[cap-talk] If a user is clickjacked in a forest, does it leak authority?

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Thu Mar 26 22:15:42 EDT 2009


David Wagner wrote:
> David-Sarah Hopwood  wrote:
>> Chip Morningstar wrote:
>>> If I understand things properly, a clickjacking attack on Page A can trick
>>> the user into opening a window onto Page B, but once that has happened,
>>> the attacker is not left with any means to actually wield the authorities
>>> on Page B nor any obvious (to me) means to trick the user into wielding
>>> one of those authorities on its behalf.
>>
>> No, a clickjacking attack can trick the user into pressing an arbitrary
>> button on page B, for example, without the button being visible.
> 
> Can you explain how (when page B was opened in a new window or new tab)?
> 
> I can see how to do it if the link to page B is an ordinary link that
> opens in the same window that page A used to occupy, but not when
> clicking on that link opens a new window/tab containing page B.

Oh, right. Chip introduced an additional assumption that is not true of
clickjacking attacks in general, against existing sites.

-- 
David-Sarah Hopwood ⚥



More information about the cap-talk mailing list