Clickjacking
Posted by: ndebord
Date: January 30, 2009 03:57AM

Anybody know if this clickjacking flaw also hits K-Meleon, along with Chrome and FF?

http://news.zdnet.com/2100-9595_22-264761.html

N

Re: Clickjacking
Posted by: Fred
Date: January 30, 2009 08:18AM

It may very well be that K-Meleon is vulnerable to
clickjacking. Only disabling Javascript can make you
more or less secure. Using NoScript may help also,
but this is not yet ascertained.
Some details here :

http://www.heise-online.co.uk/news/Popular-browsers-continue-to-be-vulnerable-to-clickjacking-attacks-Updated--/112518

Fred

Re: Clickjacking
Posted by: guenter
Date: January 31, 2009 02:12AM


Finally leads to a POC that uses onClick to substitute a URL, silly.

Fred's link ends with a comment from the NoScript dev.

p.s. Eyes-Only once said that it is up to the user to do dangerous things.

BTW. I go to my bank. Close my browser - then restart too. I go downtown or... for... - like in real life.

My banker recommended it - :O



Edited 2 time(s). Last edit at 01/31/2009 02:17AM by guenter.

Re: Clickjacking
Posted by: ndebord
Date: January 31, 2009 02:51AM

Fred,

My custom is to use Privacy Bar with Java and Javascript turned off unless it is a site I must use. So there is some comfort there. I wondered about how NoScript would handle new sites, which is the most likely place where problems would occur, so a list would not work?

N

Re: Clickjacking
Posted by: Fred
Date: January 31, 2009 04:54AM

If you have a whitelist containing only a few sites
that you believe to be trustworthy (or better, that
you think are watched closely and frequently by the
responsible webmaster), and give permissions to no
other site, you should be rather safe; but if you allow
scripting each time you get stuck without JavaScript,
how safe you are depends on the anti-clickjacking power
of NoScript, which I cannot yet judge.
As Guenter said, it is advisable to clean the cache and
history, close down and restart the browser before
doing an important action.
There may still be the possibility that a bank site
has been changed, but then you could hold them
responsible for your damages.

Fred
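Both of Fred's posts turn on whether switching JavaScript off, or keeping NoScript's whitelist short, protects a visitor against clickjacking. The block below is an added example, not code from this thread or from the K-Meleon project, and it shows why the visitor's script settings are not the deciding factor: the attacking page needs no script at all, only a transparent iframe laid over a decoy button, so the real defence has to come from the framed site. The second part evaluates a site's response headers (X-Frame-Options, which IE8 was introducing around the time of this thread, and the later CSP frame-ancestors directive) roughly the way a browser does; the third part is the script-based frame-buster that sites relied on while browsers did not yet honour those headers. All origins, header values and the sample page are constructed for illustration; ports and the rarer CSP source forms are deliberately not handled, so treat the checker as a simplified model rather than a browser's exact behaviour.

```javascript
// Added example; not from the K-Meleon forum thread or the K-Meleon project.
// Runs under Node.js with no dependencies. All URLs and headers are constructed.

// 1. Anatomy of a clickjacking page. The victim site is loaded into an invisible
//    iframe stacked above a decoy button and shifted so the victim's real
//    button sits exactly under the decoy. Nothing here is JavaScript, so a
//    visitor who has scripting disabled still delivers the click to the frame.
function buildClickjackPage(targetUrl, decoyText, offsetX, offsetY) {
  return [
    '<!doctype html><html><head><style>',
    '  #decoy  { position:absolute; left:200px; top:200px; z-index:1; }',
    `  #target { position:absolute; left:${200 - offsetX}px; top:${200 - offsetY}px;`,
    '            width:1000px; height:800px; border:0; opacity:0; z-index:2; }',
    '</style></head><body>',
    `  <button id="decoy">${decoyText}</button>`,
    `  <iframe id="target" src="${targetUrl}"></iframe>`,
    '</body></html>',
  ].join('\n');
}

// 2. Site-side defence: may a page served with `headers` be framed by
//    `framerOrigin`? Simplified browser logic: a CSP frame-ancestors directive,
//    when present, takes precedence over X-Frame-Options; ports are ignored and
//    only 'none', 'self', '*', scheme:, host and *.host sources are understood.
function originParts(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)/i.exec(origin);
  return m ? { scheme: m[1].toLowerCase(), host: m[2].toLowerCase() } : null;
}

function sourceMatches(source, pageOrigin, framerOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return pageOrigin.toLowerCase() === framerOrigin.toLowerCase();
  if (s === '*') return true;
  const framer = originParts(framerOrigin);
  if (!framer) return false;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.scheme === s.slice(0, -1); // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(s);             // host-source
  if (!m) return false;
  if (m[1] && m[1] !== framer.scheme) return false;
  const host = m[2];
  if (host.startsWith('*.')) return framer.host.endsWith(host.slice(1)); // any subdomain
  return framer.host === host;
}

function canBeFramed(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const csp = h['content-security-policy'];
  if (csp) {
    for (const directive of csp.split(';')) {
      const tokens = directive.trim().split(/\s+/);
      if (tokens[0].toLowerCase() === 'frame-ancestors') {
        const sources = tokens.slice(1);   // an empty list behaves like 'none'
        const allowed = sources.some(src => sourceMatches(src, pageOrigin, framerOrigin));
        return { frameable: allowed, reason: 'CSP frame-ancestors ' + sources.join(' ') };
      }
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo !== undefined) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return { frameable: false, reason: 'X-Frame-Options: DENY' };
    if (value === 'SAMEORIGIN') {
      return { frameable: pageOrigin.toLowerCase() === framerOrigin.toLowerCase(),
               reason: 'X-Frame-Options: SAMEORIGIN' };
    }
    if (value.startsWith('ALLOW-FROM ')) {                 // obsolete, single origin only
      const allowed = originParts(xfo.trim().slice('ALLOW-FROM '.length));
      const framer = originParts(framerOrigin);
      const ok = !!(allowed && framer && allowed.scheme === framer.scheme && allowed.host === framer.host);
      return { frameable: ok, reason: 'X-Frame-Options: ALLOW-FROM (obsolete)' };
    }
    // Browsers ignore malformed values, which means no protection at all.
    return { frameable: true, reason: 'X-Frame-Options unrecognised: ' + xfo };
  }
  return { frameable: true, reason: 'no anti-framing header' };
}

// 3. Legacy script-based defence for browsers that ignore the headers above, as
//    most did when this thread was written. The page starts hidden and reveals
//    itself only when it is the top window; a framed copy tries to break out.
const FRAME_BUSTER =
  '<style id="antiClickjack">body{display:none !important;}</style>\n' +
  '<script>\n' +
  'if (self === top) {\n' +
  '  var s = document.getElementById("antiClickjack"); s.parentNode.removeChild(s);\n' +
  '} else {\n' +
  '  top.location = self.location;\n' +
  '}\n' +
  '</script>';

// Constructed sample responses for a fictional bank, checked from an attacker origin.
function demo() {
  const page = 'https://bank.example', attacker = 'https://attacker.example';
  const samples = [
    ['no header', {}],
    ['XFO DENY',  { 'X-Frame-Options': 'DENY' }],
    ['CSP self',  { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" }],
  ];
  return samples.map(([name, headers]) => [name, canBeFramed(headers, page, attacker)]);
}
console.log(demo());
```

The header check is the test to run against a site you are asked to trust: only the first sample is frameable. Note that SAMEORIGIN and 'self' merely push the question back to the site's own origin hygiene, and the frame-buster can itself be defeated by a parent that blocks navigation, which is why the headers replaced it once browsers supported them.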

Re: Clickjacking
Posted by: caktus
Date: February 02, 2009 02:08PM

Might there be a way to type the URL or click on a link without it using the cache, since clearing the cache each time is somewhat impractical?

Charlie

~~If it ain't broke, why screw it up?~~


Re: Clickjacking
Posted by: desga2
Date: February 02, 2009 04:36PM

You can disable cache.

K-Meleon in Spanish

Re: Clickjacking
Posted by: disrupted
Date: February 02, 2009 08:27PM

you can also use privacy mode profile:
http://kmeleonbrowser.org/forum/read.php?1,83391

Re: Clickjacking
Posted by: JamesD
Date: February 02, 2009 11:07PM

Quote
caktus
Might there be a way to type the URL or click on a link without it using the cache, since clearing the cache each time is somewhat impractical?

Maybe use this CommandID in some way.

ID_NAV_FORCE_RELOAD
Reload current page without cache query.
