[whatwg] Dealing with UI redress vulnerabilities inherent to the current web

Michal Zalewski lcamtuf at dione.cc
Mon Sep 29 16:09:03 PDT 2008


On Tue, 30 Sep 2008, Robert O'Callahan wrote:

> If the chat gadget is configured to only talk to the site owner, how can it
> be abused? I suppose the site owner can discover the chat nick of a visitor
> who otherwise wouldn't want to disclose it. That's a risk that the chat
> system developers might very well be willing to accept.

Assume you are logged in with Facebook, Google, or any other "common" 
party that provides general chat / calendar services or anything of that 
kind; and let's say this party permits site operators embed a gadget that 
shows every visitor a schedule of events advertised on a page overlaid on 
top of visitor's schedule (with the option to add these to your calendar, 
or edit your calendar data - it does not have to be read-only); or gives 
you the opportunity to chat, review and annotate documents, or otherwise 
collaborate with site owners using similar facilities provided by gadget 
operator in their third-party domain, in your capacity as the user logged 
in with said services.

[If the visitor is not logged in, such a gadget would not display, or 
would offer a login link that pops up a new https:// window.]

This is not a very far-fetched scenario - I've seen designs of this type - 
and they are very much possible and safe to arrange without disclosing any 
user-specific information to the page that embeds said gadgets. The only 
security problem arises with UI redress flaws; so it would be nice to 
offer viable alternatives for such applications, too.

>> That's a terrible user experience, by most accounts, and goes against the
>> concept of a gadget; I believe it is often avoided at all costs except when
>> absolutely necessary (e.g., login, where the user needs the opportunity to
>> verify URL, SSL status, etc).
>
> Maybe we can make it a better user experience, for example, by allowing 
> the new window/tab to appear as a new pane at the top or bottom of the 
> existing tab. That would nicely handle your chat example, IMHO.

Possibly.

/mz



More information about the whatwg mailing list