access2godzilla wrote: As I said, everything is theoretically possible, but in practical life: not so much. I've never bought things from Amazon, but I assume that the attacker is going to have a hard time pulling it off, since it would possibly involve:
<snip>
2. Somehow make me actually make the payment, detect my payment processor, enter my credit card details and make me pay.
Perhaps you don't realise that Amazon allows you - even encourages you - to set up all of your credit card details in your account, so that you can just click on one button and have something charged to your account and shipped to you. One click, done. It's part of their business model.
Flash player config page:
The system settings always override the settings of the online settings page for versions >= 10.3: https://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html#124401
Just an example. It was an early clickjacking target. There are other possibilities, e.g. cross-site request forgery that bypasses the usual token-checking defences (because it may be a form that was loaded from the legitimate site). The point is, making people click on things that they didn't intend can definitely be a security problem, not just a nuisance.