as “Grant access,” “Transfer money,” etc.).
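The following is an added defensive example, not code from the article or from the researchers it cites. It sketches how a page with a sensitive button can refuse to treat a key that was already held when the page appeared as an activation: auto-repeat events, presses that arrive before a keyup has been seen, and presses inside a short arming window after the page is shown are all rejected. Event objects are modelled as plain objects (assumed fields: key, repeat, timeStamp) so it runs in Node; in a browser you would pass real KeyboardEvents and call pageShown() from a load or focus handler.

```javascript
// Guard for a sensitive button so that a key the visitor was already holding
// when the page appeared cannot count as a deliberate activation.
// armDelayMs: how long after the page is shown before a press is accepted.
function createActivationGuard({ armDelayMs = 500 } = {}) {
  let pageShownAt = null;     // timestamp when the page became visible/focused
  let sawCleanKeyUp = false;  // true once a keyup has been observed after showing
  const rejected = [];        // reasons for rejected activations (for logging)

  // Call from a load/focus handler; resets the "clean keyup" requirement.
  function pageShown(now) {
    pageShownAt = now;
    sawCleanKeyUp = false;
  }

  // A keyup proves the activation key is not being held from an earlier page.
  function onKeyUp(evt) {
    if (evt.key === "Enter" || evt.key === " ") sawCleanKeyUp = true;
  }

  function deny(reason) {
    rejected.push(reason);
    return false;
  }

  // Returns true only for a fresh, deliberate press of Enter or Space.
  function onKeyDown(evt) {
    if (evt.key !== "Enter" && evt.key !== " ") return false;
    if (pageShownAt === null) return deny("page not shown yet");
    if (evt.repeat) return deny("auto-repeat of a held key");
    if (!sawCleanKeyUp) return deny("no keyup seen since page appeared");
    if (evt.timeStamp - pageShownAt < armDelayMs) return deny("pressed inside arm delay");
    return true;
  }

  return { pageShown, onKeyDown, onKeyUp, rejected };
}

// Constructed sequence: page appears at t=1000 while Enter is already held.
function demo() {
  const guard = createActivationGuard({ armDelayMs: 500 });
  guard.pageShown(1000);
  const held = guard.onKeyDown({ key: "Enter", repeat: true, timeStamp: 1010 });
  guard.onKeyUp({ key: "Enter" });
  const fresh = guard.onKeyDown({ key: "Enter", repeat: false, timeStamp: 1600 });
  return { held, fresh, rejected: guard.rejected };
}
```

In a real page the click handler on the sensitive button would only run its action when onKeyDown returns true, and a pointer click would be subject to an equivalent arm delay.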



Eric Lawrence, an expert browser developer and general program manager for Microsoft Defender, investigated the attack and referenced Yibelo’s post.



The author refers to the attack as a cross-window forgery; however, Eric Lawrence calls it a gesture-jacking attack because it most closely resembles the ClickJacking attack vector that gained attention in 2008.




"Gesture Jacking" — the attacker entices you to hold Enter and then causes some UI to appear where the Enter key activates an unsafe action. Several of these have been fixed over the years; e.g. https://t.co/inByosxzq4 —