Full Disclosure mailing list archives
Re: Clickjacking (?) on Facebook.com (Question)
From: Jann Horn <jann () thejh net>
Date: Fri, 13 Dec 2013 01:47:47 +0100
On Thu, Dec 12, 2013 at 01:25:31PM -0800, Michal Zalewski wrote:
>> That page allows drag-and-drop of the user's name. If you can convince the user to select his name with a triple-click and then do a drag-and-drop of that name to some place outside the iframe, you can find out his name, so I'd say it's a privacy leak.
>
> I had something to do with Chrome, Safari, and Firefox disallowing cross-domain drag-and-drop: http://lcamtuf.coredump.cx/dnd/ We have pinged Microsoft a long time ago about this, too - and hopefully this will be resolved on their end.

Oh, cool.

> But I wouldn't consider it a failing on the part of the targeted website - you'd need to put essentially everything behind XFO to fix this problem on the application level, which is not feasible for a good number of websites (including FB, because they have a variety of gadgets that are meant to be framed).

Or use JS to make it impossible to select text or so.

>> Yeah, Chromium has protections against that, but they're not exactly bulletproof – they become useless as soon as there's a single page on the victim domain that is framable and somehow lets the user publish data.
>
> Well, honestly, that becomes a bit of a stretch - if there's a good PoC you can put together for Facebook specifically, I suspect it may convince them to fix this, though.

I don't think I can do that.
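The two mitigations the thread weighs against each other (framing headers on every page versus page-level JavaScript that stops text from being selected and dragged) can be combined per route: deny framing everywhere by default, allow only the handful of gadget paths that must be framable, and on those pages block drag-start so a selected name cannot be dropped outside the frame. The following is an added example written for this archive page, not code from the thread's participants or from Facebook; the gadget paths, the partner origins and the fake `window`/`document` objects used for offline testing are constructed assumptions.

```javascript
// Added example: per-route framing policy plus in-frame drag guard.
// The paths and partner origins below are constructed for illustration.
const FRAMABLE_GADGETS = {
  '/plugins/like': ['https://partner.example'],
  '/plugins/comments': ['https://partner.example', 'https://other.example'],
};

// Strip query, fragment and trailing slashes so "/plugins/like/?x=1" matches the table.
function normalizePath(urlPath) {
  const noQuery = urlPath.split('?')[0].split('#')[0];
  return noQuery.length > 1 ? noQuery.replace(/\/+$/, '') : noQuery;
}

// Returns the response headers that decide whether a path may be framed.
function frameHeadersFor(urlPath) {
  const allowed = FRAMABLE_GADGETS[normalizePath(urlPath)];
  if (!allowed) {
    // Default: not framable at all, so a select-and-drag leak has no frame to start from.
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  // Gadget: only the named partner origins may frame it. X-Frame-Options has no
  // multi-origin form, so the allowlist lives in CSP and XFO is omitted.
  return {
    'Content-Security-Policy': `frame-ancestors ${allowed.join(' ')}`,
  };
}

// Usage with a Node http.ServerResponse: apply the policy before writing the body.
function attachFramingPolicy(res, urlPath) {
  const headers = frameHeadersFor(urlPath);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return headers;
}

// Browser-side guard for pages that must stay framable: when the page is inside a
// frame, refuse drag operations and make text unselectable, so a triple-click on the
// user's name cannot be dragged out to the framing page. Takes window/document as
// parameters so it can be exercised with fakes outside a browser.
function installDragGuard(win, doc) {
  if (win.self === win.top) return false; // top-level page, nothing to guard
  doc.addEventListener('dragstart', (ev) => ev.preventDefault(), true);
  doc.documentElement.style.userSelect = 'none';
  return true;
}

if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  installDragGuard(window, document);
}
```

The drag guard only raises the bar on the gadget pages; the real protection is the default-deny header, since, as the thread notes, a single framable page that lets the user publish data is enough for the leak to work.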
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/