HitChrome The Browser And Gadget Wars

    Oct 8

    Clickjacking, The New Threat For Web Surfers

    Filed under: Internet

    If you think your computer is attack-proof merely because you have the latest licensed antivirus software, it is time to worry. Clickjacking, a new browser vulnerability, has come to light and has caused considerable anxiety among security researchers.

    The worrying fact is that none of the popular browsers, including the newly launched Google Chrome as well as Internet Explorer, Firefox, Safari and Opera, is free from this exploit. The only browser reported to be immune to this attack is the lesser-known Lynx, which incidentally is a text-only browser.

    A security advisory issued by Adobe with regard to its Flash Player states that it could be used in clickjacking attacks, including attacks that hijack webcams. Clickjacking enables an attacker to force a user to click on an invisible link, obviously without the user's knowledge or consent. Once the user unknowingly clicks the link, the attacker takes control.

    When you think you are clicking on your bank's funds-transfer link, saving a favourite link at Digg, or using a Facebook application, the reality could be entirely different, and dark.

    So if you haven’t heard of it, it looks like a variant of the clickjacking vulnerability was outed before RSnake and Jeremiah Grossman could present it publicly. According to the security experts who reported the vulnerability, an attack can invisibly hover these virtual buttons beneath the user’s mouse, so that when users click on something they can see, they are actually clicking on something else the attacker wants them to.

    Clickjacking gives an attacker the ability to trick a user into clicking on something that is only barely or momentarily noticeable. Therefore, when users click on a web page, they may actually be clicking on content from another page.

    Using a frame-buster script will protect a page against cross-domain framing. However, even a frame-buster script will not prevent the attack if the attack is hosted on a site the user is visiting.
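    As an added example (not code from the original post), here is the kind of frame-buster check referred to above, written so that it runs in a page and can also be exercised against a hand-built window-like object. It also returns the response headers (X-Frame-Options and CSP frame-ancestors) that later browsers honour as a server-side defence, which goes beyond what the post describes; the window-like object shape and the fallback of hiding the page body are assumptions.

```javascript
// Frame-busting defence against clickjacking (added example, not the post's own code).
// Precondition for the overlay attack described above: the victim page is
// loaded inside a frame on the attacker's page, so we detect that condition.

// Decide whether a window object is being rendered inside a frame.
// `win` is any object exposing self/top like a browser window (assumed shape).
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    // Reading win.top can throw for a cross-origin frame; treat a throw as framed.
    return true;
  }
}

// Classic frame-buster: if framed, navigate the top window to our own URL.
// Returns the action taken so callers (and tests) can inspect it.
function frameBust(win) {
  if (!isFramed(win)) return 'not-framed';
  try {
    win.top.location = win.self.location.href;
    return 'busted';
  } catch (e) {
    // If the top window refuses the navigation, fall back to hiding our content
    // so there is nothing under the attacker's invisible overlay to click.
    win.document.body.style.display = 'none';
    return 'hidden';
  }
}

// Server-side companion: headers telling the browser not to frame the page at all.
// Unlike the script, this does not rely on JavaScript running in the framed page.
function frameDefenceHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Run the check when loaded in a real browser page.
if (typeof window !== 'undefined') frameBust(window);
```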

    According to reports, the vulnerability is expected to be so widespread that almost everyone could be affected by it: attackers can potentially get users to click a button (hence the name clickjacking) even where they could not make them click a button through JavaScript.

    There is, however, no viable foolproof defence against clickjacking at this time; users have been advised to use browsers with the NoScript add-on installed wherever possible. While this is not the solution, the researchers said it will work in almost all such cases until a more permanent patch is found to plug the vulnerability.

    Since I am not a developer, I don’t want to go any further than that; if I hear anything, I will post an update. In the meantime, if you have any news, please leave a comment and have your say.

14 Responses to “Clickjacking, The New Threat For Web Surfers”

  1. Nice and informative article…

  2. Shit, I am going to get jacked up,
    Clickjacked up :P

  3. Interesting concept. Since this is a Flash issue, I believe that using FlashBlock https://addons.mozilla.org/en-US/firefox/addon/433 with Firefox would block it, since the hidden Flash button would not load.

    Just tested that with the proof-of-concept from ZDNet. It doesn’t. That’s just wrong. Thanks for the warning.

  4. http://www.adobe.com/support/security/advisories/apsa08-08.html

    Found the advisory if you are interested. Adobe states that changing settings will protect you, but I’m not sure. I thought I would share just in case.

  5. This sounds fake and ill researched. In what way does the attacker redirect you to a url leading to the “invisible link”? Why require you to click anything. It is my understanding that anymore people have significantly superior ways of phishing your information than “clickjacking”. Where do you get your information?

  6. Never seen popup-like banners? If you click on the “X” to close one, for example, that could be the invisible link…

  7. Why exactly is the poster for that crappy fauxhacker movie up there at the top of the article?
    That alone makes me less likely to believe in this ‘clickjacking’.

  8. Hi Joseph,

    Thanks for your comment and sharing some useful information.

    Take care and cheers

  9. I’m sorry but this article is so poorly written, I’ve got nary a clue about what the article means.

    It would be nice to see a re-write so we all could understand what this is about.

    Thanks.

    George

  10. Dwayne from Probably Sucks Blog

    This sounds like something I could use for some Blackhat SEO, yes. I wonder how long it’ll take Adobe to fix this issue.

  11. Hi George,

    No one else seems to think this article is poorly written, or that they don’t understand what this article is all about. It is pretty well linked and should be able to give you the answers you are looking for. Surely you don’t expect a part of Wikipedia here. Thanks for your comment anyway.

    Take care and cheers,

  12. @ Y-aji. Where do I get this information? You might like to check the links in the article and you probably will get your answer. Thanks for your visit and comment.

    Take care and cheers.

  13. @ Jay. Y

  14. @ Jay. You may not like the poster on top there, but it is suggested you take clickjacking a little seriously.

    Take care and cheers
