[Webkit-unassigned] [Bug 91820] New: Click-jacking is possible between touch events and click events.
bugzilla-daemon at webkit.org
Thu Jul 19 22:51:58 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=91820
Summary: Click-jacking is possible between touch events and click events.
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
URL: http://jelzo.com/stuff/click-jack.html
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: Event Handling
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: conrad.irwin at gmail.com
When a user touches a touch screen, WebKit first fires touchstart, touchmove and touchend events, and then later fires a click event.
The click event is sent to the same coordinates in the document as the touch events, but as the touch events may alter the DOM, the click can easily be targeted to any element of an attacker's choice (including, for example, a button in an iframe).
This can be seen at http://jelzo.com/stuff/click-jack.html. When tapping on "Click me!", the click handler for "Not me!" fires; and when tapping on the plain text "follow me on twitter", the button in the iframe is triggered.
* Gecko (tested with Firefox 14.01 on Android 4.0) does not exhibit this problem
* Presto (tested with Opera Mobile 12.0.3 on Android 4.0) does not exhibit this problem when the target of the click is in an <iframe> (the "follow me on twitter" example); but does when the target is just another link on the same page (the "click me!" example).
* WebKit (tested in Chrome 18.0.1025123 on Android 4.0; Dolphin Browser HD 8.6.1 on Android 4.0; Dolphin Browser 5.2 on iPad 5.1.1; Safari on iPad 5.1.1) does exhibit this problem.
On this example I think Firefox's behaviour is the best (though I haven't investigated why it acts that way); and Opera's is a reasonable compromise.
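A page-side mitigation for the retargeting described in this report, written as an added example (not code from the reporter, the linked demo page or WebKit): the page records the element that received each touchend and drops a click that arrives at the same point shortly afterwards but lands on a different element. The thresholds (tapWindowMs, slopPx) and the requireTouch option are assumptions chosen for illustration.

```javascript
// Assumed thresholds: how long after touchend a click still counts as the same
// tap, and how far the click point may drift from the touch point.
const DEFAULTS = { tapWindowMs: 1000, slopPx: 10, requireTouch: false };

// touchend carries its coordinates on changedTouches[0]; click carries its own.
function pointOf(ev) {
  const src = (ev.changedTouches && ev.changedTouches[0]) || ev;
  return { x: src.clientX, y: src.clientY };
}

function sameOrAncestor(a, b) {
  return a === b || (typeof a.contains === 'function' && a.contains(b));
}

// Returns { onTouchEnd, onClick } to register on `document` in the capture
// phase, so onClick runs before the retargeted element's own click handler.
function createClickGuard(options) {
  const cfg = Object.assign({}, DEFAULTS, options);
  let lastTouch = null; // { target, x, y, at } of the most recent touchend

  function onTouchEnd(ev) {
    const p = pointOf(ev);
    lastTouch = { target: ev.target, x: p.x, y: p.y, at: ev.timeStamp };
  }

  // Returns true when the click was suppressed.
  function onClick(ev) {
    const touch = lastTouch;
    lastTouch = null; // each touchend vouches for at most one click
    let suspicious;
    if (!touch) {
      // No touch preceded this click. Harmless for a mouse, but a page that
      // only expects taps (e.g. one served inside an iframe) can treat it as
      // the report's case where the touch landed on the embedding document.
      suspicious = cfg.requireTouch;
    } else {
      const p = pointOf(ev);
      const sameTap = ev.timeStamp - touch.at <= cfg.tapWindowMs &&
        Math.abs(p.x - touch.x) <= cfg.slopPx && Math.abs(p.y - touch.y) <= cfg.slopPx;
      // Same tap, but the element under the finger changed between touch and click.
      suspicious = sameTap && !sameOrAncestor(touch.target, ev.target);
    }
    if (!suspicious) return false;
    ev.preventDefault();
    ev.stopPropagation();
    return true;
  }
  return { onTouchEnd, onClick };
}
```

On a real page register both handlers with `document.addEventListener(type, handler, true)`; note that a legitimate touch handler which redraws the page under the finger produces the same touch-then-click sequence and will also be blocked, since the browser gives the page no way to tell the two apart.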