Full Disclosure mailing list archives

Re: Clickjacking (?) on Facebook.com (Question)

From: Jann Horn <jann () thejh net>
Date: Thu, 12 Dec 2013 20:07:49 +0100

On Wed, Dec 11, 2013 at 10:18:09PM +0100, Stefan Schurtz wrote:

it is possible to load
"https://www.facebook.com/login/reauth.php?next=https://www.facebook.com/confirmphone.php&display=popup";
in another page.

[...]

My question: is this really not a security problem on Facebook?


It's say it is a problem, especially given that drag/drop isn't blocked on that
page. Did you report this to Facebook yet?

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Clickjacking (?) on Facebook.com (Question) Stefan Schurtz (Dec 11)
- Re: Clickjacking (?) on Facebook.com (Question) Jann Horn (Dec 12)
  - Re: Clickjacking (?) on Facebook.com (Question) Stefan Schurtz (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Nahuel Grisolía (Dec 13)
- Re: Clickjacking (?) on Facebook.com (Question) Michal Zalewski (Dec 12)
  - Re: Clickjacking (?) on Facebook.com (Question) Jann Horn (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Michal Zalewski (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Jann Horn (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Michal Zalewski (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Jann Horn (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Michal Zalewski (Dec 12)
    - Re: Clickjacking (?) on Facebook.com (Question) Jann Horn (Dec 12)