Clickjacking – Scary New Cross Browser Exploit

Last month, Jeremiah Grossman and Robert “RSnake” Hansen brought to the world’s attention a scary new cross-browser exploit termed clickjacking. In their own words:

Alas, it turns out that some of the issues we found weren’t just a little bad – they were a lot bad. So bad, in fact, that we felt compelled to do some responsible disclosure. One issue led into another issue into another and poof – we have at least two and probably more incoming vendor patches at a yet to-be-determined date. And we’ve only worked with a few vendors. So… yah. It’s pretty bad.

So what is clickjacking? Essentially, a malicious web page loads external web content in a frame and hides it beneath another layer of content. When the user interacts with the page (for example, by clicking links), they are actually interacting with the hidden content. With this technique, even the URL displayed in the status bar can be forged. In Grossman’s words:

“Think of any button on any Web site, internal or external, that you can get to appear between the browser walls,” Grossman said in an e-mail on Friday. “Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to.”

This problem affects all modern browsers, and browser vendors have reportedly been aware of it since 2002. Several browser plugins, like Java, Silverlight or Flash, can also be used for clickjacking. In fact, according to experts, Flash games are probably one of the best ways to implement clickjacking. An unnamed blogger has created a proof-of-concept game that can turn your PC into a surveillance zombie by taking over control of your camera and microphone.

What makes this exploit scarier is that there appears to be no easy solution. According to the researchers, a browser-based fix won’t come anytime soon, since it would require a major overhaul. Standard methods like disabling JavaScript won’t help either, since clickjacking can be carried out without JavaScript; DHTML and an iframe are sufficient. The only reasonable solution at the moment is to use Firefox with the NoScript extension, since specific anti-clickjacking countermeasures are included in the latest version (1.8.2) of NoScript. Opera users need to disable Java, JavaScript and all plugins from Preferences -> Advanced -> Content, then use Site Preferences to enable plugins and JavaScript on a per-site basis. You also need to disable iframes by typing opera:config in your address bar and unchecking “IFrames” under the “Extensions” section. For details on stopping clickjacking in Internet Explorer, Chrome, Safari and Opera, check out this page.
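
Site owners have a server-side control that this post does not cover: the X-Frame-Options response header and the CSP frame-ancestors directive tell the browser whether a page may be rendered inside a frame. The following added example (not from the original post; the function names and sample responses are constructed) classifies a response by those headers and lists the pages that any third-party site could still frame.

```javascript
// Added example. X-Frame-Options and CSP frame-ancestors are real headers;
// framingPolicy, frameablePages and the sample responses are constructed.
function framingPolicy(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value); // header names are case-insensitive
  }

  // An enforced CSP frame-ancestors directive takes precedence over
  // X-Frame-Options. Report-Only policies are not enforced, so skip them.
  for (const directive of (h['content-security-policy'] || '').split(';')) {
    const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
    if (name !== 'frame-ancestors') continue;
    // An empty source list matches nothing, same as 'none'.
    if (sources.length === 0 || sources.join() === "'none'") return 'blocked';
    // "*" or a bare scheme such as "https:" lets any site frame the page.
    if (sources.some((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s))) {
      return 'unprotected';
    }
    return sources.every((s) => s === "'self'") ? 'same-origin' : 'allowlist';
  }

  const xfo = new Set((h['x-frame-options'] || '').split(',')
    .map((v) => v.trim().toLowerCase()).filter(Boolean));
  const known = ['deny', 'sameorigin', 'allowall'].some((v) => xfo.has(v));
  if (xfo.size > 1 && known) return 'blocked'; // conflicting values fail closed
  if (xfo.has('deny')) return 'blocked';
  if (xfo.has('sameorigin')) return 'same-origin';
  return 'unprotected'; // header absent, invalid, or obsolete ALLOW-FROM
}

// Pages that any third-party site could load in a frame.
function frameablePages(responses) {
  return responses
    .filter((r) => framingPolicy(r.headers) === 'unprotected')
    .map((r) => r.url);
}

// Constructed sample responses, not captured from any real site.
const samples = [
  { url: 'https://bank.example/transfer', headers: {} },
  { url: 'https://bank.example/login', headers: { 'X-Frame-Options': 'DENY' } },
  { url: 'https://bank.example/help',
    headers: { 'x-frame-options': 'ALLOW-FROM https://partner.example' } },
  { url: 'https://bank.example/widget',
    headers: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy':
      "default-src 'self'; frame-ancestors 'self' https://partner.example" } },
];
console.log(frameablePages(samples));
```

The `allowlist` result for the widget page shows frame-ancestors overriding the stricter X-Frame-Options value sent alongside it, which is worth checking whenever both headers are present.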


One Response to Clickjacking – Scary New Cross Browser Exploit

  1. Gaurish Sharma October 8, 2008 at 11:25 pm #

    Firefox + Noscript = World’s Safest Browser
