Details of the much-talked-about Clickjack exploit are now available on Jeremiah Grossman’s blog, RSnake’s blog and Adobe’s website. Jeremiah and RSnake were meant to demonstrate clickjack at a recent conference but decided not to, in order to give the vendors time to address the problem. Given that this exploit can be used to remotely use a victim’s webcam and/or microphone, the implications for stalking, industrial espionage or indeed national security highlight that the guys were right to wait.
Jeremiah and RSnake should be commended for how they handled this issue, and credit should also go to the Adobe PSIRT for their response to the problem.
