
New clickjacking affects all browsers; cause remains unknown - makimaki
http://arstechnica.com/news.ars/post/20080926-new-clickjacking-affects-all-browsers-cause-remains-unknown.html
======
palish
Ok, I'll bite: Does anyone have an idea how this exploit works?

~~~
kirse
I'm sure it involves iframes and some sort of absolute CSS positioning. That's
about as flexible as you can get if JavaScript is off. (I'd guess the affected
Adobe product is Flash)

~~~
gojomo
Hmm, can you open an IFrame that is transparent, at a desired scroll-offset,
and still receives clicks?

Then you could, for example, open an Amazon IFrame with the region at Amazon
you know to be a one-click-order button exactly aligned over an attractive
click-region in your exploit page.

If you can still detect the click before it goes to the IFrame, you could also
simulate the click on your page so the 'teeing off' of the click to another
site stays unnoticed.

