Well, as far as I can see it is actually impossible to delete your identica account, unless I'm missing something. Even so there should definitely be a confirmation step before deleting an account anyways.

----
Gavin Schulz
Working on a stealth start-up

On Mon, Feb 16, 2009 at 8:49 PM, Mr. Meitar Moscovitz <[email protected]> wrote:

> On Feb 17, 2009, at 2:42 AM, Gavin Schulz wrote:
>
> > I would be interested to see a proof of concept of an attack that would
> > delete users' accounts because it seems pretty impossible to me.
>
> Instead of stealing a click over the send button, you steal clicks
> elsewhere, such as over Twitter's "delete my account" link at the bottom of
> their http://twitter.com/account/settings page.
>
> "Impossible" is a very dangerous word to use in a security context, and in
> any event I don't even want "harmless" settings changed without my
> knowledge.
>
> Cheers,
> -Meitar Moscovitz
> Personal: http://maymay.net
> Professional: http://MeitarMoscovitz.com
>
> On Sun, Feb 15, 2009 at 11:34 PM, Mr. Meitar Moscovitz <[email protected]> wrote:
>
>> On Feb 14, 2009, at 8:31 AM, Evan Prodromou wrote:
>>
>>> Gavin Schulz wrote:
>>>
>>>> As far as I know, it is also. There is really no way to guard against
>>>> the hack because it's all about alignment. Although I use Chrome and it
>>>> doesn't work. As far as I know it's just a clever hack to post a status
>>>> message. No real security loophole.
>>>
>>> Could we use frame-breaker JS to keep from being stuck in an iframe?
>>>
>>> -Evan
>>
>> I think we absolutely should.
>>
>> No, *this* particular attack was not especially destructive, but just
>> because this wasn't doesn't mean a future clickjacking attack wouldn't be.
>> You could pretty easily create a clickjacking attack that would delete users'
>> accounts. Nobody wants this.
>>
>> Frame-busting would be helpful but should be acknowledged as a mitigation,
>> rather than a prevention technique. In all cases, the ultimate
>> responsibility for something like this rests in the hands of users, since
>> clickjacking isn't something that the Identica team (or any web developer)
>> can prevent 100% of the time.
>>
>> For what it's worth, encouraging your friends who use Twitter OR Identica
>> to use NoScript with Firefox[0] or Clickjane.css[1] with Safari/Opera/other
>> browsers would probably be a good idea right about now.
>>
>> Cheers,
>> -Meitar Moscovitz
>> Personal: http://maymay.net
>> Professional: http://MeitarMoscovitz.com
>>
>> EXTERNAL REFERENCES:
>>
>> [0] http://noscript.net/
>> [1] http://maymay.net/blog/2008/12/29/clickjanecss-a-css-user-style-sheet-to-help-detect-and-avoid-clickjacking-attacks/
_______________________________________________ Laconica-dev mailing list [email protected] http://mail.laconi.ca/mailman/listinfo/laconica-dev
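The frame-breaker JS that Evan asks about and Meitar calls a mitigation rather than a prevention, as an added example that is not code from this thread or from the Laconica project. It goes beyond the thread by pairing the script with the response headers (X-Frame-Options, CSP frame-ancestors, both later than 2009) that the browser enforces before any page script runs; the window stand-in and the identi.ca URLs are constructed for the test.

```javascript
// Added example, not Laconica code: a frame-busting check written over a
// window-shaped object so it can be unit-tested outside a browser.

// True when this document is framed by a page that is not same-origin.
// `win` is any object shaped like a browser window: { self, top }.
function isFramedByOtherOrigin(win) {
  if (win.top === win.self) return false;          // not framed at all
  try {
    // The same-origin policy throws on reading a cross-origin top's
    // location, so a throw also means "framed by someone else".
    return win.top.location.origin !== win.self.location.origin;
  } catch (e) {
    return true;
  }
}

// The classic frame-buster: navigate the top window to our own URL.
// Returns the URL navigated to, or null when no action was needed. It only
// runs if the framing page lets our script execute, hence "mitigation".
function breakOutOfFrame(win) {
  if (!isFramedByOtherOrigin(win)) return null;
  const url = win.self.location.href;
  win.top.location.href = url;                     // cross-origin writes are allowed
  return url;
}

// The enforceable counterpart: headers honoured by the browser before any
// script runs. allowSameOrigin=false refuses all framing.
function framingDefenseHeaders(allowSameOrigin) {
  return {
    'X-Frame-Options': allowSameOrigin ? 'SAMEORIGIN' : 'DENY',
    'Content-Security-Policy': allowSameOrigin
      ? "frame-ancestors 'self'" : "frame-ancestors 'none'",
  };
}

// Constructed window stand-in. `topOrigin` null means the page is not framed.
function makeWindow(selfUrl, topOrigin) {
  const self = { location: { href: selfUrl, origin: new URL(selfUrl).origin } };
  if (topOrigin === null) return { self, top: self };
  const top = { location: { href: 'about:blank' } };
  Object.defineProperty(top.location, 'origin', {
    get() {                                        // simulate the same-origin policy
      if (topOrigin !== self.location.origin) throw new Error('SecurityError');
      return topOrigin;
    },
  });
  return { self, top };
}
```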
