Just saw this article about 'Clickjacking' Here's a few xerpts The Fix? That's pretty much the whole article but here's the page Code: http://blogs.zdnet.com/security/?p=1972 Appreciate anyone's thoughts on this...and any ideas.
Clickjacking = CSing no? or something different? It reads like CSing, but they dont seem to understand how it works. Why would you want a click, without the CS
Now that pretty funny if its only cookie stuffing. Thought it might be something a little heavier than that.
This sounds to me like what happens to my screen sometimes. I use Flock and I have my "flock toolbar" where the bookmark bar is and sometimes I sweat TG that someone is going over my bookmark icons cause they move and I know I am not moving them and sometimes one of them totally disappears! Like when BHW was down ( last week?) due to a possible hacker.. My BHW Icon disappeared as well! I have no idea why and then somehow it was back after I started up my puter again. Perhaps this is the kind of stuff they are talking about?
Probably something like this (not really new)..... Code: http://www.planb-security.net/notclickjacking/iframetrick.html Maybe something new. Kinda hope it is
Can you elaborate? How does it "take over your browser" that doesn't really give me any kind of technical understanding whatsoever. Sounds like cross domain RPC or iframing to me.
Have no knowledge of how it works but heres how I think it work. I don't think itself, it takes over your browser but judging by the example lurk posted it hides some sort of frame and makes its transparency to clear so when someone clicks on a link or anywhere on the page the framed hidden page is really in front of the real page your clicking on so I guess you could be tricked into pressing yes to a popup that ask if you really want to install the app.
Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable.This is working with ie8 and ff3 and is not something like a "traditional" exploit...Initially they wanted to make the code public here : Code: http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference but given the danger they postponed OWASP One of the topic is: Get Ric*h or Die Try*ing - Mak*ing Money on The W*eb, The Black Hat Way there is a slide show here that mention a few black hat methods : -at 57/67 there is a mention of BHW Code: http://www.slideshare.net/jeremiahgrossman/black-hat-08072008?src=embed
gr33n, shit dude... blackhatworld.com is used as a reference how people co*okie stuff to make money on slide 57 No bueno
Here is the video presentation on clickjacking, it quite interesting. The video is about 20 min long. http://video.google.com/videoplay?docid=-1023253423246814538&hl=en Enjoy, Dmore "The Stinking Capitalist Pig"
GR33N, great post. i didnt know someone really did that stupid office space scheme, and LOFUCKINGL about the QVC thing
It's got nothing to do with CS, and gr33n hit the nail on the head. I think it's pretty scary actually. The latest NoScript versions warn you about possible CJ attempts, but I wonder how much they actually catch. This isn't your usual daily half-assed IE exploit. Mind where you go and what you click if you're logged in to anything you care about.
Very interesting video........ One breif sentance that was said in the video "Java Script makes things easier to hover under the mouse". So if you think about flash games where where you use the mouse to move a character. What you have is the flash identifying the mouse and its movement over the screen. Now this stands to reason why they took this to Adobe first and they was so concerned about it! So basically if a mouse click area occupies 4 pixels (2x2) (now I am not technical so I dont know if that is correct) then the flash game can use one of those pixels as a link. So when you are clicking the game to... lets say 'Fire' it is programmed to make the first click not only 'Fire' but also follow a link. As stated in the video the same effect could also be achieved by dhtml/JS and probably AJAX. With regards to making the user complete a process, quite simple using screen scraping and writing the script to a work flow rather than just a single click. Now after thinking there is another possability. And that could by to map the X/Y of the location you want the user to click so that and onclick action creates a subsequent click on the same page at the location specified. I maybe talking total BS, but all of the above are totally doable! What do you think?
That ebay thing was quite worrying, perhaps they could find a way to take as much money as they want just by making you bid on their auction using your paypal account or other payment system that has your credit card already in it. Or maybe a simple site with a donation button, force them to click on that, and somehow force them to type in their paypal email and password. Im sure there is someway to steal a hell of a lot of money... I agree with omfg, this is not good at all D:
