Real Clickjacking?

This demos what is probably the "real" clickjacking technique, using iframes and z-indeces. Thanks, MZ! How to use it:

Be logged into Myspace, with a private profile.

Come to this page with another browser window.

Click the red button, then the orange one.

Ta-da! Now your profile is public, regardless of what your original privacy settings were.

The Buttons

Imagine, instead of fixed little span tags, these buttons are part of a terribly exciting punch the monkey game. You must click them!

What's really happening

Click here to set the opacity of the Myspace iframe to something more visible.
Click here to make it invisible again. Note, differences in fonts and stuff will tend to mess up the alignments, but you get the idea.

So now, go check yourself. Of course, this trick gets a lot more expensive when you do things like iframe in stock brokerage, auction, or charity buttons...

And if you say the buttons don't line up right, my screens will prove you a liar. (Or prove that I'm too lazy to do proper font/browser checking.)

Update Sep 29, 2008: Juggled some of the text so the buttons all work if you happen to be inside an iframe from the original BreakingPoint post.

Update Oct 31, 2008: A more complicated example is now up here, but it requires Firefox 3 (maybe FF 2). IE doesn't line up the same way without slightly more complicated mouse positioning.