New word? "Clickjack(ing)"
Wilson Gray
hwgray at GMAIL.COM
Thu Sep 25 18:00:36 UTC 2008
http://blogs.zdnet.com/security/?p=1972&tag=nl.e589
"September 25th, 2008
_Clickjacking_: Researchers raise alert for scary new cross-browser
exploit/threat affecting all the major desktop platforms — Microsoft
Internet Explorer, Mozilla Firefox, Apple Safari, Opera, and Adobe
Flash."
"In a nutshell, [clickjacking occurs] when you visit a malicious
website and the attacker is able to take control of the links that
your browser visits. The problem affects all of the different
browsers, except something like lynx. The issue has nothing to do with
JavaScript, so, turning JavaScript off in your browser will not help
you. It's a fundamental flaw with the way your browser works and
cannot be fixed with a simple patch. With this exploit, once you're on
the malicious web page, the bad guy can make you click on any link,
any button, or anything on the page, without your even seeing it
happening."
"eBay, for example, would be vulnerable to this, since you could embed
JavaScript into the web page, although JavaScript is not required to
exploit this. 'It makes it easier in many ways, but you do not need
it.' Use lynx to protect yourself and don't do dynamic anything. You
can 'sort of' fill out forms and things like that. The exploit
requires DHTML. Not letting yourself be framed (framebusting code)
will prevent cross-domain _clickjacking_, but an attacker can still
force you to click any links on [his own] page. Each click by the
user equals a _clickjacking_ click, so something like a Flash game is
perfect bait."
-Wilson
--
All say, "How hard it is that we have to die"---a strange complaint to
come from the mouths of people who have had to live.
-----
-Mark Twain
------------------------------------------------------------
The American Dialect Society - http://www.americandialect.org