Slashdot Mirror


Alarm Raised For "Clickjacking" Browser Exploit

Shipment Date writes "ZDNet's Zero Day blog has some new information on what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP conference but was nixed at the last minute at the request of affected vendors. From the article: 'In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'"

5 of 308 comments

  1. Summary wrong by mazarin5 · · Score: 5, Informative

    The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'

    The quote from the article says you can protect yourself by disabling scripting:

    In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now.

    --
    Fnord.
    1. Re:Summary wrong by jesser · · Score: 5, Informative

      The zdnet article is pretty vague, but I think it refers to the problem detailed in this message from Michal Zalewski:

      "A malicious page in domain A may create an IFRAME pointing to an application in domain B, to which the user is currently authenticated with cookies. The top-level page may then cover portions of the IFRAME with other visual elements to seamlessly hide everything but a single UI button in domain B, such as 'delete all items', 'click to add Bob as a friend', etc. It may then provide own, misleading UI that implies that the button serves a different purpose and is a part of site A, inviting the user to click it."

      Disabling JavaScript won't prevent the attack. It will break some mitigations, though!

      --
      The shareholder is always right.
    2. Re:Summary wrong by kesuki · · Score: 5, Informative

      the problem is actually in dhtml, but javascript makes the exploit 'much easier'

      hence, the attack sites will all be using javascript, because it's easier than writing it entirely in dhtml just to score an extra 1 click from the guy who disabled javascript because he doesn't trust it.

      BTW: in theory even sites like slashdot can be infected because the attack applies to all CSS coded sites. nice.

      oh, BTW, if you have noscript installed, this vulnerability can only force clicks within the same domain, since cross site code is automatically disabled. AFAIK the only way to disable CSS is to use obsolete browsers like lynx.

  2. Re:Information by AKAImBatman · · Score: 5, Informative

    It's about using IFRAMES + CSS to make confusing visual elements that cause users to perform actions they didn't think they were performing. Feel better? ;-)

  3. The devil is in the details by Ambush+Commander · · Score: 5, Informative

    In its most primitive form, it basically involves taking an iframe, figuring out where the link part/form part is, and then tricking the user into clicking it.

    This seems very clunky and hacky, but I suspect that the speakers at the OWASP talk have gotten this technique to work well enough so that it is both transparent and highly effective. Can you think of a website that needs you to click, say, a play button in order to view content? That click may be hijacked through an invisible iframe to execute an action on another website.

    The good folks at Google recently raised this topic on the WHATWG mailing list, you can read more about it here: http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html