An apparent clickjacking, or UI redress, vulnerability in Google’s Chrome web browser could make it possible for attackers to glean users’ e-mail addresses, their first and last names and other information, according to recent work done by an Italian researcher.
Luca De Fulgentis, who writes about security for Nibble Security’s blog, detailed the issue earlier this week, along with a separate data extraction method.
De Fulgentis shows how a malicious page can extract a user’s information from a page on Google’s support forums. If users are logged in, their e-mail addresses, names and profile picture URLs can be extracted from the browser via support.google.com, while similar user information can be extracted from web resources belonging to Microsoft’s Live.com and Yahoo!’s Profiles pages.
De Fulgentis explains another data extraction technique: a two-step drag and drop method that relies on users being tricked into letting Chrome publish their data publicly.
Source: http://blog.nibblesec.org/2012/12/ui-redressing-mayhem-identification.html
http://majorgeeks.com/story.php?id=37117