Via the BreakingPoint Systems Blog (Tod B.):
After Michal Zalewski's WHATWG post spilled enough beans to show definitely that yesterday's pop-up evaders weren't "clickjacking," I put together another demo this afternoon (link below), which uses a combination of opacity and z-index settings on an iframe. Again, it's just speculation.
http://www.planb-security.net/notclickjacking/iframetrick.html
This seems to fit the bill: No JavaScript required, uses iframes, and gives the ability to seemingly overlay one UI on top of another. By the way, the demo is mostly harmless -- it just turns your MySpace profile from private to public. I started down the path of masking my brokerage's trading app, but masking out keystrokes for stock orders seemed to be overkill for a simple speculative demo.
----------------------------------------
Pretty scary stuff. The font differences make the alignment difficult, but you can clearly see the danger in this... nice work, Tod.