[cap-talk] If a user is clickjacked in a forest, does it leak authority?
David Wagner
daw at cs.berkeley.edu
Thu Mar 26 21:52:43 EDT 2009
David-Sarah Hopwood wrote:
> Chip Morningstar wrote:
>> If I understand things properly, a clickjacking attack on Page A can trick
>> the user into opening a window onto Page B, but once that has happened,
>> the attacker is not left with any means to actually wield the authorities
>> on Page B nor any obvious (to me) means to trick the user into wielding
>> one of those authorities on its behalf.
>
> No, a clickjacking attack can trick the user into pressing an arbitrary
> button on page B, for example, without the button being visible.
Can you explain how (when page B was opened in a new window or new tab)?
I can see how to do it if the link to page B is an ordinary link that
opens in the same window that page A used to occupy, but not when
clicking on that link opens a new window/tab containing page B.
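The attack Hopwood describes (pressing a button on page B that the user cannot see) depends on B being rendered inside a document the attacker's page controls, which is what B's anti-framing headers exist to refuse. As an added example, not code from this thread, the following JavaScript reads a response's X-Frame-Options and CSP frame-ancestors headers and reports whether a given origin would be allowed to embed the page; the origins and header sets are constructed samples.

```javascript
// Added example, not from the cap-talk thread. Decides from page B's response
// headers whether a browser would let `framer` render B inside a frame.

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Match one frame-ancestors source expression ('none', 'self', scheme-source,
// host-source with optional *. prefix and port) against the framing origin.
function sourceMatches(src, pageOrigin, framer) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return sameOrigin(pageOrigin, framer);
  const f = new URL(framer);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return s === f.protocol; // e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false; // syntax this helper does not model: treat as no match
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme + ":" !== f.protocol) return false;
  if (wildcard ? !f.hostname.endsWith("." + host) : f.hostname !== host) return false;
  const framerPort = f.port || defaultPort(f.protocol);
  return !port || port === "*" || port === framerPort;
}

// True if `framer` may embed the page at `pageOrigin`. CSP frame-ancestors takes
// precedence over X-Frame-Options; no recognised policy means anyone may frame it.
function canBeFramedBy(headers, pageOrigin, framer) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const csp = lower["content-security-policy"] || "";
  const fa = csp.split(";").map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (fa) return fa.split(/\s+/).slice(1).some((src) => sourceMatches(src, pageOrigin, framer));
  const xfo = (lower["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return sameOrigin(pageOrigin, framer);
  return true;
}

// Constructed sample: a hypothetical "page B" and three possible header sets.
const PAGE_B = "https://bank.example";
const ATTACKER = "https://attacker.example";
const unprotected = { "Content-Type": "text/html" };
const denyAll = { "X-Frame-Options": "DENY" };
const partnersOnly = {
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
};
```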