Results 1 to 7 of 7

Thread: Clickjacking

  1. #1
    5 Star Lounger ibe98765's Avatar
    Join Date
    Aug 2001
    Location
    Bay Area, California, USA
    Posts
    966
    Thanks
    19
    Thanked 4 Times in 4 Posts

    Clickjacking

    Very surprised that no one has mentioned this latest threat yet. It's quite serious.

    NoScript in FF has evolving protection against this.

    =============================
    Windows Secrets
    Top Story, October 16, 2008
    All browsers are vulnerable to clickjacking

    Stuart Johnston By Stuart J. Johnston

    The latest Internet threat cloaks Web links so a wayward click can download malware to your PC without your knowledge.

    What's worse, all browsers and other Web software are susceptible to clickjacking, but you can take steps to reduce the risk.

    Clickjacking allows an attacker to use one or more of several new attack scenarios to literally steal your mouse clicks. When you think you're clicking on a simple button — for example, to see the next page of an article — you may actually be giving the bad guys permission to do something entirely different, such as log on to your online checking account.

    By taking advantage of any of a growing number of recently discovered vulnerabilities in Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari, and all other Web browsers, criminals can hijack your system by intercepting clicks of what appear to be legitimate links.

    The problem doesn't stop there, however. At least some of the flaws that make clickjacking possible also show up in such popular Web tools as Adobe's Flash player and Microsoft's Silverlight streaming-media plug-in.

    "If they can control where your clicks are going, they may be able to get a user to reconfigure the system so they disable security," Ed Skoudis, a security instructor for the SANS Institute, told Windows Secrets. Skoudis is also co-founder of the security firm InGuardians.

    Full article:
    http://www.windowssecrets.com/2008/10/16/0...to-clickjacking

  2. #2
    Silver Lounger
    Join Date
    Oct 2002
    Posts
    1,993
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Clickjacking

    I was going to when I read a little about it on a Swedish IT-incident site in September, but then there were so little information. And with little information comes a situation were one cannot do or say much, and then I forgot. Good of you to mention.

    Without knowing so much about it, it initially seemed really hard to eliminate, and is; the only secure browser at the time was said to be Lynx. <img src=/S/grin.gif border=0 alt=grin width=15 height=15>

    But in the beginning as I said there were very little information coming out, it was supposed to be discussed by two researchers, (their blog posts on September 15: Robert Hansen and Jeremiah Grossman), at the NYC AppSec 2008 Conference, but it was cancelled.

    Yes, NoScript for Fx is doing a lot of development now. First, at the time, it was mentioned that it already had some sort of basic protection, if you forbid IFRAME etc.

    In the "news" some week after 15 September:
    Clickjacking: Researchers raise alert for scary new cross-browser exploit (zdnet blogs Sept 25th).
    And a follow up due to a reply from Giorgio Maone, developer/creator of NoScript:
    Firefox + NoScript vs Clickjacking (zdnet blogs Sept 25th).

    He said "NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous)" at the time.

    Then we are at around 7th October, and the sample code was circulating, exploiting Flash Player, so more details could be mentioned. Adobe was at the time working on solutions; Robert "Rsnake" Hansen again: Clickjacking Details (link mentioned in Windows Secrets).

    Adobe published a Clickjacking Security Advisory, also October 7th. And a Flash Player workaround.

    Then later came this: Flash Player update available to address security vulnerabilities, October 15, i.e. use workaround or move to ver. 10; or use workaround and wait for update to ver. 9 ("Adobe will be providing an update to Flash Player 9 for customers who cannot upgrade to Flash Player 10 in early November").

    At NoScript development really had got going, for a feature called "ClearClick" (anti-clickjacking independent from IFRAME and plugin content blocking), introduced in 1.8.2. At the time he (the developer of NoScript) wrote this: Hello ClearClick, Goodbye Clickjacking! October 8th (hackademix, the developer Giorgio Maone’s blog).

    And with all development comes small "bugs", false positives etc. I'm still on ver. 1.8.1.3 and was going to update to, say 1.8.1.9 at the time, but then came this and a lot of updates followed, so I'm waiting a bit. NoScript change log.

    For those interested in the subject and NoScript: Posts sorted under the Clickjacking Category at Giorgio Maone’s blog. In the beginning he mention other browsers as well.

    And finally some very sound comments: Rich Mogull at Securosis also discussed clickjacking around the time of the code circulating, the released proof of concept against Flash, the 7th: Clickjacking Details, Analysis, and Advice.

  3. #3
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Clickjacking

    I update NoScript upon request, so I feel a bit like an involuntary beta tester at the moment. <img src=/S/smile.gif border=0 alt=smile width=15 height=15> I think I saw one case in which making hidden objects opaque really wrecked the site, and the only way around it was to trust the site (or turn off clickjack protection globally). But otherwise, it seems to be fairly "transparent."

  4. #4
    5 Star Lounger ibe98765's Avatar
    Join Date
    Aug 2001
    Location
    Bay Area, California, USA
    Posts
    966
    Thanks
    19
    Thanked 4 Times in 4 Posts

    Re: Clickjacking

    I've turned on the clickjacking options in NoScript for both non-trusted and trusted pages (default is only non-trusted).

    ClearClick protection on pages
    Opaque embedded objects on pages

    Haven't seen any problems so far by doing so.

  5. #5
    3 Star Lounger
    Join Date
    Jan 2001
    Location
    Boulder, Colorado, USA
    Posts
    231
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Clickjacking

    I've left my NoScript clickjacking options at default. But, I think I've noticed a marked slowdown
    (and sometimes getting stuck) in Firefox when NoScript is on (not as bad when the clickjacking options are unchecked),
    and I wonder if anyone else has. I'm not sure when it started either, it's taken me a while to catch on.
    Disabling NoScript (or using Safe Mode) speeds up FF considerably, but I think even unchecking the
    clickjacking options does. Not sure what to think.
    EDIT: I should mention that the ISP I'm on gives me marginal "broadband", and that might bring on the phenomenon
    that I think I'm seeing.

  6. #6
    5 Star Lounger ibe98765's Avatar
    Join Date
    Aug 2001
    Location
    Bay Area, California, USA
    Posts
    966
    Thanks
    19
    Thanked 4 Times in 4 Posts

    Re: Clickjacking

    I don't see any slowdown at all.

    I'd suggest that you build a new profile which might help.

    Also, what version of FF are you using? If 2.x, then suggest you go to 3.x before rebuilding the profile. Moving to 3.x eliminated regular crashing problems I was having with 2.x.

  7. #7
    3 Star Lounger
    Join Date
    Jan 2001
    Location
    Boulder, Colorado, USA
    Posts
    231
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Clickjacking

    My FF is 3.0.3. As I mentioned, and should stress, the internet connection is noisy, with considerable
    lost data. I have comparisons with an essentially brand new Mac with FF, and another PC.
    I probably should study the reasons for creating a new profile anyway (keeping all the old
    files and settings, I take it).

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •