Yeah, only the username. Still, that seems like a pretty hard thing to blind guess at in most attack scenarios if you can't get it through the cifs connect. My reading is that you couldn't brute force it, you'd have one chance to set up the iframe with the cookie file in it which needs the username, or at least just one chance per clickjacked drag action that the user executes for you.
If it's a targeted attack I suppose you have a better shot; are most home Windows user names set to the user's full name like "John Doe"?
> My reading is that you couldn't brute force it, you'd have one chance to set up the iframe with the cookie file in it which needs the username, or at least just one chance per clickjacked drag action that the user executes for you.
But if you made some sort of JavaScript "game" (which used drag and drop) and required the users to register their name first, then you should have a fairly high chance of guessing their username without CIFS.
That's my thinking; it seems like it'd be most relevant in a targeted attack. Presumably there aren't so many patterns of usernames that you'd run out of chances to get one.
It's clever! I don't want to take anything away from it, except that I think it's been written up somewhat breathlessly.
Grossman probably has a good point that most applications aren't even superficially protected against clickjacking, and so this isn't going to be a common attack any time soon.
I seem to recall at least one XP box that I've set up that came with a preconfigured account; if e.g. Dell does/did this, there may be a lot of such accounts out there...
Apropos little: UNC path filtering is something the Rails generation of webdevs have a bad habit of overlooking.
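The kind of filter that last comment is talking about, as an added example that is not from the thread or from Rails itself: a small Ruby helper that rejects user-supplied link or path values that look like UNC shares (`\\server\share`, `//server/share`), local drive paths, or `file:`/`smb:` URLs before they are echoed into an `href` or used in a filesystem lookup. The function names, the one-pass percent-decoding, and the sample inputs are assumptions made for the example.

```ruby
require 'uri'

# Added example (not from the thread): filter untrusted strings that a
# browser on Windows could turn into an SMB/UNC access when followed.
UNC_PREFIX = %r{\A\s*(?:\\\\|//)[^\\/]}   # \\server\share or //server/share
DRIVE_PATH = %r{\A\s*[A-Za-z]:[\\/]}      # C:\... absolute local path

# true when the value should be refused as a UNC/local/file-scheme target
def unc_like?(value)
  return false if value.nil?
  s = value.to_s.strip
  # Decode once so %5C%5Cserver does not slip past the raw-string regexes
  decoded = (URI.decode_www_form_component(s) rescue s)
  return true if decoded.match?(UNC_PREFIX) || decoded.match?(DRIVE_PATH)
  begin
    uri = URI.parse(decoded)
    # file: and smb: schemes are refused regardless of host
    return true if uri.scheme && %w[file smb].include?(uri.scheme.downcase)
  rescue URI::InvalidURIError
    return true   # unparsable input is refused rather than guessed about
  end
  false
end

# Returns the value only if it is a plain http(s) URL or a relative path;
# anything else (UNC, drive path, file:, javascript:, ...) yields nil.
def safe_href(value)
  return nil if unc_like?(value)
  s = value.to_s.strip
  uri = URI.parse(s)
  return s if uri.scheme.nil?                       # relative path
  %w[http https].include?(uri.scheme.downcase) ? s : nil
rescue URI::InvalidURIError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for a quick manual run
  ['https://example.com/a', '/docs/1', '\\\\fileserver\\share\\x.txt',
   '//fileserver/share', '%5C%5Cfileserver%5Cshare', 'file://fileserver/share',
   'C:\\Users\\x', 'javascript:alert(1)'].each do |v|
    puts "#{v.inspect} -> #{safe_href(v).inspect}"
  end
end
```

Rails' own `link_to` does not perform this check, so the helper is meant to run on any href or path that originates from user input before the template renders it.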