Re: Clickjacking (?) on Facebook.com (Question)

[Michal Zalewski <lcamtuf () coredump cx>]

What is your exact concern?

One should obviously not enter their Facebook credentials while the
address bar shows darksecurity.de; after all, instead of framing
Facebook, you could just create a fake login form that looks just like
theirs.

Clickjacking is a distinct concern, but generally only in cases where
a UI action with serious consequences (e.g., deleting your account,
sharing something with a stranger) can be accomplished in one or
several clicks. The pages you are framing don't seem to fall into this
category. It's worth noting that XFO doesn't fully eliminate the risk:

http://lcamtuf.blogspot.com/2011/12/x-frame-options-or-solving-wrong.html

An interesting consequence of pages that show your login or other
personal information, and can be framed, is that they make phishing a
bit easier: you can cleverly arrange them to imply that the top-level
page knows who you are. But the gain here probably isn't dramatic.

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/