Fixes Released (and More Promised) For "Clickjacking" Exploits
An anonymous reader writes "As discussed previously on Slashdot, concern has been raised over a class of 'clickjacking' vulnerabilities which affect all major Web browsers. These exploits allow an attacker to place invisible or seemingly legit objects on a Web page that perform undesired actions when a user clicks on them. In recent developments, 'Guya' posted a scary proof-of-concept that hijacks Adobe Flash Player to spy on users with a webcam and/or microphone. In response, Adobe released an advisory with a temporary workaround, and stated that a future Player update will address the exploit. This prompted the original disclosers of the vulnerabilities to post a summary of the exploits. Additionally, Giorgio Maone, creator of the popular NoScript extension for Firefox and other Gecko-based browsers, released version 1.8.2.1 of NoScript, which adds 'ClearClick,' a feature that intercepts clicks made on invisible or otherwise obscured elements on a page. Although issues remain, there seems to be progress in addressing these security problems."
Re:Has... (Score:3, Informative)
Anyone actually seen a POC of clickjacking? I know I haven't...
Yes. I've run across it on GCW, MSNBC and Wowhead through third-party advertisers. It's already in the wild; the only thing that stopped it was NoScript.
Re:Why does flash (Score:1, Informative)
People use it here for American Sign Language work. They sign into the webpage, it turns on the cam, they sign it up, and it's stored on the server for their instructor or collaborator to view/grade/whatever.
Re:Has... (Score:5, Informative)
Just because I had to hunt for the image:
http://bay01.imagebay.com/bay.php?view=61388_poshijack.jpg
Re:Are they saying this end-of-the-internet threat (Score:4, Informative)
Any form of invisible link, invisible button, link or button in an iframe, getURL() call in Flash, or JavaScript handler for any normally non-clickable item that makes you go somewhere, yeah.
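The comment above lists the shapes a clickjacking decoy takes; the story summary describes NoScript's ClearClick as intercepting clicks on invisible or obscured elements. The snippet below is an added illustration of the check such a guard has to make, written for this thread and not code from NoScript, Adobe, or the original disclosers. It uses a constructed, flat model of a page (element id, box, z-order, opacity, hittable flag) instead of a live DOM: the browser delivers a click to the topmost hittable element under the pointer regardless of its opacity, while the user only perceives the topmost element that is actually rendered. When those two differ, the click is being hijacked. The `minOpacity` threshold and the element fields are assumptions of this model.

```javascript
// Added example: ClearClick-style click classification over a modelled page.
// Not the NoScript implementation; a simplified, self-contained version of the idea.
//
// Element model (constructed for this example):
//   id       - name used in verdicts
//   x,y,w,h  - bounding box in page pixels
//   z        - stacking order, higher is on top
//   opacity  - computed CSS opacity, 0..1 (does NOT affect hit testing in browsers)
//   hittable - false for display:none / visibility:hidden / pointer-events:none,
//              which DO remove an element from hit testing

function contains(el, px, py) {
  return px >= el.x && px < el.x + el.w && py >= el.y && py < el.y + el.h;
}

function topmost(candidates) {
  return candidates.slice().sort((a, b) => b.z - a.z)[0] || null;
}

// What the browser will deliver the click to: the highest-stacked hittable
// element under the pointer. A fully transparent iframe or button qualifies.
function hitTarget(elements, px, py) {
  return topmost(elements.filter(el => el.hittable && contains(el, px, py)));
}

// What the user sees under the pointer: the highest-stacked element that is
// both hittable and rendered with opacity at or above the threshold.
function visibleTarget(elements, px, py, minOpacity = 0.2) {
  return topmost(elements.filter(
    el => el.hittable && el.opacity >= minOpacity && contains(el, px, py)));
}

// Classify a click: 'none' (nothing there), 'ok' (the element the user sees is
// the one that receives the click), or 'obscured' (a different, near-invisible
// element will receive it). An 'obscured' verdict is where a guard would hold
// the click and ask the user to confirm what they are actually clicking.
function classifyClick(elements, px, py, minOpacity = 0.2) {
  const hit = hitTarget(elements, px, py);
  if (!hit) return { verdict: 'none', hit: null, seen: null };
  const seen = visibleTarget(elements, px, py, minOpacity);
  if (seen && seen.id === hit.id) return { verdict: 'ok', hit: hit.id, seen: seen.id };
  return { verdict: 'obscured', hit: hit.id, seen: seen ? seen.id : null };
}

// Constructed sample page: a visible decoy button with a transparent frame
// stacked over it (the classic overlay described in the story), plus an
// ordinary visible link elsewhere on the page.
const samplePage = [
  { id: 'decoy-button', x: 0,   y: 0,  w: 200, h: 50,  z: 1,  opacity: 1, hittable: true },
  { id: 'hidden-frame', x: 0,   y: 0,  w: 300, h: 100, z: 10, opacity: 0, hittable: true },
  { id: 'normal-link',  x: 400, y: 0,  w: 100, h: 20,  z: 1,  opacity: 1, hittable: true },
  // A hidden element that is not hittable at all (display:none) is ignored.
  { id: 'display-none', x: 400, y: 0,  w: 100, h: 20,  z: 50, opacity: 1, hittable: false },
];

// Usage: run the three cases and return the verdicts for inspection.
function demo(page = samplePage) {
  return {
    overlay: classifyClick(page, 50, 25),   // click on the decoy: 'obscured'
    normal:  classifyClick(page, 450, 10),  // click on the plain link: 'ok'
    empty:   classifyClick(page, 900, 900), // click on nothing: 'none'
  };
}

module.exports = { classifyClick, hitTarget, visibleTarget, samplePage, demo };
```

The model deliberately treats opacity and hittability as separate properties, because that distinction is the whole trick: CSS `opacity:0` keeps an element in the hit-testing path while removing it from what the user perceives. A browser-side guard has to reconstruct "what was visible at the click point" independently of what the event target reports.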
Re:NoScript (Score:4, Informative)
Apparently, feature suggestions should be posted to this forum: http://forums.mozillazine.org/viewtopic.php?t=826005
'temporarily allow site in tab' and 'temporarily allow all in tab' are features I'd suggest, but I'm too lazy to sign up for a forum and post there.
Being specific to a single tab would be nice; it might add to the size of the engine, but again it would make annoying broken ad-supported sites like Pogo that require 26 separate sites to be 'allowed' to properly load a web game... No, I don't play Pogo, but I disabled NoScript from one of my parents' computers so she could use Pogo. I checked to see if I could just add to the whitelist, but that basically defeated the point of a whitelist, so it was disabled.
On Windows it's no big deal; she uses IE, and I use Firefox, but on their Linux system, which she rarely uses, except when there are issues with the other computer... well, it has to stay set so she can play Pogo on it if needed.