false positive (i believe) on Capital One online
Posted: Wed Oct 14, 2009 5:33 am
by malvao
I get a false positive clickjacking attempt on:
https://servicing.capitalone.com/C1/Login.aspx I've reported the bug a few times. This is the number for one of those times: 446363. Also I use LastPass, so I don't know if that has anything to do with the problem. Any help would be appreciated, thanks.
Re: false positive (i believe) on Capital One online
Posted: Wed Oct 14, 2009 8:04 am
by Giorgio Maone
Yes, it's apparently due to LastPass graying out the underlying form.
Is there any way to disable this "shadowing" effect?
However, you can work around it by adding "servicing.capitalone.com" (without quotes) to the noscript.clearClick.exceptions about:config preference.
Re: false positive (i believe) on Capital One online
Posted: Sun Oct 18, 2009 8:11 pm
by malvao
Hello, I tried the workaround changing the about:config setting but it didn't work. I think the reason is because the login request actually goes through "login.capitalone.....somethingsomthing" (the NoScript warning doesn't let me see the complete address) not 'servicing.capitalone.com'. My question is: if I add "getit *.capitalone.com" under the ClearClick exceptions, am I making myself vulnerable to someone that could possibly make a fake address like: fake.capitalone.com or something like that?