false positive (i believe) on Capital One online
I get a false positive clickjacking attempt on: https://servicing.capitalone.com/C1/Login.aspx. I've reported the bug a few times. This is the number for one of those times: 446363. Also, I use LastPass, so I don't know if that has anything to do with the problem. Any help would be appreciated, thanks.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
- Giorgio Maone
- Site Admin
Re: false positive (i believe) on Capital One online
Yes, it's apparently due to LastPass graying out the underlying form.
Is there any way to disable this "shadowing" effect?
However, you can work around it by adding "servicing.capitalone.com" (without quotes) to the noscript.clearClick.exceptions about:config preference.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Re: false positive (i believe) on Capital One online
Hello, I tried the workaround changing the about:config setting but it didn't work. I think the reason is because the login request actually goes through "login.capitalone.....somethingsomthing" (the NoScript warning doesn't let me see the complete address), not 'servicing.capitalone.com'. My question is: if I add "getit *.capitalone.com" under the ClearClick exceptions, am I making myself vulnerable to someone that could possibly make a fake address like fake.capitalone.com or something like that?
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)