Thursday, January 22, 2009

ClickJacking

In October last year there was discussion about a vulnerability discovered by RSnake and Jeremiah Grossman in the Adobe Flash framework and all major browsers. Among other things, an attacker could control the user's web camera and microphone, viewing the user's actions and recording any speech. This could be used for real-time surveillance of an individual.

The attack involves getting the user to click on seemingly harmless buttons or links on web pages. However, because of a concealed link, the user is actually clicking on an entirely different link or button from the one he appears to be on. This can be used to get him to navigate to unknown web pages, or to dismiss alert boxes. The attack is carried out by creating an iframe with the malicious link in its top-left corner and embedding it in the harmless page that the user is shown. This iframe is made invisible by turning the opacity down, and is made to hover just under the user's mouse pointer. As a result, regardless of where the user clicks, the malicious link is clicked. In Flash, the attacker can enable the microphone and web cam, and get the user to click on 'yes' to all the confirmation dialogs that come up.

The paper explaining the details is available here and a demonstration of the attack can be seen over here.
