Today I got mail form Mozilla:
We will work with RSnake and Jeremiah to refine our definition of Clickjacking. Thank-you. - -Dan Veditz Mozilla Security Team
- -Dan Veditz
Mozilla Security Team
This was regarding my last mail to Mozilla in which I had sent an Advisory to Mozilla about the Clickjacking. But as always there was again slight differences between mine and their definition of Clickjacking.Then I verified the case with none other than RSnake and Jeremiah, who replied me:
RSnake’s Response:
-----Original Message-----From: RSnake [mailto:h@ckers.org] Sent: Wednesday, February 18, 2009 4:18 AMTo: Nilesh Kumar (India)Subject: Re: Clickjacking
Answers inline.
Nilesh Kumar (India) wrote:> Hi RSnake!> Thanks for quick response. I want your kind help regarding it a bit> more.>> I agree with your theory. But I want your comments regarding all the> three specific cases I have described.>> Case 1. Used a frame to load a website in background and overlapped an> invisible div tag exactly over the button to be clicked. So user can see> the legitimate button in the background and clicks it whereas he> actually clicks invisible div tag over it and get redirected to another> malicious site.>>
Yes, this is one form of clickjacking.
And this is what Jeremiah says via LinkedIn mail:
On 02/18/09 7:51 AM, Jeremiah Grossman wrote:--------------------Case 1 most closely resembles Clickjacking. The following white paper will have more details and diagrams.
http://www.sectheory.com/clickjacking.htm
I forwarded the responses to Mozilla and finally they are again verifying their facts.Thanks to RSnake and Jeremiah for their encouraging words!
We will work with RSnake and Jeremiah to refine our definition of Clickjacking. Thank-you. - -Dan Veditz Mozilla Security Team
- -Dan Veditz
Mozilla Security Team
This was regarding my last mail to Mozilla in which I had sent an Advisory to Mozilla about the Clickjacking. But as always there was again slight differences between mine and their definition of Clickjacking.Then I verified the case with none other than RSnake and Jeremiah, who replied me:
RSnake’s Response:
-----Original Message-----From: RSnake [mailto:h@ckers.org] Sent: Wednesday, February 18, 2009 4:18 AMTo: Nilesh Kumar (India)Subject: Re: Clickjacking
Answers inline.
Nilesh Kumar (India) wrote:> Hi RSnake!> Thanks for quick response. I want your kind help regarding it a bit> more.>> I agree with your theory. But I want your comments regarding all the> three specific cases I have described.>> Case 1. Used a frame to load a website in background and overlapped an> invisible div tag exactly over the button to be clicked. So user can see> the legitimate button in the background and clicks it whereas he> actually clicks invisible div tag over it and get redirected to another> malicious site.>>
Yes, this is one form of clickjacking.
And this is what Jeremiah says via LinkedIn mail:
On 02/18/09 7:51 AM, Jeremiah Grossman wrote:--------------------Case 1 most closely resembles Clickjacking. The following white paper will have more details and diagrams.
http://www.sectheory.com/clickjacking.htm
I forwarded the responses to Mozilla and finally they are again verifying their facts.Thanks to RSnake and Jeremiah for their encouraging words!
Comments