[cap-talk] If a user is clickjacked in a forest, does it leak authority?

Karp, Alan H alan.karp at hp.com
Fri Mar 27 11:14:37 EDT 2009

David-Sarah Hopwood wrote:
> No, a clickjacking attack can trick the user into pressing an arbitrary
> button on page B, for example, without the button being visible.
That's the essence of the attack.  In order to pull it off, the attacker must be able to open page B, make it transparent, and align it over page A.  The user sees the button on page A but is really clicking on page B.  Making the URL for page B unguessable prevents the attack.

Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029

More information about the cap-talk mailing list