

New clickjacking attacks expose your Gmail messages & Facebook/Twitter identity - bumbledraven
https://docs.google.com/document/pub?id=1hVcxPeCidZrM5acFH9ZoTYzg1D0VjkG3BDW_oUdn5qc&pli=1

======
chime
The Google OAuth attack is pretty sneaky indeed. I noticed the popup being
created, positioned, and hidden upon the first click but I highly doubt most
regular users would. I wish there was an option in Chrome to force new tabs to
be opened instead of new windows and to completely disable popups for all
sites, always. I can't think of any reason why a site needs popups anymore,
especially since IFrames, OAuth, LightBox, JSONP etc. can handle pretty much
all the rich-media use cases.

~~~
sid0
Just use Firefox with browser.link.open_newwindow.restriction = 0?

~~~
icebraining
Yeah, here FF just opened a new tab ("Clickjacking is asking to...").

Well, no, actually it just showed the instructions - NoScript is awesome - but
_after_ I enabled scripts, it opened the tab.

------
mvzink
This reminds me of one of my favorite features of Stainless
(<http://www.stainlessapp.com/>): You could have one tab with a session in
which you are only logged into Google, and use that tab only on Google
websites, with a bookmark to access that session in a new tab. Then you would
not be logged into Google in any other tabs.

I would really like to see development of Stainless continued, or for some of
its security features to be adopted by Google Chrome. If anyone knows of such
functionality, I'd like to hear about it.

Also check out the Ghostery extension (<http://d.pr/DzJt>); it blocks some of
these sorts of elements (it doesn't, for example, block the Twitter follow
button, and I don't know whether it blocks Google's OAuth)

~~~
threepointone
+1 for another stainlessapp fan in the wild! I really wish they'd continued
development on it.

------
corin_

    Demo link: http://webperflab.com/david/like.html

I went there and clicked the like button; the information it drew up for me
was of a completely different profile.

    {"id":"224***","name":"Dennis******","first_name":"Dennis","last_name":"******","link":"http://www.facebook.com/dennis******","username":"dennis*****","gender":"male","locale":"en_US"}

_(Stars added by me to protect privacy of that person)._

~~~
leoh
This has to do with the way the algorithm works. When you click
like, you like a page. Then, a server-side script on webperflab's server
contacts Facebook's opengraph, gets a list of users, looks up information on
the last user that liked the page, makes that user "unlike" the page (the page
can do that, it's like kicking a user out of a group), and then returns
information about that user. If, for example, another user likes the page
before the script can return information about you, it will return information
about the other user. The demo could probably fix this issue by having
multiple groups.

------
yuhong
Ideally the deanonymization attacks would not mean much if it was just that,
but that is another mess altogether. Of course, the Google OAuth attack is
much more serious.

------
ronnier
This is why I never remain logged in to Google. I don't use Facebook. I imagine
things like this might increase with people remaining logged into G+?

~~~
icebraining
Personally, I just have a personal Google account without any personal data
(well, except for Reader subscriptions, but that's not really important) for
normal browsing in Firefox, and a Google Apps account that I use in Chrome
just for contacts/calendar/email.

Now with Google+, keeping that separation would be more difficult if I wanted
to use it, though, since I'd lose the integration between normal browsing and
G+.

------
Sephr
The OAuth attack can be solved the way Firefox solved the double-click attack
for installing plugins and add-ons: temporarily disabling the positive button
for 2-3 seconds, though in this case it should be disabled indefinitely until
there is mouse focus over the button and only then the delay to enable the
button should initiate.
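
One way to implement the hover-then-delay idea from the comment above, as an added example that is not code from the thread or from the demo page: the approve button stays disabled until the pointer actually rests on it, and only then does a short countdown start before clicks are honoured. A popup that is moved under the cursor mid-click never goes through that hover-then-wait sequence, so its first click is dropped. The 2-second value, the rule that leaving the button disarms it, and the `#approve` button id are assumptions.

```javascript
const ARM_DELAY_MS = 2000; // assumed; the comment suggests 2-3 seconds

// Pure timing logic, kept separate from the DOM so it can be tested offline.
class ArmedDelayGuard {
  constructor(delayMs = ARM_DELAY_MS, now = () => Date.now()) {
    this.delayMs = delayMs;
    this.now = now;       // injectable clock
    this.armedAt = null;  // time the pointer entered the button, or null when disarmed
  }
  pointerEnter() { if (this.armedAt === null) this.armedAt = this.now(); }
  pointerLeave() { this.armedAt = null; }   // assumption: leaving the button disarms it
  isEnabled() {
    return this.armedAt !== null && this.now() - this.armedAt >= this.delayMs;
  }
  // True only when a click should be honoured: pointer is over the button and the delay elapsed.
  accept() { return this.isEnabled(); }
}

// Browser wiring (standard DOM events; skipped automatically when no document exists).
function guardButton(button, guard = new ArmedDelayGuard()) {
  let timer = null;
  button.disabled = true; // disabled indefinitely until the pointer rests on it
  button.addEventListener('pointerenter', () => {
    guard.pointerEnter();
    timer = setTimeout(() => { button.disabled = !guard.isEnabled(); }, guard.delayMs);
  });
  button.addEventListener('pointerleave', () => {
    clearTimeout(timer);
    guard.pointerLeave();
    button.disabled = true;
  });
  // Capture-phase check so a premature click never reaches the real approve handler.
  button.addEventListener('click', (event) => {
    if (!guard.accept()) { event.preventDefault(); event.stopImmediatePropagation(); }
  }, true);
  return guard;
}

if (typeof document !== 'undefined') {
  const approve = document.querySelector('#approve'); // hypothetical consent button
  if (approve) guardButton(approve);
}
```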

------
nebbsen
I'm using the WidgetBlock Extension for Google Chrome
(<https://chrome.google.com/webstore/detail/hgiihiookhijpbhaflohognbhmamdnol>)
and it seems to block the like button on the first demo. The OAuth demo
still works though.

------
misterbee
I get a Google login window when I click this link.

