Skeptikal.org

Tuesday, October 7, 2008

Clickjacking Exploits

RSnake is starting to release details about his much-hyped clickjacking exploits, and I have to say, I'm a bit disappointed.

Basically, the attack boils down to using JavaScript, Flash, or CSS to surreptitiously place links or other controls under the user's cursor right before he clicks. A clever attack, but I was expecting something new. I've been doing this for years, and RSnake mentioned something like it back in 2006. He even noted that some of these attacks have been around since 2002. It still hasn't been fixed, but this isn't exactly news.

The "news" part which sparked some drama is that Flash is particularly vulnerable, and can be used to access client-side devices like microphones and cameras. Considering Flash's past record, even earning a Pwnie nomination, it's not all that shocking. Due to RSnake's holding off on releasing the vulnerability, this bug has already been resolved by the vendor.

I suppose due to Flash's huge market penetration, this is somewhat noteworthy, but none of the users seem to care.

Call me cynical, I guess.

That's why I just use Lynx.
