I've been trying to comment on Chris Shiflett's post on the Twitter "Don't Click" debacle and can't seem to get authenticated through OpenID, so I'm having to post my reply here (below).
Caveat: I'm not an expert on anything and a n00b at a lot of things.
I liked the article; however, I want to disagree that it isn't a CSRF attack, since "The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have authenticated" (according to Wikipedia [oh no, I'm that guy. *sigh*]). @ramsey said it didn't affect him because he wasn't logged in on the website.
It seems to me that it used clickjacking (UI redressing) to carry out the authentication exploit.
Want to know the funny thing? The only reason I logged into the website was to follow @shiflett.
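To make the distinction being argued about concrete, here is an added example (not code from the original post, nor from Shiflett's article). It puts the markup of a classic CSRF page next to the markup of a UI-redressing page, and adds a small check for the response headers that stop a site from being framed, which is the defence against the redressing variant. The target host, the status endpoint and the field name are constructed stand-ins, not the real Twitter endpoints; the header check is a generic helper, not something the post describes.

```javascript
// Added example: CSRF markup vs. clickjacking (UI redressing) markup, plus a
// check for anti-framing response headers. Host, endpoint and field names are
// constructed for illustration; nothing here touches a network.

const TARGET = "https://example-microblog.test/home?status=Don%27t+Click"; // constructed URL

// Classic CSRF: the attacker's page itself issues the state-changing request.
// The victim does not have to click anything; they only need to be logged in so
// the browser attaches the session cookie to the cross-site request.
function csrfMarkup(action, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) => `<input type="hidden" name="${name}" value="${value}">`)
    .join("");
  return `<form id="f" method="POST" action="${action}">${inputs}</form>` +
         `<script>document.getElementById("f").submit()</script>`;
}

// Clickjacking / UI redressing: the victim's own click lands on the real site's
// button, framed invisibly over a decoy. This still depends on the victim being
// logged in to the framed site, which is why the post files it under CSRF.
function clickjackMarkup(framedUrl, decoyLabel) {
  return `<button style="position:absolute;top:100px;left:100px">${decoyLabel}</button>` +
         `<iframe src="${framedUrl}" ` +
         `style="position:absolute;top:0;left:0;width:600px;height:400px;opacity:0;z-index:2">` +
         `</iframe>`;
}

// Defence check for the framing variant: do these response headers stop an
// arbitrary cross-origin page from framing the target? Looks at X-Frame-Options
// (introduced by IE8 around the time of this post) and CSP frame-ancestors.
// Returns true when framing by an arbitrary origin is blocked.
function blocksCrossOriginFraming(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return true;

  const csp = h["content-security-policy"] || "";
  const directive = csp.split(";")
    .map(s => s.trim())
    .find(s => s.toLowerCase().startsWith("frame-ancestors"));
  if (directive) {
    // Strip the quotes CSP puts around keywords like 'none' and 'self'.
    const sources = directive.split(/\s+/).slice(1)
      .map(s => s.replace(/^'|'$/g, "").toLowerCase());
    // An empty list means 'none'. A wildcard or a bare scheme ("https:")
    // lets any origin on that scheme frame the page, so it does not block.
    const permissive = sources.some(s => s === "*" || /^[a-z][a-z0-9+.-]*:$/.test(s));
    return !permissive;
  }

  // Neither header present: any page may frame the target.
  return false;
}

// Stand-alone usage.
console.log(csrfMarkup("https://example-microblog.test/status/update", { status: "Don't Click" }));
console.log(clickjackMarkup(TARGET, "Don't Click"));
console.log(blocksCrossOriginFraming({ "X-Frame-Options": "DENY" }));
console.log(blocksCrossOriginFraming({}));
```

The point the two markup builders make is the one the post is circling: in both shapes the request that changes state is sent by the victim's browser with the victim's cookie, and a logged-out user is unaffected either way. What differs is who triggers it (the page, or the victim's misdirected click) and therefore which defence applies: anti-CSRF tokens stop the first shape but not the second, because a clickjacked submission goes through the real form with a valid token; only refusing to be framed stops the second.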