This has been used in the past to trick a user into clicking through a Flash security dialog, allowing the site owner to secretly access a user’s webcam and microphone. A patch was issued for Flash that blocks camera access in certain scenarios, but as James Padolsey illustrates with a Twitter Clickjack attack, there are numerous other ways this trick can be used to fool a user.
Using the basic technique of positioning an iframe over a button, coupled with Twitter’s ‘status’ URL parameter, I have created a small demo which shows you just how serious (and annoying) this could be!
What does this mean? It means anyone can update your Twitter status without you knowing! Actually, it’s YOU that’s updating it, you just don’t know at the time.
This is a pretty harmless example but I can imagine it being used for more sinister endeavours!
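The overlay trick described above only works if the target page can be loaded inside someone else's iframe, so the defender's check is whether the page's response headers forbid that. The following is an added example, not code from the original article or from the demo it describes: a small Node.js function that evaluates constructed sample headers (the header names and CSP directive are real; the origins are made-up samples) and reports whether a given origin would be allowed to frame the page.

```javascript
// Added example: decide whether a page may be framed by a given origin, based
// on its X-Frame-Options and Content-Security-Policy frame-ancestors headers.
// Origins in the tests are constructed samples. Scheme matching for host
// sources is deliberately simplified (scheme is ignored, host is compared).

function parseFrameAncestors(csp) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === "frame-ancestors") return parts.slice(1);
  }
  return null;
}

function sourceMatches(source, framerOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return framerOrigin === pageOrigin;
  // Scheme-only source such as "https:" matches any origin with that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framerOrigin.startsWith(s);
  // Host source, optionally with a leading wildcard label, e.g. *.example.com
  const host = s.replace(/^[a-z]+:\/\//, "");
  const framerHost = framerOrigin.replace(/^[a-z]+:\/\//, "");
  if (host.startsWith("*.")) return framerHost.endsWith(host.slice(1));
  return framerHost === host;
}

function canBeFramedBy(headers, framerOrigin, pageOrigin) {
  // frame-ancestors, when present, takes precedence over X-Frame-Options.
  const ancestors = parseFrameAncestors(headers["content-security-policy"]);
  if (ancestors) {
    return ancestors.some((src) => sourceMatches(src, framerOrigin, pageOrigin));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framerOrigin === pageOrigin;
  // No anti-framing header at all: any site can overlay this page.
  return true;
}

// Weak configuration (no header) beside the corrected one, on sample origins.
const weakHeaders = {};
const fixedHeaders = { "content-security-policy": "frame-ancestors 'self'" };
console.log(canBeFramedBy(weakHeaders, "https://attacker.example", "https://site.example"));  // true
console.log(canBeFramedBy(fixedHeaders, "https://attacker.example", "https://site.example")); // false
```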