This web page hack is absurdly simple, and it's not really an exploit - just a side effect of Web 2.0.
Basically, using either Flash, an HTML iframe or CSS, you can craft a web page that is actually a layer on top of an entirely different secure website that's underneath in another invisible layer.
So for example, let's say you have a MySpace account and you have the password stored in your browser so you automatically log on to MySpace. If you go to a fraudulent page using this hack that has the MySpace login hiding in a layer under it, you can be conned into clicking on a box that actually logs you into MySpace; that fraudulent page can then run a script to change your password and send it to the hacker.
Almost any site that allows password stored logins is susceptible (and this is why most bank sites will NOT allow you to store your password). This threat has been known about for 2 or 3 years but not discussed much until a security firm did some research on it recently and discovered it was much more serious than previously believed. Adobe recently patched their Flash player to make this harder to do with Flash, but you can still do it with HTML or CSS.
Go here for an excellent (and harmless) example: http://snipurl.com/clickjack
Now Firefox itself doesn't protect you against this threat, but Firefox with the NoScript plugin does. EVEN IF YOU ENABLE ALL SCRIPTS GLOBALLY, NoScript will block this threat and also cross-site scripting (another serious exploit) by default.
Click Jacking: Another good reason to switch to Firefox
- FlyingPenguin
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez

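As an added example (not part of FlyingPenguin's post or of any product mentioned in it): the overlay trick above only works when the target site lets other sites embed it in a frame, so the fix that protects users regardless of browser or add-on is for the site to send framing restrictions. The code below applies the two relevant response headers the way a browser does, X-Frame-Options and the Content-Security-Policy frame-ancestors directive, and reports whether a given embedding origin would be allowed to frame the page; `buildFrameDefenseHeaders` returns the headers a server should send. The function names, the sample header sets and the origins `https://bank.example` and `https://evil.example` are constructed for this example.

```javascript
// Added example: decide whether an HTTP response permits the page to be
// embedded in a frame by another origin, and build the headers that forbid it.
// Header samples and origins below are constructed, not taken from any site.

// Extract the frame-ancestors source list from a CSP header value.
// Returns null when the directive is absent, otherwise an array of sources
// with surrounding quotes removed and lower-cased (e.g. "'self'" -> "self").
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Given response headers for a page served from `origin`, report whether a
// page at `embedder` may put it in an iframe. Header names are matched
// case-insensitively. Returns { framable, reason }.
function framingAllowed(rawHeaders, origin, embedder) {
  const headers = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    headers[name.toLowerCase()] = value;
  }
  origin = origin.toLowerCase();
  embedder = embedder.toLowerCase();

  // When CSP frame-ancestors is present it takes precedence over
  // X-Frame-Options. 'none' never matches, so it yields "not framable".
  const ancestors = frameAncestors(headers['content-security-policy']);
  if (ancestors !== null) {
    const permitted = ancestors.some(src =>
      src === '*' ||
      (src === 'self' && embedder === origin) ||
      src === embedder);
    return permitted
      ? { framable: true, reason: 'CSP frame-ancestors lists this embedder' }
      : { framable: false, reason: 'CSP frame-ancestors does not list this embedder' };
  }

  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') {
    return { framable: false, reason: 'X-Frame-Options: DENY' };
  }
  if (xfo === 'SAMEORIGIN') {
    return embedder === origin
      ? { framable: true, reason: 'X-Frame-Options: SAMEORIGIN with same-origin embedder' }
      : { framable: false, reason: 'X-Frame-Options: SAMEORIGIN blocks cross-origin embedder' };
  }
  // Any other value (including the obsolete ALLOW-FROM) is ignored by current
  // browsers, which leaves the page framable.
  return {
    framable: true,
    reason: xfo ? 'unrecognised X-Frame-Options value is ignored' : 'no framing restriction sent',
  };
}

// Headers a site should add to every response that must never be framed.
// Both are sent so that old browsers (X-Frame-Options) and new ones (CSP)
// are covered.
function buildFrameDefenseHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Usage with constructed sample responses.
const site = 'https://bank.example';
const attacker = 'https://evil.example';
const samples = {
  'no headers': {},
  'SAMEORIGIN only': { 'X-Frame-Options': 'SAMEORIGIN' },
  'hardened': buildFrameDefenseHeaders(),
};
for (const [label, headers] of Object.entries(samples)) {
  const verdict = framingAllowed(headers, site, attacker);
  console.log(`${label}: framable by ${attacker} = ${verdict.framable} (${verdict.reason})`);
}
```

A JavaScript frame-busting snippet inside the page is a weaker substitute: it runs only after the page loads and inside the attacker's frame, whereas the headers are enforced by the browser before any content is shown, which is why the check above looks at headers alone.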