I would be interested to see a proof of concept of an attack that would delete users' accounts because it seems pretty impossible to me.

----
Gavin Schulz
Working on a stealth start-up
On Sun, Feb 15, 2009 at 11:34 PM, Mr. Meitar Moscovitz <[email protected]> wrote:

> On Feb 14, 2009, at 8:31 AM, Evan Prodromou wrote:
>
>> Gavin Schulz wrote:
>>
>>> As far as I know, it is also. There is really no way to guard against
>>> the hack because it's all about alignment. Although I use Chrome and it
>>> doesn't work. As far as I know it's just a clever hack to post a status
>>> message. No real security loophole.
>>
>> Could we use frame-breaker JS to keep from being stuck in an iframe?
>>
>> -Evan
>
> I think we absolutely should.
>
> No, *this* particular attack was not especially destructive, but just
> because this wasn't doesn't mean a future clickjacking attack wouldn't be.
> You could pretty easily create a clickjacking attack that would delete users'
> accounts. Nobody wants this.
>
> Frame-busting would be helpful but should be acknowledged as a mitigation,
> rather than a prevention technique. In all cases, the ultimate
> responsibility for something like this rests in the hands of users, since
> clickjacking isn't something that the Identica team (or any web developer)
> can prevent 100% of the time.
>
> For what it's worth, encouraging your friends who use Twitter OR Identica
> to use NoScript with Firefox[0] or Clickjane.css[1] with Safari/Opera/other
> browsers would probably be a good idea right about now.
>
> Cheers,
> -Meitar Moscovitz
> Personal: http://maymay.net
> Professional: http://MeitarMoscovitz.com
>
> EXTERNAL REFERENCES:
>
> [0] http://noscript.net/
> [1] http://maymay.net/blog/2008/12/29/clickjanecss-a-css-user-style-sheet-to-help-detect-and-avoid-clickjacking-attacks/
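The frame-breaker JS Evan asks about, and the reason Meitar calls it a mitigation rather than a prevention, as an added example that is not Laconica/Identica code: the check is factored into pure functions so it can be tested without a browser, and it assumes a page whose body starts hidden via CSS and is revealed only once the page is confirmed to be top-level.

```javascript
// Added example, not from the original thread or the Laconica code base.
// A page that includes this script refuses to show its UI when it has been
// loaded inside another site's frame, which is how a clickjacking overlay
// embeds the victim page underneath its own invisible controls.

function isFramed(win) {
  // A top-level document has win.top === win.self; a framed one does not.
  return win.top !== win.self;
}

function frameBusterAction(win) {
  if (!isFramed(win)) {
    return 'render'; // top-level: safe to reveal the hidden body
  }
  // Mitigation, not prevention: try to navigate the top window to this
  // page's own URL so it stops being framed. A hostile parent in some
  // browsers can block this navigation, so the server should also send
  // framing-denial headers (X-Frame-Options / CSP frame-ancestors) and
  // the body must stay hidden if the bust fails.
  try {
    win.top.location = win.self.location;
    return 'busted';
  } catch (e) {
    // Cross-origin access to top.location may throw; keep the UI hidden.
    return 'hidden';
  }
}

// Browser usage (assumption: body is hidden by a <style> rule until here).
if (typeof window !== 'undefined') {
  if (frameBusterAction(window) === 'render' && window.document.body) {
    window.document.body.style.display = 'block';
  }
}
```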
_______________________________________________
Laconica-dev mailing list
[email protected]
http://mail.laconi.ca/mailman/listinfo/laconica-dev
