The Bikini Is No Longer Safe

Jeremiah Grossman sent this over this afternoon. No, do not click that scandalous picture of the bikini-clad girl… it’s just another example of clickjacking in the wild. Facebook has been hit by a clickjacking worm found by Gadi Evron. It’s called, funnily enough, the bikini worm. Just another great example of how defense keeps getting harder for the good guys. If you aren’t vulnerable to CSRF, you’re vulnerable to XSS. If you aren’t vulnerable to XSS, you’re vulnerable to clickjacking… and clickjacking needs neither a script injection nor a forgeable request: it loads the legitimate, logged-in page in an invisible frame and tricks the user into clicking the real button.

It’s just another great example of a combination of attacks, including my favorite: social engineering. The funniest part of this article is where Gadi admitted to finding the worm by way of clicking on it. Oh, Gadi… hahah!

It’s official. The biniki is no longer safe. Move along.

7 Responses to “The Bikini Is No Longer Safe”

  1. thrill Says:

    pic or it didn’t happen.

  2. Michael Hampton Says:

    Just for you, bikini worm.

    Supposedly the ClearClick feature in NoScript protects against clickjacking. I wouldn’t know, since I just ignore crap like that anyway.

  3. Rand Says:

    Um, he found it by “clicking” on it!!

  4. thrill Says:

    Looking at the kind of girls in bikinis you look at, it’s not a surprise you ignore it.

  5. MrBlogs Says:

    I’m assuming that it is the stylesheets that allow for actual page content to be hidden from the viewer? If this is the case, then when in doubt (and in Firefox at least) Menu->View->Page Style->No Style

    This should remove the CSS, and mess up the page - but at least any hidden content will get shown.
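An added example covering both the post's clickjacking worm and MrBlogs' guess above that it is the stylesheet hiding the real page; this is not code from the original page or its comments. The first function builds the attacker's page the way a clickjacking bait works (an opacity:0 iframe over a bait image), the second classifies a site's own response headers to say whether it can be framed that way. Hostnames such as target.example and evil.example and the sample header sets are constructed for illustration.

```javascript
// Added example for the post and for MrBlogs' comment above; it is not code
// from the original page. Hostnames (target.example, evil.example) and the
// sample header sets are constructed for illustration.

// --- Attacker side -------------------------------------------------------
// The victim sees only the bait image. The real target page is loaded in an
// <iframe> stacked on top of it at opacity:0 and shifted with negative
// offsets so the target's actual control (a "share" or "like" button, say)
// sits exactly under the bait. The click lands on the invisible frame and
// the browser delivers it to the target page with the victim's session
// cookies attached. The content is present, just hidden by the stylesheet.
function buildClickjackPage(targetUrl, baitImageUrl, buttonX, buttonY) {
  // buttonX/buttonY: pixel position of the wanted control inside the target
  // page; the frame is moved so that point lands at the bait's top-left.
  return [
    '<!doctype html><html><body style="margin:0;position:relative">',
    `<img src="${baitImageUrl}" style="position:absolute;top:0;left:0;z-index:1">`,
    `<iframe src="${targetUrl}" style="position:absolute;` +
      `top:${-buttonY}px;left:${-buttonX}px;width:2000px;height:2000px;` +
      'opacity:0;z-index:2;border:0"></iframe>',
    '</body></html>',
  ].join('\n');
}

// --- Defender side -------------------------------------------------------
// Classify a page's framing policy from its response headers (header names
// matched case-insensitively, as received over HTTP). Returns one of:
//   'denied'          nobody may frame the page
//   'same-origin'     only the page's own origin may frame it
//   'listed-origins'  only origins named in CSP frame-ancestors may frame it
//   'any'             any site may frame it, i.e. it is clickjackable
function framingPolicy(headers) {
  const header = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : String(headers[key]);
  };

  // CSP frame-ancestors takes precedence over X-Frame-Options in browsers
  // that support it, so check it first.
  const csp = header('content-security-policy');
  if (csp !== undefined) {
    const directive = csp
      .split(';')
      .map((d) => d.trim().split(/\s+/))
      .find((parts) => parts[0].toLowerCase() === 'frame-ancestors');
    if (directive) {
      const sources = directive
        .slice(1)
        .map((s) => s.toLowerCase().replace(/^'(.*)'$/, '$1'));
      // An empty source list means the same as 'none'.
      if (sources.length === 0 || sources.includes('none')) return 'denied';
      // '*' or a bare scheme such as https: lets any origin frame the page.
      if (sources.some((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s))) return 'any';
      if (sources.every((s) => s === 'self')) return 'same-origin';
      return 'listed-origins';
    }
  }

  const xfo = header('x-frame-options');
  if (xfo !== undefined) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return 'denied';
    if (value === 'SAMEORIGIN') return 'same-origin';
    // ALLOW-FROM never got broad browser support and any unrecognised value
    // is ignored, so such a page is still framable.
  }
  return 'any';
}

// Could an arbitrary third-party page (like the bikini bait) frame this one?
function clickjackable(headers) {
  return framingPolicy(headers) === 'any';
}

// Constructed sample header sets, the kind a pentester would collect with
// curl -I against a target's pages.
const samples = {
  unprotected: {},
  legacy: { 'X-Frame-Options': 'SAMEORIGIN' },
  modern: {
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
    'X-Frame-Options': 'SAMEORIGIN',
  },
  misconfigured: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
};

for (const [name, h] of Object.entries(samples)) {
  console.log(`${name.padEnd(14)} ${framingPolicy(h).padEnd(15)} clickjackable=${clickjackable(h)}`);
}
```

Run it with node; it prints one line per sample header set. The header check is the one to rely on: the JavaScript frame-buster of the day (`if (top != self) top.location = self.location`) is defeated by loading the page in an iframe with the `sandbox` attribute, which disables the framed page's scripts, so X-Frame-Options or CSP frame-ancestors should be sent by the server. NoScript's ClearClick, mentioned in the second comment, works on the client side instead by checking whether the element that received the click was actually visible to the user, which is why it can help even when the target sends nothing.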

  6. Gadi's Fan Says:

    Another monumental contribution of Gadi Evron to the infosec community.

  7. Nitin Says:

    The last sentence in your post says “biniki” instead of “bikini” :-P