On Feb 14, 2009, at 8:31 AM, Evan Prodromou wrote:
Gavin Schulz wrote:
As far as I know, it is also. There is really no way to guard
against the hack because it's all about alignment. Although I use
Chrome and it doesn't work. As far as I know it's just a clever
hack to post a status message. No real security loophole.
Could we use frame-breaker JS to keep from being stuck in an iframe?
-Evan
I think we absolutely should.
No, *this* particular attack was not especially destructive, but just
because this wasn't doesn't mean a future clickjacking attack wouldn't
be. You could pretty easily create a clickjacking attack that would
delete users' accounts. Nobody wants this.
Frame-busting would be helpful but should be acknowledged as a
mitigation, rather than a prevention technique. In all cases, the
ultimate responsibility for something like this rests in the hands of
users, since clickjacking isn't something that the Identica team (or
any web developer) can prevent 100% of the time.
For what it's worth, encouraging your friends who use Twitter OR
Identica to use NoScript with Firefox[0] or Clickjane.css[1] with
Safari/Opera/other browsers would probably be a good idea right about
now.
Cheers,
-Meitar Moscovitz
Personal: http://maymay.net
Professional: http://MeitarMoscovitz.com
EXTERNAL REFERENCES:
[0] http://noscript.net/
[1] http://maymay.net/blog/2008/12/29/clickjanecss-a-css-user-style-sheet-to-help-detect-and-avoid-clickjacking-attacks/
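The frame-breaker JavaScript Evan asks about, written as an added example that is not code from the Laconica project or from anyone in this thread. It assumes a `win` argument standing in for the browser's `window` (so the logic can be exercised under Node) and constructed example URLs; in a page you would call `frameBust(window)` from a script in the document head.

```javascript
// True when this document is rendered inside another page's frame.
// A cross-origin framer makes win.top opaque and may throw on access;
// a throw is treated as "framed" so the check fails closed.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Hide the body until we know we are the top-level window. If framed, try
// to replace the framer with our own URL. If that navigation is refused
// (which is why the thread calls frame-busting a mitigation rather than a
// prevention; the server-sent X-Frame-Options response header is the
// stronger control), the body stays hidden so a disguised click has
// nothing to land on.
function frameBust(win) {
  const body = win.document && win.document.body;
  if (body) body.style.display = 'none';
  if (isFramed(win)) {
    try {
      win.top.location.href = win.self.location.href;
    } catch (e) {
      // Navigation blocked by the framer; leave the body hidden.
    }
    return 'framed';
  }
  if (body) body.style.display = '';
  return 'top';
}

// Constructed stand-in for a window object so the example runs under Node.
function makeWindow(href) {
  const w = { document: { body: { style: { display: '' } } } };
  w.self = w;
  w.top = w;                 // top-level unless a framer is assigned below
  w.location = { href: href };
  return w;
}

// Scenario: our status page (constructed URL) loaded inside another site.
const statusPage = makeWindow('https://example.org/status');
const framer = makeWindow('https://example.net/decoy');
statusPage.top = framer;
frameBust(statusPage);       // framer.location.href is now our own URL
```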
_______________________________________________
Laconica-dev mailing list
http://mail.laconi.ca/mailman/listinfo/laconica-dev