To make that happen, the attacker would still need to trick the victim into clicking on this button. But as Palant observed, the page contained no protection against framing, meaning it was susceptible to clickjacking. So his proof-of-concept attack did just that, loading the vulnerable page in an invisible frame and positioning it under the mouse cursor so any click would be passed through to the hidden button. Thereafter, the page could message Screencastify to fetch the victim's Google access token and ask Google for the user's identity.
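The missing framing protection described above can be checked from a page's response headers. The following is an added example, not code from the article or from Screencastify; the function name `framingProtection` and its return labels are assumptions, and it assumes the page is delivered with ordinary HTTP response headers.

```javascript
// Added example (not from the original article): classify how well a page's
// HTTP response headers protect it from being framed by another origin.
function framingProtection(headers) {
  // headers: object mapping header name -> string value.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // Collect every frame-ancestors source list; comma-joined policies all apply.
  const lists = [];
  for (const policy of (h['content-security-policy'] || '').split(',')) {
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() === 'frame-ancestors') {
        lists.push(sources.map((s) => s.toLowerCase()));
        break; // only the first occurrence within a policy counts
      }
    }
  }
  if (lists.length > 0) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    const strict = lists.filter((l) => !l.includes('*'));
    if (strict.length === 0) return 'unprotected'; // every policy allows any ancestor
    if (strict.some((l) => l.length === 0 || l.includes("'none'"))) return 'blocked';
    if (strict.every((l) => l.length === 1 && l[0] === "'self'")) return 'same-origin';
    return 'allowlist';
  }

  // Fallback: X-Frame-Options. ALLOW-FROM is obsolete and ignored by current browsers.
  const xfo = new Set((h['x-frame-options'] || '').split(',')
    .map((v) => v.trim().toLowerCase()).filter(Boolean));
  const known = ['deny', 'sameorigin', 'allowall'].some((v) => xfo.has(v));
  // The HTML Standard blocks framing when several values include a known keyword.
  if (xfo.size > 1 && known) return 'blocked';
  if (xfo.has('deny')) return 'blocked';
  if (xfo.has('sameorigin')) return 'same-origin';
  return 'unprotected';
}
```

A result of `unprotected` means any other origin can load the page in a frame, which is the precondition for the clickjacking described above.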