The Bikini Is No Longer Safe
Jeremiah Grossman sent this over this afternoon. No, do not click that scandalous picture of that bikini-clad girl… it’s just another example of Clickjacking in the wild. Facebook has been hit by a clickjacking worm found by Gadi Evron. It’s called, funnily enough, the bikini worm. Just another great example of how defense just keeps getting harder for the good guys. If you aren’t vulnerable to CSRF, you’re vulnerable to XSS. If you aren’t vulnerable to XSS, you’re vulnerable to clickjacking…
It’s just another great example of a combination of attacks, including my favorite - social engineering. The funniest part of this article is where Gadi admitted to finding the worm by way of clicking on it. Oh, Gadi… hahah!
It’s official. The biniki is no longer safe. Move along.



November 23rd, 2009 at 3:58 pm
pic or it didn’t happen.
November 23rd, 2009 at 6:14 pm
Just for you, bikini worm.
Supposedly the ClearClick feature in NoScript protects against clickjacking. I wouldn’t know, since I just ignore crap like that anyway.
November 23rd, 2009 at 7:43 pm
Um, he found it by “clicking” on it!!
November 23rd, 2009 at 9:45 pm
@Michael
Looking at the kind of girls in bikinis you look at, it’s not a surprise you ignore it.
November 24th, 2009 at 5:07 pm
I’m assuming that it is the stylesheets that allow the actual page content to be hidden from the viewer? If this is the case, then, when in doubt (and in Firefox at least), use Menu->View->Page Style->No Style.
This should remove the CSS, and mess up the page - but at least any hidden content will get shown.
November 30th, 2009 at 7:36 am
Another monumental contribution of Gadi Evron to the infosec community.
December 16th, 2009 at 12:08 pm
The last sentence in your post says “biniki” instead of “bikini”