A novel (to me) browser security hole that can be readily exploited using interactive DHTML and Flash. The basic problem: how do you know that what you're clicking on is actually sending the event to the subject you intended? Given that it's very easy to layer content these days, to get those full-page ads or zoomable content, what if the thing being clicked on has a click interceptor in front of it?
Supposedly Flash 10 has fixes for this; I wonder what in particular they did. Here's the original post at TechRepublic.
The related proof of concept at Guya shows clickjacking being used to grant access to the webcam in Flash; it no longer works. Great job at Adobe for patching the webpage quickly, but note they did this at the expense of legacy browsers.
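An added example, not code from the original post: a simplified model of the layering problem described above, which flags a click when the layer that receives the event is not the layer the user can see. The layer fields, names and opacity threshold are assumptions made for illustration, and real browser stacking rules are more involved.

```javascript
// Constructed model of a page's stacked layers (plain objects, not real DOM nodes).
// Each layer: name, rect {x, y, w, h}, z (stacking order), opacity (0..1),
// and optional pointerEvents (false models CSS "pointer-events: none").
function covers(layer, x, y) {
  const r = layer.rect;
  return x >= r.x && x < r.x + r.w && y >= r.y && y < r.y + r.h;
}

// The layer that actually receives the click: the highest z that covers
// the point and accepts pointer events.
function clickReceiver(layers, x, y) {
  return layers
    .filter((l) => covers(l, x, y) && l.pointerEvents !== false)
    .sort((a, b) => b.z - a.z)[0] || null;
}

// The layer the user believes they are clicking: the highest z covering
// the point that is visible (opacity at or above an assumed threshold).
function perceivedTarget(layers, x, y, minOpacity = 0.5) {
  return layers
    .filter((l) => covers(l, x, y) && l.opacity >= minOpacity)
    .sort((a, b) => b.z - a.z)[0] || null;
}

// Click integrity holds only when both answers are the same layer.
function checkClickIntegrity(layers, x, y) {
  const receiver = clickReceiver(layers, x, y);
  const perceived = perceivedTarget(layers, x, y);
  return {
    receiver: receiver && receiver.name,
    perceived: perceived && perceived.name,
    ok: receiver === perceived,
  };
}

// Constructed sample: a visible button with a fully transparent layer on top.
const button = { name: "play-button", rect: { x: 100, y: 100, w: 80, h: 30 }, z: 1, opacity: 1 };
const overlay = { name: "invisible-overlay", rect: { x: 0, y: 0, w: 400, h: 300 }, z: 10, opacity: 0 };

console.log(checkClickIntegrity([button, overlay], 120, 110)); // mismatch: ok is false
console.log(checkClickIntegrity([button], 120, 110));          // no interceptor: ok is true
```
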
{ 1 comment }
Browser DHTML can hide what you’re actually clicking. The concern at Adobe was hiding the Flash cam/mic permissions dialog. This was prevented in FP10 (and soon, FP9) by making a system call to make sure the dialog is actually being displayed when it’s clicked on.
All the Adobe change does is prevent Flash from being abused by this still-unaddressed flaw among all popular browsers. The larger issue of browsers being unable to assure “click integrity” still remains.
More:
http://weblogs.macromedia.com/jd/archives/2008/10/on_clickjacking.html
http://blogs.adobe.com/jd/2008/10/clickjacking_reporters.html
jd/adobe