Wednesday, December 03, 2008

Clickjacking

Hold on to your milk and cookies. That's not Santa's Christmas list for Peter you're clicking on. I mean it is, but you've also just sent someone your bank account information. Thought you were safe with JavaScript disabled? Think again: the attacker's page needs nothing more than an invisible frame laid over the button you think you're pressing.

Explanation:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115818

Proof of Concept:
http://www.planb-security.net/notclickjacking/iframetrick.html

How do you fix it? Mostly, you can't, but this helps (NoScript can warn when a click lands on a hidden or partially covered frame):
http://noscript.net/

The lesson for developers:
Prevention helps somewhat: keep session cookies short-lived so a login left open in another tab can't be ridden for long, and have sensitive pages detect how they were opened (in particular, whether they are sitting inside someone else's frame) and refuse to render, or break out of the frame, when they are.
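Here is what that "detect how the page was opened" check looks like in practice. This is an added example, not code from the original post or from any of the linked pages. The function names (`isFramed`, `applyFrameBusting`) are my own, and the `win`/`doc` parameters are stand-ins for the browser's `window` and `document` so the logic can also be exercised with constructed objects outside a browser. The page is assumed to ship with its `<body>` hidden by CSS, so that it only becomes visible once the script has confirmed it is not embedded.

```javascript
// Frame-busting check for a sensitive page (added example, not from the post).
// `win` is the page's window (or a constructed look-alike with .top, .self and
// .location); `doc` is the document whose body starts out hidden in CSS.

function isFramed(win) {
  // A page loaded directly in a tab satisfies win.top === win.self.
  // Touching win.top from inside a cross-origin frame can throw a security
  // error in some browsers; treat that as "framed", because a cross-origin
  // ancestor is exactly the clickjacking situation we care about.
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

function applyFrameBusting(win, doc) {
  // Returns what was done: 'shown', 'busted' or 'hidden' (handy for testing).
  if (!isFramed(win)) {
    // Not embedded: safe to reveal the page (CSS hid it by default).
    doc.body.style.display = 'block';
    return 'shown';
  }
  try {
    // Embedded: navigate the top-level window to ourselves so the user sees
    // the real page instead of a disguised, invisible copy of it.
    win.top.location = win.self.location;
    return 'busted';
  } catch (e) {
    // If the break-out is refused, leave the body hidden so there is nothing
    // for the attacker's overlay to trick the user into clicking.
    doc.body.style.display = 'none';
    return 'hidden';
  }
}

// In a real page this runs as early as possible, before any clickable
// content is visible.  (Assumes the page's stylesheet starts with
// body { display: none }.)
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyFrameBusting(window, document);
}
```

Treat this as a speed bump rather than a wall: an attacker who controls the outer page can interfere with the inner page's script in several ways, which is why browsers later added a server-sent `X-Frame-Options` header (and, later still, the `frame-ancestors` directive of Content Security Policy) that tells the browser itself to refuse to render the page inside a frame. Neither existed when this post was written; if you are reading this now, send the header and keep the script only as a fallback for old browsers.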

The lesson for end users:
Don't work with trusted and untrusted sites at the same time. When you use a sensitive site such as your bank, close every other tab and window first, and log out when you are done so there is no live session left for another page to ride.
