New clickjacking attacks expose your Gmail messages & Facebook/Twitter identity (docs.google.com)
44 points by bumbledraven on July 8, 2011 | hide | past | favorite | 15 comments


The Google OAuth attack is pretty sneaky indeed. I noticed the popup being created, positioned, and hidden upon the first click, but I highly doubt most regular users would. I wish there were an option in Chrome to force new tabs to be opened instead of new windows and to completely disable popups for all sites, always. I can't think of any reason why a site needs popups anymore, especially since IFrames, OAuth, LightBox, JSONP etc. can handle pretty much all the rich-media use cases.


I agree. But on the other hand, lightbox style advertisements are just popups that you have to actually click to close, instead of command-W.


Solved in ChromeOS.


Just use Firefox with browser.link.open_newwindow.restriction = 0?


Yeah, here FF just opened a new tab ("Clickjacking is asking to...").

Well, no, actually it just showed the instructions - NoScript is awesome - but after I enabled scripts, it opened the tab.


This reminds me of one of my favorite features of Stainless (http://www.stainlessapp.com/): You could have one tab with a session in which you are only logged into Google, and use that tab only on Google websites, with a bookmark to access that session in a new tab. Then you would not be logged into Google in any other tabs.

I would really like to see development of Stainless continued, or for some of its security features to be adopted by Google Chrome. If anyone knows of such functionality, I'd like to hear about it.

Also check out the Ghostery extension (http://d.pr/DzJt); it blocks some of these sorts of elements (it doesn't, for example, block the Twitter follow button, and I don't know whether it blocks Google's OAuth).


+1 for another stainlessapp fan in the wild! I really wish they'd continued development on it.


Ideally the deanonymization attacks would not mean much if it was just that, but that is another mess altogether. Of course, the Google OAuth attack is much more serious.


  Demo link: http://webperflab.com/david/like.html
I went there and clicked the like button, and the information it drew up for me was of a completely different profile.

  {"id":"224***","name":"Dennis******","first_name":"Dennis","last_name":"******","link":"http://www.facebook.com/dennis******","username":"dennis*****","gender":"male","locale":"en_US"}
(Stars added by me to protect privacy of that person).


This has to do with the way the algorithm works. When you click like, you like a page. Then, a server-side script on webperflab's server contacts Facebook's opengraph, gets a list of users, looks up information on the last user that liked the page, makes that user "unlike" the page (the page can do that, it's like kicking a user out of a group), and then returns information about that user. If, for example, another user likes the page before the script can return information about you, it will return information about the other user. The demo could probably fix this issue by having multiple groups.


This is why I never remain logged in to Google. I don't use Facebook. I imagine things like this might increase with people remaining logged into G+?


Personally, I just have a personal Google account without any personal data (well, except for Reader subscriptions, but that's not really important) for normal browsing in Firefox, and a Google Apps account that I use in Chrome just for contacts/calendar/email.

Now with Google+, keeping that separation would be more difficult if I wanted to use it, though, since I'd lose the integration between normal browsing and G+.


The OAuth attack can be solved the way Firefox solved the double-click attack for installing plugins and add-ons: temporarily disabling the positive button for 2-3 seconds, though in this case it should be disabled indefinitely until there is mouse focus over the button, and only then should the delay to enable the button initiate.
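The mitigation the comment above describes (the "positive" button stays disabled until the pointer has actually been over it for a couple of seconds, and leaving the button resets the timer) as an added example. This is illustrative code written for this thread, not code from Firefox, Google, or the linked paper; `createArmedButton`, `attachArmedButton` and `ARM_DELAY_MS` are hypothetical names, and the timing logic is kept separate from the DOM wiring so it can be exercised with an injected clock.

```javascript
// Added example (not from the thread): a consent/authorize button that cannot be
// activated by a click that lands on it the instant the dialog appears.
// Defends against the "popup created, positioned, and hidden under the cursor"
// trick: the click must arrive after the pointer has rested on the button.

const ARM_DELAY_MS = 2000; // hypothetical: 2 s, in the 2-3 s range the comment suggests

// Pure state machine. `now` is a clock returning milliseconds; tests inject a fake one.
function createArmedButton(now, armDelayMs = ARM_DELAY_MS) {
  let hoverStart = null; // time the pointer entered the button; null while outside

  return {
    // Pointer came to rest over the button: start (but do not restart) the timer.
    pointerEnter() {
      if (hoverStart === null) hoverStart = now();
    },
    // Pointer left: disarm completely. A later re-entry starts a fresh delay.
    pointerLeave() {
      hoverStart = null;
    },
    // Armed only if the pointer is currently over the button AND has been for the delay.
    isEnabled() {
      return hoverStart !== null && now() - hoverStart >= armDelayMs;
    },
    // Click handler decision: true means the privileged action may proceed.
    tryActivate() {
      return this.isEnabled();
    },
  };
}

// Browser wiring: keeps the HTML button disabled until the state machine arms it.
// `button` is an HTMLButtonElement, `onConfirm` runs only for a legitimate click.
function attachArmedButton(button, onConfirm, armDelayMs = ARM_DELAY_MS) {
  const state = createArmedButton(() => performance.now(), armDelayMs);
  let timer = null;
  button.disabled = true;

  button.addEventListener("pointerenter", () => {
    state.pointerEnter();
    // Re-check with the state machine rather than trusting the timer alone.
    timer = setTimeout(() => { button.disabled = !state.isEnabled(); }, armDelayMs);
  });

  button.addEventListener("pointerleave", () => {
    state.pointerLeave();
    clearTimeout(timer);
    button.disabled = true;
  });

  // Even if an attacker re-enables the element via the DOM, the click path still
  // consults the state machine before doing anything.
  button.addEventListener("click", (ev) => {
    if (!state.tryActivate()) {
      ev.preventDefault();
      return;
    }
    onConfirm();
  });

  return state;
}

// Usage in a page (guarded so the module also loads outside a browser):
if (typeof document !== "undefined") {
  const btn = document.querySelector("#authorize");
  if (btn) attachArmedButton(btn, () => console.log("authorized after deliberate hover"));
}
```

The design choice worth noting is that `pointerleave` resets `hoverStart` rather than pausing it: a hidden window that is moved under the cursor and then away again never accumulates hover time, so the only way to reach an enabled button is to keep the pointer on it for the full delay, which is exactly the deliberate action the comment wants to require.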


I'm using the WidgetBlock Extension for Google Chrome ( https://chrome.google.com/webstore/detail/hgiihiookhijpbhafl... ) and it seems to block the like button on the first demo. The oAuth Demo still works though.


I get a Google login window when I click this link.





