Alas, it turns out that some of the issues we found weren’t just a little bad – they were a lot bad. So bad, in fact, that we felt compelled to do some responsible disclosure. One issue led into another issue into another and poof – we have at least two and probably more incoming vendor patches at a yet to-be-determined date. And we’ve only worked with a few vendors. So… yah. It’s pretty bad.
So what is clickjacking? Essentially, the malicious web page loads external web content in a frame and hides it beneath another layer of content. When the user then interacts with the web page (clicks on links), they are actually interacting with the hidden content. With this technique, even the URL displayed in the status bar can be forged. In Grossman’s words:
“Think of any button on any Web site, internal or external, that you can get to appear between the browser walls,” Grossman said in an e-mail on Friday. “Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to.”
This problem affects all modern browsers, and browser vendors have reportedly been aware of it since 2002. Several browser plugins, such as Java, Silverlight or Flash, can also be used for clickjacking. In fact, according to experts, Flash games are probably one of the best ways to implement clickjacking. An unnamed blogger has created a proof-of-concept game that can turn your PC into a surveillance zombie by taking control of your camera and microphone.
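Because the technique depends on the target page agreeing to load inside someone else's frame, a site owner can audit which of their responses allow that. The following is an added example, not code from this post or from Grossman: it classifies a response's framing policy from the `X-Frame-Options` header and the CSP `frame-ancestors` directive, two standard response headers the post does not discuss. The function name and sample headers are constructed, and it assumes a single enforced `Content-Security-Policy` header per response.

```javascript
// Added example: classify whether a response may be rendered inside a frame.
// Returns 'deny', 'same-origin', 'allow-listed' or 'allow-any'.
function framingPolicy(headers) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  // When a policy contains frame-ancestors, browsers that support it
  // ignore X-Frame-Options, so CSP is evaluated first.
  const csp = h['content-security-policy'];
  if (csp) {
    for (const directive of csp.split(';')) {
      const parts = directive.trim().split(/\s+/);
      if (parts[0].toLowerCase() !== 'frame-ancestors') continue;
      const sources = parts.slice(1).map((s) => s.toLowerCase());
      // An empty source list matches nothing, same as 'none'.
      if (sources.length === 0) return 'deny';
      if (sources.length === 1 && sources[0] === "'none'") return 'deny';
      // '*' or a bare scheme lets effectively any site frame the page.
      if (sources.some((s) => s === '*' || /^https?:$/.test(s))) return 'allow-any';
      if (sources.every((s) => s === "'self'")) return 'same-origin';
      return 'allow-listed';
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return 'deny';
  if (xfo === 'sameorigin') return 'same-origin';
  // Missing, malformed or obsolete values (e.g. ALLOW-FROM) give no
  // protection in current browsers, so report the page as frameable.
  return 'allow-any';
}

// Constructed sample responses for a quick audit run.
const samples = {
  '/transfer': { 'X-Frame-Options': 'DENY' },
  '/queue': { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  '/vote': { 'Content-Type': 'text/html' },
};
for (const [path, headers] of Object.entries(samples)) {
  console.log(path, framingPolicy(headers));
}
```

Any state-changing page that comes back as `allow-any` can be loaded invisibly under a decoy layer exactly as described above.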