It looks like the bug never saw malicious use in the wild, because the developers who noticed it alerted Apple and kept the bug secret while it was fixed. Like other clickjacking attacks, the most likely use is to get a user to inadvertently click an ad. Although, an even more dangerous example is shown to harvest passwords.

If the StreetView and Maps additions in the latest iPhone software wasn’t enough to get you to download the free update, let this attack be reason enough.

Though the bug was apparently discovered by developer Wayne Pan, it was submitted by jQuery creator John Resig. Resig just keeps showing up for his various work. In addition to jQuery, he’s on the Firebug team at Mozilla, performance testing browsers and creating JavaScript animations.

See also:

• A Look at the ‘Clickjacking’ Web Attack and Why You Should Worry
• Hackers Are Watching You: Flash Clickjacking Vulnerability Exposes Webcams and Mics
• Flash Player 10 Solves Some, but not all ‘Clickjacking’ Attacks