Fixes Released (and More Promised) For "Clickjacking" Exploits 70
An anonymous reader writes "As discussed previously on Slashdot, concern has been raised over a class of 'clickjacking' vulnerabilities which affect all major Web browsers. These exploits allow an attacker to place invisible or seemingly legit objects on a Web page that perform undesired actions when a user clicks on them. In recent developments, 'Guya' posted a scary proof-of-concept that hijacks Adobe Flash Player to spy on users with a webcam and/or microphone. In response, Adobe released an advisory with a temporary workaround, and stated that a future Player update will address the exploit. This prompted the original disclosers of the vulnerabilities to post a summary of the exploits. Additionally, Giorgio Maone, creator of the popular NoScript extension for Firefox and other Gecko-based browsers, released version 1.8.2.1 of NoScript, which adds 'ClearClick,' a feature that intercepts clicks made on invisible or otherwise obscured elements on a page. Although issues remain, there seems to be progress in addressing these security problems."
Re:Has... (Score:2, Insightful)
But that's the user clicking on a visible item, simply embedded in the page. It's misleading, sure! But it's not the same as having a user click anywhere and it hitting an invisible item that does something completely unrelated to whatever's displayed.
Are they saying this end-of-the-internet threat... (Score:3, Insightful)
Are they really saying this newly-uncovered, ultra-hyped, horrible, end-of-the-internet, cross-browser, gotta-fix-the-world-but-it's-SO-hard, threat... ... was INVISIBLE BUTTONS?
Re:How is this new? (Score:3, Insightful)
This attack makes it possible for third parties to trick you into performing actions on third-party sites, by overlaying them invisibly on something you think you want to click. An attacker could overlay a seemingly innocuous game, for instance, with an administrative panel from a common website. The settings panel would be invisible (zero or low alpha), but still would receive mouse clicks. When the "game" asks you to click two seemingly random points, you're actually clicking the "Delete my account" checkbox and "Continue" button, for instance.
Off the top of my head, it's not a world-ender, just another problem like XSS or XSRF to be vigilant against. Possible solutions (from the top of my head) would be for sensitive form pages to have a framebusting script (although this doesn't help if JS is off), and require a password or CAPTCHA (a password could be phished around, but a CAPTCHA could work, since the fake site still has no actual way to read or write the legit site).
Re:How is this new? (Score:3, Insightful)
When the "game" asks you to click two seemingly random points,
s/random/arbitrary/