Comment by chatmasta

2 months ago

The exploit would be more effective if it obfuscated the UI on the authorization (victim) page. Right now, even if you double click a convincing button, it’s extremely obvious that you just got duped (no pun intended).

Sure, maybe the attacker can abuse the access privileges before you have a chance to revoke them. But it’s not exactly a smooth clickjacking.

I’d start by changing the dimensions of the parent window (prior to redirecting to victim) to the size of the button on the target page - no need to show everything around it (assuming you can make it scroll to the right place). And if the OAuth redirects to the attacker page, it can restore the size to the original.

Back in the day, this trick was used for clickjacking Digg upvotes.

Can you open a tiny iframe then scroll it to a particular location on the page, or do HTML and JS not allow that?

You can change the visibility of the target page so they wouldn't know

  • I don't think you can, but you could open a popup over the target to hide the authorisation page to make it a little less obvious. JS also has a window.close() function for opened windows, but I believe browsers might show a warning when you try that on an external origin.

    One could also confuse the user by spawning a whole bunch of tabs for other services after clicking the authorise button, making the user think something weird is going on and closing all the tabs that just popped up without realising they clicked the authorisation button.