[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 12 Dec 2013 12:43:00 -0800
From: Michal Zalewski <lcamtuf@...edump.cx>
To: Stefan Schurtz <sschurtz@...nline.de>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>, security@...ebook.com
Subject: Re: Clickjacking (?) on Facebook.com (Question)
What is your exact concern?
One should obviously not enter their Facebook credentials while the
address bar shows darksecurity.de; after all, instead of framing
Facebook, you could just create a fake login form that looks just like
theirs.
Clickjacking is a distinct concern, but generally only in cases where
a UI action with serious consequences (e.g., deleting your account,
sharing something with a stranger) can be accomplished in one or
several clicks. The pages you are framing don't seem to fall into this
category. It's worth noting that XFO doesn't fully eliminate the risk:
http://lcamtuf.blogspot.com/2011/12/x-frame-options-or-solving-wrong.html
An interesting consequence of pages that show your login or other
personal information, and can be framed, is that they make phishing a
bit easier: you can cleverly arrange them to imply that the top-level
page knows who you are. But the gain here probably isn't dramatic.
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists