
Fixes Released (and More Promised) For "Clickjacking" Exploits

Posted by timothy
from the no-death-penalty-for-online-jerks dept.
An anonymous reader writes "As discussed previously on Slashdot, concern has been raised over a class of 'clickjacking' vulnerabilities which affect all major Web browsers. These exploits allow an attacker to place invisible or seemingly legit objects on a Web page that perform undesired actions when a user clicks on them. In recent developments, 'Guya' posted a scary proof-of-concept that hijacks Adobe Flash Player to spy on users with a webcam and/or microphone. In response, Adobe released an advisory with a temporary workaround, and stated that a future Player update will address the exploit. This prompted the original disclosers of the vulnerabilities to post a summary of the exploits. Additionally, Giorgio Maone, creator of the popular NoScript extension for Firefox and other Gecko-based browsers, released version 1.8.2.1 of NoScript, which adds 'ClearClick,' a feature that intercepts clicks made on invisible or otherwise obscured elements on a page. Although issues remain, there seems to be progress in addressing these security problems."
  • I've solved this problem by removing my mouse from the computer. Now I never click anything malicious! Or anything at all... It's all wonderfully frustrating.
  • This stuff is why I use NoScript and haven't even installed the Flash plugin addon to Firefox. If I REALLY want to view something in flash and I trust the content provider, I'll fire up IETab.

    Not perfect, but a far sight safer than Joe Q. User.

    • Re: (Score:3, Interesting)

      by plover (150551) *
      I have the Flash plugin, but I also run FlashBlock [mozdev.org]. It's awesome. No crappy flashy anything unless I actually want it, and then it's only a few mouseclicks away. That plus NoScript [noscript.net] meant it took me about half a dozen clicks before I had both the permission and the ability to run the clickjacking demo. I feel pretty safe with Firefox.
      • by id (11164)

        That would be great if flashblock itself wasn't susceptible to clickjacking...

    • Why not just use flashblock for firefox instead of firing up IE? You can enable/disable individual flash objects on the fly with flashblock.

      In IE you have to let everything load, which is less secure. If the page is full of flash adverts it'll also consume more CPU cycles.
  • Help (Score:5, Funny)

    by conner_bw (120497) on Thursday October 09, 2008 @05:24PM (#25320757) Homepage Journal

    Dear internet, I'm trying to give this article a "thumbs up" but now my browser is filming me nude? This isn't what I had in mind when I signed up for web 2.0.

    • by Loopy (41728)

      It's a .0 release. Haven't you learned anything from all the linux threads here?

  • Like I need yet another NoScript update this week.
    • by Ant P. (974313)

      Normally I wouldn't mind being told to update every 24 hours, but the way NoScript does it is completely fucking retarded.
      What's the use of Firefox having a "show more information" button in the addon manager when all it displays is a URL to an ad-filled page with a 2 line changelog? And to rub it in, the info box isn't a real textarea so you can't just copy and paste the link.

  • ..even have a facility for the webcam and mic anyways?

    • Re: (Score:1, Informative)

      by Anonymous Coward

      People use it here for American Sign Language work. They sign into the webpage, it turns on the cam, they sign it up, and it's stored on the server for their instructor or collaborator to view/grade/whatever.

    • by marxmarv (30295)

      Because all technological advancement is driven by adult media?

    • my friend used it in his interactive media class to simulate the vision of dogs. you run the flash application and it filters the cam feed to only display the visual spectrum dogs are capable of seeing.

      i don't think there's anything inherently wrong with giving flash access to webcam/mic. it creates opportunities for a lot of useful web apps. however, i do think that flash browser plugins need to warn users and have them confirm that they actually want to turn on their webcam/mic.

  • Not only am I an exhibitionist, I'm also unbelievably ugly! You won't be 'clickjacking' to my warped, drooling countenance!

    • Re: (Score:1, Funny)

      by Anonymous Coward

      Goddamnit, mom! I thought I told you not to post on the same websites as me? And don't think I haven't seen you on adultfriendfinder either.

  • I was under the impression that Flash runs with full privileges and can basically do anything if you have the plugin installed. Is this not the case?
    • by argent (18001)

      The plugin runs with full privileges.

      The scripts (in Actionscript, a version of ECMAscript (nee Javascript)) run in a sandbox.

  • NoScript (Score:5, Interesting)

    by HTH NE1 (675604) on Thursday October 09, 2008 @05:57PM (#25321179)

    Now if only NoScript, when I choose (for example) "Temporarily allow doubleclick.net", granted that allowance only on the page I'm viewing and its descendants and not in every open tab in every window to every site their scripts are on!

    • Re:NoScript (Score:4, Informative)

      by kesuki (321456) on Thursday October 09, 2008 @07:39PM (#25322329) Journal

      apparently, feature suggestions should be posted to this forum http://forums.mozillazine.org/viewtopic.php?t=826005 [mozillazine.org]

      'temporarily allow site in tab' and 'temporarily allow all in tab' are features i'd suggest, but i'm too lazy to sign up for a forum and post there.

      being specific to a single tab would be nice, it might add to the size of the engine, but again it would make annoying broken ad supported sites like pogo that require 26 separate sites to be 'allow' to properly load a webgame... no, i don't play pogo, but i disabled noscript from one of my parents computers so she could use pogo. I checked to see if i could just add to the white list, but that basically defeated the point of a white list, so it was disabled.

      on windows it's no big deal, she uses ie, and i use firefox, but on their linux system, which she rarely uses, except when there are issues with the other computer... well, it has to stay set so she can play pogo on it if needed.

  • by Ungrounded Lightning (62228) on Thursday October 09, 2008 @06:50PM (#25321787) Journal

    Are they really saying this newly-uncovered, ultra-hyped, horrible, end-of-the-internet, cross-browser, gotta-fix-the-world-but-it's-SO-hard, threat... ... was INVISIBLE BUTTONS?

  • It's always kind of creeped me out that Flash even gives applets access to the microphone and webcam, and I never enable those capabilities in the program.

    Yes, I understand the point of it, I just think it's creepy.

    • by cerberusss (660701) on Friday October 10, 2008 @01:44AM (#25324617) Homepage Journal

      It's always kind of creeped me out that Flash even gives applets access to the microphone

      Definitely creepy. One time I visited a page with a Flash-based advertisement from (apparently) a French company. When my mouse cursor inadvertently moved over the Flash applet, some kind of contact was made with the company. This French guy was screaming into his microphone "'ello?? 'ELLOO??". And he obviously saw through my cam because he continued: "Bonjour, sire! Whas arr yous eatingue?" just when I was shoving a sandwich in my pie-hole.

  • In the case of iframes abuse, wouldn't it make sense for browsers to refuse to allow iframes to show pages which include some sort of "no_remote_display" tag? So if your page has a form which could potentially be abused, add the tag and browsers which recognise it will only show the page in its entirety, and not as part of another page or from another domain?

    I realise that this may well be far too simplistic and people will probably point out a dozen reasons why it won't work and would break all sorts of t
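
The last comment proposes a page-level opt-out of being framed. As an added example (not part of the thread or of any commenter's post), the sketch below models how a browser can enforce such an opt-out with the `X-Frame-Options` and CSP `frame-ancestors` response headers, neither of which is mentioned on this page. The URLs and header values are constructed samples, and the model checks only the immediate parent frame.

```javascript
// Added example: decide whether a response may be rendered in a frame.
// Simplified model: checks only the immediate parent, and understands only
// 'self', 'none', '*' and full-origin sources in frame-ancestors.
function originOf(url) {
  return new URL(url).origin;
}

// Return the frame-ancestors source list from a CSP header, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

// headers: response headers of the framed page; pageUrl: the framed page;
// parentUrl: the page trying to embed it.
function mayFrame(headers, pageUrl, parentUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const self = originOf(pageUrl);
  const parent = originOf(parentUrl);

  const sources = frameAncestors(h['content-security-policy']);
  if (sources !== null) {
    // When frame-ancestors is present it replaces X-Frame-Options.
    return sources.some((s) => {
      if (s === '*') return true;
      if (s.toLowerCase() === "'self'") return parent === self;
      try { return originOf(s) === parent; } catch { return false; }
    });
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parent === self;
  return true; // no framing policy: any page may embed this one
}

// Constructed sample values.
const BANK = 'https://bank.example/transfer';
const OTHER = 'https://other.example/game';
console.log(mayFrame({}, BANK, OTHER));                                  // true
console.log(mayFrame({ 'X-Frame-Options': 'SAMEORIGIN' }, BANK, OTHER)); // false
```

A response with no framing header is embeddable by any origin, which is the default the comment is asking browsers to let a page override.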
