Bugs :  K-Meleon Forum
Clickjacking
Posted by: ndebord
Date: January 30, 2009 10:57AM

Anybody know if this clickjacking flaw also hits K-Meleon, along with Chrome and FF?

http://news.zdnet.com/2100-9595_22-264761.html

N

Re: Clickjacking
Posted by: Fred
Date: January 30, 2009 03:18PM

It may very well be that K-Meleon is vulnerable to
clickjacking. Only disabling Javascript can make you
more or less secure. Using NoScript may help also,
but this is not yet ascertained.
Some details here :

http://www.heise-online.co.uk/news/Popular-browsers-continue-to-be-vulnerable-to-clickjacking-attacks-Updated--/112518

Fred

Re: Clickjacking
Posted by: guenter
Date: January 31, 2009 09:12AM


Finally leads to a POC that uses onClick to substitute a URL, silly.

Fred's link ends with the comment of the NoScript dev.

p.s. Eyes-Only once said that it is up to the user to do dangerous things.

BTW, I go to my bank. Close my browser - then restart 2 I go downtown or... for...- like in real life.

My banker recommended it - surprised smiley



Edited 2 time(s). Last edit at 01/31/2009 09:17AM by guenter.

Re: Clickjacking
Posted by: ndebord
Date: January 31, 2009 09:51AM

Fred,

My custom is to use Privacy Bar with Java and Javascript turned off unless it is a site I must use. So there is some comfort there. I wondered about how NoScript would handle new sites, which is the most likely place where problems would occur, so a list would not work?

N

Re: Clickjacking
Posted by: Fred
Date: January 31, 2009 11:54AM

If you have a whitelist containing only a few sites
that you believe to be trustworthy (or better, that
you think are watched closely and frequently by the
responsible webmaster), and give permissions to no
other site, you should be rather safe, but if you allow
scripting each time when you get stuck without javascript,
it depends on the anti-clickjacking power of NoScript,
which I cannot yet judge, how safe you are.
As Guenter said, it is advisable to clean cache and
history, close down and restart the browser before
doing an important action.
There may still be the possibility, that a bank site
has been changed, but then you could hold them
responsible for your damages.

Fred

Re: Clickjacking
Posted by: caktus
Date: February 02, 2009 09:08PM

Might there be a way to type the url or click on a link without it using the cache since clearing the cache each time is somewhat impractical?

Charlie

~~If it ain't broke, why screw it up?~~


Re: Clickjacking
Posted by: desga2
Date: February 02, 2009 11:36PM

You can disable cache.

K-Meleon in Spanish

Re: Clickjacking
Posted by: disrupted
Date: February 03, 2009 03:27AM

you can also use privacy mode profile:
http://kmeleon.sourceforge.net/forum/read.php?1,83391

Re: Clickjacking
Posted by: JamesD
Date: February 03, 2009 06:07AM

Quote
caktus
Might there be a way to type the url or click on a link without it using the cache since clearing the cache each time is somewhat impractical?

Maybe use this CommandID in some way.

ID_NAV_FORCE_RELOAD
Reload current page without cache query.
