December 4, 2025
Click me, I dare you
Trick users and bypass warnings – Modern SVG Clickjacking attacks
New ‘SVG trick’ freaks out the web—some want CSS off, others say it’s nothing
TLDR: A flashy new “SVG clickjacking” trick can make people unknowingly interact with other sites, even faking captchas. The comments are split between panic (“disable CSS!”), practical advice (“just block embedding”), and art appreciation, debating whether this is a real threat or just a cool visual stunt.
A new twist on clickjacking—the sneaky trick that hides a real site under a fake one—has everyone clutching their mouse. The researcher’s flashy “SVG clickjacking” demo uses artsy visual filters to make you interact with another site without noticing, even turning secret codes into fake captchas. It started with Apple’s buzzy Liquid Glass lookalike, then escalated into “wait… this works on embedded pages?” [link].
Cue the comment section meltdown. autoexec wants the nuclear option: “turn off SVG, maybe turn off CSS too,” basically unplugging the web to save it. scoofy, who actually uses inline SVG on a legit site, is sweating whether browsers will slam the brakes. Meanwhile, paulpauper drops lore about 2010 Facebook clickjacking (“made you like stuff, but not steal sessions”), reminding everyone we’ve seen this circus before. And then zephraph shows up like an art critic—“the SVG adder is art”—while bawolff shrugs: with modern browser protections (block embedding, stricter cookies), this might be more flair than fear.
So the drama splits three ways: doomers calling CSS a weapon, pragmatists saying “use your headers,” and aesthetes applauding the visual wizardry. The memes? “Disable the internet to be safe” vs “Samsung has nothing on her.” It’s security panic meets design fan club, and nobody can look away.
Key Points
- •The article introduces “SVG clickjacking,” using SVG filters on iframes to enable complex interactive attacks and data exfiltration.
- •The technique was discovered while recreating Apple’s “Liquid Glass” effect with CSS/SVG and testing it over a cross-origin iframe.
- •SVG filter elements (e.g., feColorMatrix, feDisplacementMap, feComposite) can be chained to build attack primitives.
- •Filters unexpectedly operate on cross-origin iframe content, allowing manipulation of its visual output.
- •An example demonstrates exfiltration by distorting iframe text to resemble a CAPTCHA using feTurbulence and feDisplacementMap, prompting user re-entry.