[cap-talk] If a user is clickjacked in a forest, does it leak authority?
Karp, Alan H
alan.karp at hp.com
Fri Mar 27 11:14:37 EDT 2009
David-Sarah Hopwood wrote:
> No, a clickjacking attack can trick the user into pressing an arbitrary
> button on page B, for example, without the button being visible.
That's the essence of the attack. In order to pull it off, the attacker must be able to open page B, make it transparent, and align it over page A. The user sees the button on page A but is really clicking on page B. Making the URL for page B unguessable prevents the attack.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
More information about the cap-talk