←back to thread

DoubleClickjacking: A New type of web hacking technique

(www.paulosyibelo.com)
237 points shinzub | 1 comments | 14 Jan 25 04:44 UTC | HN request time: 0.247s | source
Show context
gwbas1c ◴[17 Jan 25 20:28 UTC] No.42742918[source]
I'm a little skeptical that this is a real exploit.

When I watched the Salesforce video, the exploit was demonstrated by pointing the browser at a file on disk, not on a public website. I also don't understand the "proof," IE, something showed up in the salesforce inbox, but I don't understand how that shows that the user was hacked. It appears to be an automated email from an identity provider.

I also don't understand when the popup is shown, and what the element is when the popup is closed.

Some slow-mo with highlighting on the fake window, and the "proof of exploit," might make this easier to understand and demonstrate

replies(2): >>42743027 #>>42747156 #
1. stavros ◴[18 Jan 25 09:51 UTC] No.42747156[source]
It doesn't matter where the file was, the page simply redirects itself to the Salesforce website and opens a popover with the "double click me" button over the "allow" button in the window below.