"Clickjacking" Security Flaw Affects All Major Browsers
- Filed under: Tech News
- Date: Sep 28, 2008
It’s yet another browser flaw, but unlike others, it’s not isolated to one or two of the browsers out there. According to a security researcher, it’s a flaw — or rather, a class of flaws — common to every major web browser.
Originally, Jeremiah Grossman and Robert Hansen planned to reveal details on the exploit at the Open Web Application Security Project (OWASP) in New York City this week. However, after discovering that it also affected an Adobe product, and after working with Adobe, it was decided to hold off on revealing the details until both Adobe and browser vendors had a chance to work on fixes.
Because of that, details are sketchy, but we do know that the term “clickjacking” refers to a process by which a user is made to click on a link without his or her knowledge. The United States Computer Emergency Readiness Team (US-CERT) warned on Friday:
US-CERT is aware of public reports of a new cross-browser exploit technique called “Clickjacking.” According to one of the reports, Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page.
Grossman describes the exploit as follows:
“Think of any button on any Web site, internal or external, that you can get to appear between the browser walls. Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to.”
What’s the workaround until the browser vendors make fixes? Well, it appears the only safe way to block this type of behavior is to use the NoScript add-on with Firefox or another Mozilla-based browser (e.g., Flock). NoScript allows JavaScript, Java, Flash and other plugins and scripted content to be executed only by web sites that the user permits (whitelists).
The developer of NoScript notes that:
For 100% protection by NoScript, you need to check the “Plugins|Forbid iframe” option.
Obviously, this wouldn’t be something I would recommend to most, as it would prove tedious and confusing. However, the researchers indicated that, in addition to Adobe, they discussed this with both Microsoft and Mozilla and the two organizations independently agreed that this is a tough problem — with no easy solution yet.
Hang onto your hats, and don’t visit any questionable sites.