New Threat: 'Clickjacking'

[the stranger]

http://news.yahoo.com/s/nf/20081008/bs_nf/62355

 

Web Surfers Face Dangerous New Threat: 'Clickjacking'

 

Frederick Lane, newsfactor.com Wed Oct 8, 4:47 PM ET

 

Internet and Web browser security experts are sounding the alarm about a new type of malicious attack called "clickjacking," a technique that can be used to dupe Web surfers into revealing confidential information while clicking on seemingly innocuous Web pages. Among other things, a clickjacking attack can be used to take control of a computer's Webcam and microphone without the knowledge of the user.

 

Clickjacking has been identified as a vulnerability for the Adobe Flash player, as well as for every major browser, including Firefox, Internet Explorer, Opera, Safari and even the newly released Google Chrome.

 

"It is a very serious problem," said Giorgio Maone, the author of a widely praised free Firefox extension called NoScript, which blocks potentially malicious scripts from running in the Firefox browser.

 

"Clickjacking is a very simple attack to build, and now that the details are out, any script kid can try it successfully," Maone warned. "There's no estimate to the number of trap sites, and it's unlikely that we will see any credible report about the number of sites using this technique, because there are literally infinite ways to implement such an attack, therefore no signature-based scanning can detect it automatically."

 

Unauthorized Access to Information

 

The growing severity of the clickjacking problem was identified by Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, CTO of WhiteHat Security. The two were scheduled to speak publicly about their discovery last month at the Open Web Application Security Project NYC AppSec conference in New York, but postponed their talk in order to give Adobe and browser companies a chance to come up with a solution.

 

Reacting quickly to the announcement, Adobe released a security advisory Tuesday, describing the threat as "critical" and instructing users on how to turn off Flash access to cameras and microphones.

 

"We have just posted a Security Advisory for Flash Player," wrote David Lenoe, Adobe's security program manager, on the Adobe security blog, "in response to recently published reports of a 'clickjacking' issue in multiple Web browsers that could allow an attacker to lure a Web browser user into unknowingly clicking on a link or dialog. This potential 'clickjacking' browser issue affects Adobe Flash Player's microphone and camera access dialog." Lenoe said a patch for Flash would be ready by the end of October.

 

Unfortunately, as Hansen and other researchers have pointed out repeatedly, Flash clickjacking is only one of the variants of this problem. In a lengthy blog posting about the issue, Hansen said that "there are multiple variants of clickjacking. Some of it requires cross-domain access, some don't. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF to preload data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them."

 

A Structural Problem of the Web

 

Hansen warned that it will be challenging to come up with a comprehensive solution to prevent the clickjack threat because of the nature of the code that underlies the Internet.

 

Maone agreed. "This problem comes from features which are integral to the modern Web as we know it," he said, "and especially from the ability of Web pages to embed arbitrary content from different sites, or to host little applications (applets) through plug-ins like Adobe Flash, Java or Microsoft Silverlight."

 

Maone predicted that a general browser fix won't be developed any time soon, since the real solution lies in developing a general consensus about changing existing Web standards in the various Internet standardization groups.

 

Copyright

[Ed A.]

Don't they always blow these things out of proportion? If someone attempted to take control of the camera in my Mac, the little green light next to the camera would come on and it would be very obvious that it was in use.

[Johnny-Boy]

Yeah, I starting noticing clickjacking about a month okay. Damn, I never know where I'm going to end up after clicking. Damn, damn, damn bas-turds.

 

I'm glad I have a name for that activity now - thanks Stranger.

 

John:cop:

[Ed A.]

 

Damn, I never know where I'm going to end up after clicking. Damn, damn, damn bas-turds.

 

 

Reminds me of a web version of the Infinite Improbability Drive.

[Dean Roddey]

Wasn't there a hole (actually default setting that few people probably changed) in a version of the Sun OS back in the day, so that by default the camera was open to anyone? I bet a lot of folks saw a lot of interesting things at work until that one got taken care of. A good reason not to have a camera connected to your computer I guess.

[blue2blue]

This is being treated as a very serious -- and very broad -- threat.

 

Sadly, the days when it was only Windows users who had to worry about security threats are over; the Mac's recent success has increased it as a target for socially engineered threats and now specific zero day threats like clickjacking.

 

Here's a compendium of info on clickjacking from the fine folks at MacInTouch:

 

 

Wednesday, October 8, 2008 16:56 EDT Security Clickjacking is the latest security problem on the Web, and we have some resources and information for starting to deal with it: FAQ: Clickjacking -- should you be worried? "Think of any button on any Web site that you can get to appear between the browser walls. Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue.... The list is virtually endless, and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users' mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to." Flash Player workaround available for "Clickjacking" issue Adobe is aware of recently published reports of a 'Clickjacking' issue in multiple web browsers that could allow an attacker to lure a web browser user into unknowingly clicking on a link or dialog. It has been determined that this potential "Clickjacking" issue affects Adobe Flash Player. Adobe is working to address this issue in an upcoming update to Flash Player. Adobe works to pre-empt a 'clickjacking' security nightmare Years ago, in the effort to make Web page elements more dynamic, developers created ways to give floating frames such as

The idea of clickjacking has been around for a while -- a primitive variation was used to create MySpace pages with a background image that was one big, bad link.

 

 

BTW -- all you Google Chrome fans -- I like the new browser, too -- but it's a bit of a security nightmare w/ regard to clickjacking and other threats:

Google Chrome Browser Vulnerable to Security Flaw

Google Patches Security Vulnerabilities in Chrome

Memory exhaustion DoS vulnerability hits Google’s Chrome

Google downplays Chrome’s carpet-bombing flaw

[the stranger]

The porn spammers still do that. Those so called "friend requests" that are actually porn spam.