Real Clickjacking?
After Michal Zalewski's WHATWG post spilled enough beans to show definitely that yesterday's pop-up evaders weren't "clickjacking," I put together another demo this afternoon (link below), which uses a combination of opacity and z-index settings on an iframe. Again, it's just speculation.
http://www.planb-security.net/notclickjacking/iframetrick.html
This seems to fit the bill: No JavaScript required, uses iframes, and gives the ability to seemingly overlay one UI on top of another. By the way, the demo is mostly harmless -- it just turns your MySpace profile from private to public. I started down the path of masking my brokerage's trading app, but masking out keystrokes for stock orders seemed to be overkill for a simple speculative demo.
Posted by Tod Beardsley (2008/09/26 14:45:54.606 GMT-5)
Very scary indeed
Posted by Rhian at 2008-10-06 02:34
Indeed scary!
It makes me even more glad I have NoScript installed and went a bit paranoid in the settings. (For example I had iFrames disabled).
I went to the example, NoScript in my default internet surfing mode. It was good to see that it was blocked! The interesting part was that I could see the action that was going to happen in a tooltip!
Thanks to the guys of BreakingPoint for pointing out these issues and providing (links to) Real Working Examples.

scary