Unrealistically complicated clickjacking attacks

Clickjacking attacks rely on the attacker convincing the victim to casually interact with a malicious website, without realizing that some of the clicks may actually be delivered to another, framed origin.

Some of the reports of clickjacking attacks submitted through our form require exceptionally complex or implausible interactions with the malicious site: say, clicking 10 times, pressing "r", and then hitting Enter. When evaluating the submissions, we try to be pragmatic: if we feel that a practical attack would be very difficult to orchestrate, and the safeguarded functionality is of relatively modest value to the attacker to begin with, we will probably not reward the report.

When in doubt, it is always useful to put together a reasonably realistic proof-of-concept exploit and ask yourself or a fellow researcher if they would have fallen for it. If the answer is "no", we'll probably share the same sentiment :-)