|
Full Disclosure
mailing list archives
Re: Clickjacking (?) on Facebook.com (Question)
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 12 Dec 2013 12:43:00 -0800
What is your exact concern?
One should obviously not enter their Facebook credentials while the
address bar shows darksecurity.de; after all, instead of framing
Facebook, you could just create a fake login form that looks just like
theirs.
Clickjacking is a distinct concern, but generally only in cases where
a UI action with serious consequences (e.g., deleting your account,
sharing something with a stranger) can be accomplished in one or
several clicks. The pages you are framing don't seem to fall into this
category. It's worth noting that XFO doesn't fully eliminate the risk:
http://lcamtuf.blogspot.com/2011/12/x-frame-options-or-solving-wrong.html
An interesting consequence of pages that show your login or other
personal information, and can be framed, is that they make phishing a
bit easier: you can cleverly arrange them to imply that the top-level
page knows who you are. But the gain here probably isn't dramatic.
/mz
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
|
