On Feb 17, 2009, at 2:42 AM, Gavin Schulz wrote:
I would be interested to see a proof of concept of an attack that
would delete users' accounts because it seems pretty impossible to me.
Instead of stealing a click over the send button, you steal clicks
elsewhere, such as over Twitter's "delete my account" link at the
bottom of their http://twitter.com/account/settings page.
"Impossible" is a very dangerous word to use in a security context,
and in any event I don't even want "harmless" settings changed without
my knowledge.
Cheers,
-Meitar Moscovitz
Personal: http://maymay.net
Professional: http://MeitarMoscovitz.com
On Sun, Feb 15, 2009 at 11:34 PM, Mr. Meitar Moscovitz <[email protected]> wrote:
On Feb 14, 2009, at 8:31 AM, Evan Prodromou wrote:
Gavin Schulz wrote:
As far as I know, it is also. There is really no way to guard
against the hack because it's all about alignment. Although I use
Chrome and it doesn't work. As far as I know it's just a clever
hack to post a status message. No real security loophole.
Could we use frame-breaker JS to keep from being stuck in an iframe?
-Evan
I think we absolutely should.
No, *this* particular attack was not especially destructive, but
just because this wasn't doesn't mean a future clickjacking attack
wouldn't be. You could pretty easily create a clickjacking attack
that would delete users' accounts. Nobody wants this.
Frame-busting would be helpful but should be acknowledged as a
mitigation, rather than a prevention technique. In all cases, the
ultimate responsibility for something like this rests in the hands
of users, since clickjacking isn't something that the Identica team
(or any web developer) can prevent 100% of the time.
For what it's worth, encouraging your friends who use Twitter OR
Identica to use NoScript with Firefox[0] or Clickjane.css[1] with
Safari/Opera/other browsers would probably be a good idea right
about now.
Cheers,
-Meitar Moscovitz
Personal: http://maymay.net
Professional: http://MeitarMoscovitz.com
EXTERNAL REFERENCES:
[0] http://noscript.net/
[1] http://maymay.net/blog/2008/12/29/clickjanecss-a-css-user-style-sheet-to-help-detect-and-avoid-clickjacking-attacks/
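The frame-breaker JS Evan asks about, as an added example that is not code from the thread or from the Laconica/Identica code base; the window-like objects and URLs are constructed stand-ins so the logic runs outside a browser.

```javascript
// Added example (not from the thread or the Laconica project): a minimal
// frame-buster, written so the decision logic can be exercised under Node.

// True when `win` is displayed inside another document (an <iframe>).
function isFramed(win) {
  try {
    // A top-level document is its own top; a framed one is not.
    return win.self !== win.top;
  } catch (e) {
    // Some browsers deny this access across origins; assume the worst.
    return true;
  }
}

// Try to escape the frame by loading this document in the top window.
// Returns true when navigation was requested, false when already top-level.
function bustFrame(win) {
  if (!isFramed(win)) {
    return false;
  }
  // Browsers let a framed document navigate its top window even across
  // origins, which is what makes the technique work at all. A hostile
  // framing page can still interfere with this script, which is why the
  // thread calls it a mitigation rather than a prevention.
  win.top.location.href = win.self.location.href;
  return true;
}

// Constructed stand-ins for browser windows (assumption: not real DOM).
// In a real page you would call bustFrame(window) from an inline script
// placed as early as possible in <head>.
function makeWindow(href, top) {
  const win = { location: { href: href } };
  win.self = win;
  win.top = top || win;
  return win;
}

// Scenario: a settings page loaded inside a page at another origin.
const framer = makeWindow('https://framer.example/');
const settings = makeWindow('https://service.example/account/settings', framer);
bustFrame(settings); // framer.location.href now points at the settings page
```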
_______________________________________________
Laconica-dev mailing list
[email protected]
http://mail.laconi.ca/mailman/listinfo/laconica-dev