Fixes Released (and More Promised) For "Clickjacking" Exploits

Posted by timothy on Thursday October 09, @05:04PM
from the no-death-penalty-for-online-jerks dept.
An anonymous reader writes "As discussed previously on Slashdot, concern has been raised over a class of 'clickjacking' vulnerabilities which affect all major Web browsers. These exploits allow an attacker to place invisible or seemingly legit objects on a Web page that perform undesired actions when a user clicks on them. In recent developments, 'Guya' posted a scary proof-of-concept that hijacks Adobe Flash Player to spy on users with a webcam and/or microphone. In response, Adobe released an advisory with a temporary workaround, and stated that a future Player update will address the exploit. This prompted the original disclosers of the vulnerabilities to post a summary of the exploits. Additionally, Giorgio Maone, creator of the popular NoScript extension for Firefox and other Gecko-based browsers, released version 1.8.2.1 of NoScript, which adds 'ClearClick,' a feature that intercepts clicks made on invisible or otherwise obscured elements on a page. Although issues remain, there seems to be progress in addressing these security problems."

Related Stories

Alarm Raised For "Clickjacking" Browser Exploit
Shipment Date writes "ZDNet's Zero Day blog has some new information on what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP conference but was nixed at the last minute at the request of affected vendors. From the article: 'In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'"
  • I've solved this problem by removing my mouse from the computer. Now I never click anything malicious! Or anything at all... It's all wonderfully frustrating.
  • Help (Score:5, Funny)

    by conner_bw (120497) on Thursday October 09, @05:24PM (#25320757)

    Dear internet, I'm trying to give this article a "thumbs up" but now my browser is filming me nude? This isn't what I had in mind when I signed up for web 2.0.

    • It's a .0 release. Haven't you learned anything from all the linux threads here?

      • Your mother must be so proud

        Yes, she is. Some people aren't prudes and understand humor when they see it.

        Of course, me being nude on Slashdot not offending you in the first place kind of makes me question your understanding of reality.

  • ..even have a facility for the webcam and mic anyways?

  • Not only am I an exhibitionist, I'm also unbelievably ugly! You won't be 'clickjacking' to my warped, drooling countenance!

  • I was under the impression that Flash runs with full privileges and can basically do anything if you have the plugin installed. Is this not the case?
  • NoScript (Score:5, Interesting)

    by HTH NE1 (675604) on Thursday October 09, @05:57PM (#25321179)

    Now if only NoScript, when I choose (for example) "Temporarily allow doubleclick.net", granted that allowance only on the page I'm viewing and its descendants and not in every open tab in every window to every site their scripts are on!

    • Re:NoScript (Score:4, Informative)

      by kesuki (321456) on Thursday October 09, @07:39PM (#25322329)

      Apparently, feature suggestions should be posted to this forum: http://forums.mozillazine.org/viewtopic.php?t=826005

      'Temporarily allow site in tab' and 'temporarily allow all in tab' are features I'd suggest, but I'm too lazy to sign up for a forum and post there.

      Being specific to a single tab would be nice. It might add to the size of the engine, but again it would make annoying broken ad-supported sites like pogo, which require 26 separate sites to be 'allowed' to properly load a webgame... No, I don't play pogo, but I disabled NoScript on one of my parents' computers so she could use pogo. I checked to see if I could just add to the whitelist, but that basically defeated the point of a whitelist, so it was disabled.

      On Windows it's no big deal, she uses IE and I use Firefox, but on their Linux system, which she rarely uses, except when there are issues with the other computer... well, it has to stay set so she can play pogo on it if needed.

  • Are they really saying this newly-uncovered, ultra-hyped, horrible, end-of-the-internet, cross-browser, gotta-fix-the-world-but-it's-SO-hard, threat... ... was INVISIBLE BUTTONS?

  • It's always kind of creeped me out that Flash even gives applets access to the microphone and webcam, and I never enable those capabilities in the program.

    Yes, I understand the point of it, I just think it's creepy.

    • It's always kind of creeped me out that Flash even gives applets access to the microphone

      Definitely creepy. One time I visited a page with a Flash-based advertisement from (apparently) a French company. When my mouse cursor inadvertently moved over the Flash applet, some kind of contact was made with the company. This French guy was screaming into his microphone "'ello?? 'ELLOO??". And he obviously saw through my cam because he continued: "Bonjour, sire! Whas arr yous eatingue?" just when I was shoving a sandwich in my pie-hole.

    • Re: (Score:3, Interesting)

      Well, an example is the "Get Add-on" link on the NoScript website: clicking it causes an iframed link from Mozilla's add-on page to be "clicked" instead.

      Clickjacking's new in terminology only.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        But that's the user clicking on a visible item, simply embedded in the page. It's misleading, sure! But it's not the same as having a user click anywhere and it hitting an invisible item that does something completely unrelated to whatever's displayed.

        • Re:Has... (Score:4, Funny)

          by Anonymous Coward on Thursday October 09, @05:31PM (#25320875)

          I was describing this article to my boss, and here is what he said to me verbatim. My Emp. added.

          So, should I be afraid of my web browser clickjacking me off of my normally visited websites to some spyware?

    • Re: (Score:3, Informative)

      Anyone actually seen a POC of clickjacking? I know I haven't...

      Yes. I've run across it on GCW, MSNBC and Wowhead through third-party advertisers. It's already in the wild; the only thing that stopped it was NoScript.

    • Well, there's a POC linked in TFA. I tried it. It looked like it was going to work but NoScript warned me about it. Pretty cool.

      NoScript is my friend.

    • Click the proof-of-concept link in the article summary.
    • Re: (Score:3, Interesting)

      I have the Flash plugin, but I also run FlashBlock. It's awesome. No crappy flashy anything unless I actually want it, and then it's only a few mouseclicks away. That plus NoScript meant it took me about half a dozen clicks before I had both the permission and the ability to run the clickjacking demo. I feel pretty safe with Firefox.
    • Let me get this straight: You recommend:

      i.e. for banking.

      and you expect us to trust you with security advice? Please!

    • Re: (Score:3, Insightful)

      This attack makes it possible for third parties to trick you into performing actions on third-party sites, by overlaying them invisibly on something you think you want to click. An attacker could overlay a seemingly innocuous game, for instance, with an administrative panel from a common website. The settings panel would be invisible (zero or low alpha), but still would receive mouse clicks. When the "game" asks you to click two seemingly random points, you're actually clicking the "Delete my account" check

      • Re: (Score:3, Insightful)

        When the "game" asks you to click two seemingly random points,

        s/random/arbitrary/
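The attack described in the thread above depends on the target site being loaded inside a transparent frame on the attacker's page. The following is an added example, not code from the Slashdot post, NoScript or Adobe: a site-side frame-busting guard, the complement to a click-side guard like NoScript's ClearClick. Function names are hypothetical, and `win`/`doc` are passed in as window-like objects so the logic can be exercised outside a browser.

```javascript
// Added defensive example (hypothetical helper names). Decides whether the
// current document is top-level, framed by its own origin, or framed by some
// other origin, which is the configuration a clickjacking page relies on.
function framingState(win) {
  // A top-level document cannot be overlaid by a hostile parent page.
  if (win.top === win.self) return "top-level";
  try {
    // Same-origin parents expose their location; a cross-origin parent
    // throws a SecurityError on this read under the same-origin policy.
    const parentOrigin = win.top.location.origin;
    return parentOrigin === win.location.origin
      ? "same-origin-frame"
      : "cross-origin-frame";
  } catch (e) {
    return "cross-origin-frame";
  }
}

// Hides the page's real UI while framed by another origin (so there is
// nothing for an invisible-overlay click to land on) and tries to break out
// of the frame. Returns true when the page is safe to render.
function applyFrameBusting(doc, win) {
  if (framingState(win) === "cross-origin-frame") {
    doc.body.style.display = "none";
    try {
      // Navigating the top window is permitted even cross-origin.
      win.top.location = win.self.location.href;
    } catch (e) {
      // A hostile parent may block this; the UI stays hidden regardless.
    }
    return false;
  }
  doc.body.style.display = "";
  return true;
}

// Runs at load time in a real browser; a no-op when run outside one.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  applyFrameBusting(document, window);
}
```

Script-based frame-busting is a partial mitigation that a hostile parent page can sometimes suppress, so treat it as defence in depth alongside a click-side guard such as ClearClick rather than as a complete fix.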