Clickjackin'
zmjjmz
September 26th, 2008, 10:36 PM
The problem (http://blogs.zdnet.com/security/?p=1972)
The (Firefox only) solution (http://blogs.zdnet.com/security/?p=1973)
Sounds pretty scary, but I applied the NoScript preference.
init1
September 26th, 2008, 10:48 PM
Looks like the best way to prevent it is just to use Links or Lynx :D
The problem affects all of the different browsers except something like lynx.
zmjjmz
September 26th, 2008, 10:52 PM
Looks like the best way to prevent it is just to use Links or Lynx :D
Anything that doesn't parse iframes should do.
kernelhaxor
September 26th, 2008, 11:57 PM
That article was linked from slashdot too yesterday. The article just says there exists an exploit but doesn't tell what it is. I still don't get how this 'clickjackin' works! They probably haven't disclosed it for security reasons but how do I protect myself if I don't know what the trick is?
tom66
September 27th, 2008, 12:05 AM
It uses a hidden iframe to trick you into continuously clicking on a link of some kind. If an attacker can predict where you will click, then he can probably get you to click there. Sounds a bit like an early Firefox bug where if an attacker could predict or create a download or addons box they could install it by getting the user to click somewhere repeatedly.
I can only see disabling hidden iframes as an option. Seriously, what is the advantage? I mean, hidden links in a hidden iframe. I cannot see that being useful to anyone but an attacker.
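[Added example, not part of the original thread or any poster's words.] A detection sketch for the "hidden iframe" idea in tom66's post: it flags cross-origin frames that cannot be seen but can still receive a click. The descriptor fields, the opacity cut-off and the sample hosts are assumptions made for illustration.

```javascript
// Added example: flag iframes that are invisible yet still able to receive clicks.
// The descriptor fields and the opacity cut-off are assumptions of this sketch.
const OPACITY_CUTOFF = 0.1;

// In a browser, build descriptors from live iframes (not exercised under Node).
function describeFrames(doc, win) {
  return Array.from(doc.querySelectorAll('iframe'), (el) => {
    const cs = win.getComputedStyle(el);
    const box = el.getBoundingClientRect();
    return { src: el.src, opacity: parseFloat(cs.opacity), display: cs.display,
      visibility: cs.visibility, pointerEvents: cs.pointerEvents,
      width: box.width, height: box.height };
  });
}

function isCrossOrigin(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).origin !== pageOrigin;
  } catch (err) {
    return true; // unparsable src: treat as untrusted
  }
}

// A frame only matters here if a click can actually land on it.
function canReceiveClicks(f) {
  return f.display !== 'none' && f.visibility !== 'hidden' &&
    f.pointerEvents !== 'none' && f.width > 0 && f.height > 0;
}

function findSuspectFrames(frames, pageOrigin) {
  return frames.filter((f) => canReceiveClicks(f) &&
    isCrossOrigin(f.src, pageOrigin) && f.opacity < OPACITY_CUTOFF);
}

// Constructed sample data (hypothetical hosts), not taken from any real page.
const PAGE_ORIGIN = 'https://forum.example';
const SAMPLE_FRAMES = [
  { src: '/sidebar.html', opacity: 0, display: 'block', visibility: 'visible',
    pointerEvents: 'auto', width: 300, height: 200 },   // same origin: ignored
  { src: 'https://video.example/embed/1', opacity: 1, display: 'block',
    visibility: 'visible', pointerEvents: 'auto', width: 640, height: 360 },
  { src: 'https://other.example/settings', opacity: 0, display: 'block',
    visibility: 'visible', pointerEvents: 'auto', width: 800, height: 600 },
  { src: 'https://stats.example/ping', opacity: 1, display: 'none',
    visibility: 'visible', pointerEvents: 'auto', width: 0, height: 0 },
];

console.log(findSuspectFrames(SAMPLE_FRAMES, PAGE_ORIGIN).map((f) => f.src));
```

The check reads only the iframe's own computed style, so a frame made invisible through a transparent ancestor element would not be caught by it.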
zmjjmz
September 27th, 2008, 12:56 AM
I can only see disabling hidden iframes as an option. Seriously, what is the advantage? I mean, hidden links in a hidden iframe. I cannot see that being useful to anyone but an attacker.
I forbid iframes in general w/NoScript.
This way I can allow them if I trust the site.