[cap-talk] If a user is clickjacked in a forest, does it leak authority?

David Wagner daw at cs.berkeley.edu
Thu Mar 26 21:52:43 EDT 2009


David-Sarah Hopwood  wrote:
>Chip Morningstar wrote:
>> If I understand things properly, a clickjacking attack on Page A can trick
>> the user into opening a window onto Page B, but once that has happened,
>> the attacker is not left with any means to actually wield the authorities
>> on Page B nor any obvious (to me) means to trick the user into wielding
>> one of those authorities on its behalf.
>
> No, a clickjacking attack can trick the user into pressing an arbitrary
> button on page B, for example, without the button being visible.

Can you explain how (when page B was opened in a new window or new tab)?

I can see how to do it if the link to page B is an ordinary link that
opens in the same window that page A used to occupy, but not when
clicking on that link opens a new window/tab containing page B.


More information about the cap-talk mailing list