Message-ID: <CALx_OUBZP2pv0TW+NKXnYBe5Sp5n4MdWx8n+z__3e1aZgt5V5g@mail.gmail.com>
Date: Thu, 12 Dec 2013 12:43:00 -0800
From: Michal Zalewski <lcamtuf@...edump.cx>
To: Stefan Schurtz <sschurtz@...nline.de>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>, security@...ebook.com
Subject: Re: Clickjacking (?) on Facebook.com (Question)

What is your exact concern? One should obviously not enter their Facebook credentials while the address bar shows darksecurity.de; after all, instead of framing Facebook, you could just create a fake login form that looks just like theirs.

Clickjacking is a distinct concern, but generally only in cases where a UI action with serious consequences (e.g., deleting your account, sharing something with a stranger) can be accomplished in one or several clicks. The pages you are framing don't seem to fall into this category.

It's worth noting that XFO doesn't fully eliminate the risk:
http://lcamtuf.blogspot.com/2011/12/x-frame-options-or-solving-wrong.html

An interesting consequence of pages that show your login or other personal information, and can be framed, is that they make phishing a bit easier: you can cleverly arrange them to imply that the top-level page knows who you are. But the gain here probably isn't dramatic.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
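The reply above turns on whether a page can be framed at all, and on X-Frame-Options (XFO) being only a partial answer. The following is an added example, not code from the thread or from Facebook: a defender-side check that reads a response's framing policy (XFO plus CSP `frame-ancestors`) and decides whether a given embedding origin may frame the page, with a constructed unprotected response beside a hardened one. It assumes a simplified browser model (a `frame-ancestors` directive overrides XFO, `ALLOW-FROM` is ignored, and CSP sources are given as full origins, `'self'`, `'none'`, or `scheme://*.host`).

```python
# Added illustration, not code from the thread: a defender-side check of the
# framing policy in a page's response headers (X-Frame-Options and CSP
# frame-ancestors). Simplified browser model: a frame-ancestors directive
# overrides XFO (CSP Level 2); XFO ALLOW-FROM is treated as ignored.
from urllib.parse import urlsplit

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def _frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]]
    return None

def _matches(source, embedder, page):
    """Simplified CSP source matching: 'none', 'self', origin, scheme://*.host."""
    if source == "'none'":
        return False
    if source == "'self'":
        return embedder == page
    scheme, _, host = source.partition("://")
    e_scheme, _, e_host = embedder.partition("://")
    if scheme != e_scheme:
        return False
    if host.startswith("*."):            # wildcard matches any subdomain
        return e_host.endswith(host[1:])
    return host == e_host

def can_frame(headers, page_url, embedder_url):
    """True if embedder_url may frame page_url under these response headers."""
    page, embedder = _origin(page_url), _origin(embedder_url)
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:            # CSP takes precedence over XFO
        return any(_matches(s, embedder, page) for s in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True   # no policy, or ALLOW-FROM/invalid value: framing allowed

# Constructed sample responses: no framing policy beside a hardened one.
WEAK = {"Content-Type": "text/html"}
HARDENED = {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self'"}
```

Running `can_frame(WEAK, ...)` against any third-party origin returns True, while `HARDENED` only admits the page's own origin; a page that shows a logged-in user's name but ships the `WEAK` headers is exactly the kind of page the reply calls a phishing aid.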