[cap-talk] If a user is clickjacked in a forest, does it leak authority?

Chip Morningstar chip at fudco.com
Thu Mar 26 19:01:36 EDT 2009

I've been considering the nature of the clickjack threat.

Here's the scenario:

Page A has a guessable URL, but contains no direct powers of its own.

Page B has an unguessable URL, and contains things that actually wield

Due to the nature of their respective URLs, Page A is vulnerable to
clickjacking, whereas Page B, in and of itself, is not.

Page A is generated by the webserver using ambient user credentials of some
kind, such as cookies, such that it ends up containing a clickable link that
opens page B in a new window.

If I understand things properly, a clickjacking attack on Page A can trick the
user into opening a window onto Page B, but once that has happened, the
attacker is not left with any means to actually wield the authorities on Page B
nor any obvious (to me) means to trick the user into wielding one of those
authorities on its behalf.

The unintended opening of Page B is clearly undesirable, but the scope of the
actual harm that can come of this is somewhat circumscribed.  I can vaguely
imagine there might be some kind of clickjacking-plus-phishing scam that
somehow fools the user into doing something on Page B once it opens, but I
can't actually think of anything concrete.  The damage is mainly limited to
being an annoyance.

If this analysis is correct, this pattern would seem to somewhat mitigate the
clickjacking threat.  If the analysis is wrong, I'd like to understand the flaw
in my thinking.
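The scenario above, modelled in Python as an added example that is not part of the original post: Page A is rendered from ambient cookie credentials at a guessable URL, Page B sits behind an unguessable capability token, and the check a browser makes before putting a page in a third-party iframe is written out so the effect of an anti-framing policy on Page A can be seen directly. Hostnames, URLs and the framing rules (a simplified reading of `Content-Security-Policy: frame-ancestors` with an `X-Frame-Options` fallback) are constructed for the example and are not taken from the post.

```python
"""Clickjacking model: guessable Page A, capability-URL Page B, and the
browser-side framing decision that decides whether Page A can be clickjacked.
All hosts, URLs and policies here are constructed for the example."""
import secrets
from urllib.parse import urlsplit


# --- application side -------------------------------------------------------

def make_page_b_url(base="https://app.example"):
    """Page B lives at an unguessable URL: a high-entropy capability token."""
    token = secrets.token_urlsafe(32)          # ~256 bits of entropy
    return f"{base}/b/{token}"


def page_a_response(page_b_url, harden=True):
    """Page A: guessable URL, rendered from ambient (cookie) credentials,
    linking to Page B in a new window.  With harden=True it also carries a
    policy refusing to be framed, which is what stops the clickjack on A."""
    headers = {"Content-Type": "text/html"}
    if harden:
        headers["Content-Security-Policy"] = "frame-ancestors 'none'"
        headers["X-Frame-Options"] = "DENY"    # legacy fallback for old browsers
    body = f'<a href="{page_b_url}" target="_blank">open page B</a>'
    return headers, body


# --- browser side: may the origin at embedder_url frame page_url? -----------

def _origin(url):
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return p.scheme, p.hostname, port


def _source_matches(src, page_url, embedder_url):
    """One frame-ancestors source expression against the embedding origin.
    Supports 'self', 'none', and [scheme://]host[:port] with a leading
    wildcard label, e.g. https://*.partner.example."""
    if src == "'self'":
        return _origin(page_url) == _origin(embedder_url)
    if src == "'none'":
        return False
    e_scheme, e_host, e_port = _origin(embedder_url)
    scheme, sep, hostport = src.partition("://")
    if not sep:                                # bare host: scheme not constrained
        scheme, hostport = "", scheme
    host, _, port = hostport.partition(":")
    if scheme and scheme != e_scheme:
        return False
    if port and port != str(e_port):
        return False
    if host == "*":
        return True
    if host.startswith("*."):
        return e_host.endswith(host[1:])       # "*.example" matches "a.example"
    return host == e_host


def framing_allowed(response_headers, page_url, embedder_url):
    """Return True if a browser would let embedder_url put page_url in a frame."""
    csp = response_headers.get("Content-Security-Policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        if not sources or sources == ["'none'"]:
            return False
        return any(_source_matches(s, page_url, embedder_url) for s in sources)
    # No frame-ancestors directive: fall back to X-Frame-Options.
    xfo = response_headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(page_url) == _origin(embedder_url)
    return True        # no policy at all: any site can frame it (the clickjack case)


# --- the scenario -----------------------------------------------------------

def simulate(harden):
    """An embedding site at a constructed third-party origin tries to frame
    Page A (which it can address, the URL being guessable).  Page B is never
    framable this way because its URL cannot be guessed; the only question is
    whether Page A itself accepts the frame."""
    third_party = "https://evil.example"
    page_a_url = "https://app.example/a"
    headers, _ = page_a_response(make_page_b_url(), harden=harden)
    return {"page_a_framable": framing_allowed(headers, page_a_url, third_party)}


if __name__ == "__main__":
    print("unhardened:", simulate(harden=False))   # Page A can be framed
    print("hardened:  ", simulate(harden=True))    # Page A refuses the frame
```

The design point this makes concrete is that the mitigation belongs on the guessable page, not the capability page: Page B's unguessability already keeps it out of an attacker's iframe, so the residual exposure is Page A, and a `frame-ancestors 'none'` policy there removes the clickjack even before asking what the unintended window onto Page B could do.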