This was a demonstration prepared for a colleague, Spencer Low, showing how an attacker could overlay a transparent IFrame over a trusted page and capture clicks intended for it. The victim site was framed without its knowledge and positioned to coincide with a button in the attacker’s interface.

<iframe src="seattletimes.html" width="600" height="320"></iframe>

The technique relies on CSS positioning to align a clickable element in the attacker page with an action in the framed page. The user sees one thing and clicks another. This kind of attack predated the widespread adoption of X-Frame-Options and Content-Security-Policy: frame-ancestors, which are today’s standard defenses.
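A defender-side check for the two headers named above, as an added example that is not part of the original demonstration: a simplified model of how a browser decides whether a response may render inside a frame. The function names are hypothetical, and the model assumes one embedder (the top-level page), one CSP header, and only `'none'`, `'self'`, `*` and exact origins in `frame-ancestors`.

```javascript
// Added example (not from the original page): simplified framing decision.
// Assumptions: origins are passed as strings such as "https://site.example",
// there is a single embedder, and header values are plain strings.

// Return the source list of the first frame-ancestors directive, or null.
function frameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null; // default-src does NOT act as a fallback for frame-ancestors
}

function mayBeFramed(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const page = pageOrigin.toLowerCase();
  const embedder = embedderOrigin.toLowerCase();

  const csp = h['content-security-policy'];
  const sources = csp ? frameAncestors(csp) : null;
  if (sources !== null) {
    // frame-ancestors is present, so X-Frame-Options is not consulted.
    return sources.some((s) => {
      const src = s.toLowerCase();
      if (src === "'none'") return false;
      if (src === "'self'") return embedder === page;
      return src === '*' || src === embedder;
    }); // an empty source list matches nothing, same as 'none'
  }

  const xfo = new Set((h['x-frame-options'] || '').split(',')
    .map((v) => v.trim().toLowerCase()).filter(Boolean));
  const known = ['deny', 'sameorigin', 'allowall'].some((v) => xfo.has(v));
  if (xfo.size > 1) return !known; // conflicting values block framing
  if (xfo.has('deny')) return false;
  if (xfo.has('sameorigin')) return embedder === page;
  return true; // no header, or an unrecognised value such as ALLOW-FROM
}
```

A `true` result for a cross-origin embedder means the page can be overlaid as described above; note that the obsolete `ALLOW-FROM` value and a CSP without `frame-ancestors` both leave the page framable.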

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.