Abusing HTML5 permissions on browsers
The “clickjacking” attack provides an evil page or a way to trick into performing undesired actions such as deleting or posting a message on another website by clicking on a concealed link. Moreover, This attack can trick users to expose their credentials while they believe they are typing their sensitive information, but are instead of typing into an invisible frame controlled by the attacker. This can be achieved by a carefully crafted combination of stylesheets, iframes, and text boxes. This vulnerability has been found on many popular websites including Twitter, Facebook, Gmail, Paypal, and other sites.
Frequently, websites which are designed insecurely are the main targets of this attack. However, HTML5 permissions on browsers have this potential to be abused by deceiving users into clicking and allowing a specific API. For instance, if a user unintentionally allows a browser to access his webcam or microphone, this would cause an enormous privacy concern.
- A literature review of previous vulnerabilities
- Testing different browsers on desktop, tablet, and mobile
- Extracting different features of each browser