[Webkit-unassigned] [Bug 91820] New: Click-jacking is possible between touch events and click events.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jul 19 22:51:58 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=91820

           Summary: Click-jacking is possible between touch events and
                    click events.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
               URL: http://jelzo.com/stuff/click-jack.html
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Event Handling
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: conrad.irwin at gmail.com


When a user touches a touch screen, WebKit first fires touchstart-touchmove-touchend events, and then later fires a click event.

The click event is sent to the same coordinates in the document as the touch events, but as the touch events may alter the DOM, the click can easily be targeted to any element of an attacker's choice (including for example a button in an iframe).

This can be seen at http://jelzo.com/stuff/click-jack.html. When tapping on "Click me!", the click handler for "Not me!" fires; and when tapping on the plain text "follow me on twitter", the button in the iframe is triggered.

* Gecko (tested with Firefox 14.01 on Android 4.0) does not exhibit this problem

* Presto (tested with Opera Mobile 12.0.3 on Android 4.0) does not exhibit this problem when the target of the click is in an <iframe> (the follow me on twitter example); but does when the target is just another link on the same page (the click me! example).

* WebKit (tested in Chrome 18.0.1025123 on Android 4.0; Dolphin Browser HD 8.6.1 on Android 4.0; Dolphin Browser 5.2 on iPad 5.1.1; Safari on iPad 5.1.1) does exhibit this problem.

On this example I think Firefox's behaviour is the best (though I haven't investigated why it acts that way); and Opera's is a reasonable compromise.
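
The event ordering described in the report, reduced to a toy model in plain JavaScript (an added example, not part of the original report and not WebKit code). `hitTest`, `dispatchTap`, the policy names and the sample page are hypothetical; the "bound" policy is an assumed mitigation for comparison, not a description of what Gecko or Presto actually do.

```javascript
// Toy model of tap dispatch. A page is a list of boxes; later entries are on top.
function hitTest(page, x, y) {
  for (let i = page.length - 1; i >= 0; i--) {
    const b = page[i];
    const inside = x >= b.x && x < b.x + b.w && y >= b.y && y < b.y + b.h;
    if (!b.hidden && inside) return b;
  }
  return null;
}

// Dispatch one tap at (x, y). `policy` selects how the click is targeted:
//   "rehit": hit-test again when the click fires (the behaviour the report describes)
//   "bound": assumed mitigation, deliver the click only if the element under the
//            finger is still the one that received touchstart
function dispatchTap(page, x, y, policy) {
  const log = [];
  const touchTarget = hitTest(page, x, y);
  if (!touchTarget) return log;
  for (const type of ["touchstart", "touchmove", "touchend"]) {
    log.push(`${type}:${touchTarget.id}`);
    // Touch handlers run before the click and are free to change the page.
    if (touchTarget.on && touchTarget.on[type]) touchTarget.on[type](page);
  }
  const clickTarget = hitTest(page, x, y); // same coordinates, possibly new element
  if (policy === "bound" && clickTarget !== touchTarget) {
    log.push("click:suppressed");
  } else if (clickTarget) {
    log.push(`click:${clickTarget.id}`);
  }
  return log;
}

// Constructed sample page: "not-me" starts hidden underneath "click-me", and the
// touchend handler swaps which of the two is visible at the tap point.
function samplePage() {
  return [
    { id: "not-me", x: 0, y: 0, w: 100, h: 40, hidden: true },
    { id: "click-me", x: 0, y: 0, w: 100, h: 40, hidden: false,
      on: { touchend: (page) => { page[0].hidden = false; page[1].hidden = true; } } },
  ];
}
```
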
