Slashdot Mirror
Alarm Raised For "Clickjacking" Browser Exploit
Shipment Date writes "ZDNet's Zero Day blog has some new information on what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP conference but was nixed at the last minute at hte request of affected vendors. From the article: 'In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'"
I didn't find that information in TFA or in any of the TFAs linked in TFA (here here here here). Though it may be so; it sounds like this exploit makes use of the browser's access to the clipboard.
Elinks FTW!
Caveat Utilitor
Well, add OWASP to the list of security organizations with no integrity. It's clear they care about their sponsors, not their members.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
Using the links browser in a terminal with mouse support is almost exactly like using a browser with images turned off...
Witness:
http://www.jikos.cz/~mikulas/links/screenshots/png.html
> Now we're at a quandary. Your humble
> correspondent is at a loss to even speculate as
> to the nature of a technology that Ffirstly isn't
> Javashit, but which can conceivably be invoked by
> web content regardless of which web browser is in
> use, but lastly can be secured against by
> disabling hated plug-ins.
It's a Flash exploit. I found a proof-of-concept by clicking around TFA, and it promised that the Flash movie would take over my clipboard, forcing me to close the browser window. I'm on Firefox 3.0.2, and the "proof-of-concept" did nothing.
At least nothing obvious. I suppose I could have been rootkitted.
--I'm so big, my sig has its own sig.
-- See?
FWIW, this isn't exactly a new idea. roc and I discussed it back in 2002.
I'm glad it's getting attention now, though. Any fix is likely to require changes to specs.
The shareholder is always right.
Is crome affected? ;-)
I've seen situations that otherwise look like benign layout bugs, where two or more hyperlinks or other clickable objects end up being overlayed on each other. It's not clear which one would be activated until you click. If someone intentionally did this AND obscured the object they wanted the victim to click, and made the other object more attractive, people might be doing such clicking. This could be easily done with CSS on one page, but there's not advantage since both links are just part of the same page. I don't think frames would do this. However, IFRAMES might do this on a cross "page" basis. The perp makes an attractive link that overlays over an iframe that is loaded from another page, so the act of clicking gets the victim to effective click on the other page. This loads something else in the iframe, but from the perpective of that other web site, it was a click on their page (based on the referer value). The simple exploit would get people to click on an ad, and it would not be visible to the ad vendor which page was doing the exploit.
now we need to go OSS in diesel cars
Hey I use lynx you insensitive clod!
The reason you can't "clickjack"* is cause it's a text based browser. There ain't no clicking!
*I didn't RTFA, so I don't know how appropriate this term is.
Question everything
After reading AKAImBatman's comment, I realized it's not a DOM/scripting vulnerability, but just the ability to hide a link behind flash or an animated GIF content.
Kudos to AKAImBatman for understanding what this was about - and Kudos to the hackers for both discovering such an ingenious exploit and for working with the companies to fix it.
But here's the best part (from the article):
So, the exploit has nothing to do with Javascript, but Javascript makes it easier, and the only way to protect yourself is to disable Javascript (and plugins). Wonderful!
Game! - Where the stick is mightier than the sword!
How about if a malicious site puts amazon.com in a iframe positioned so as to induce you to hit the 1-click order button on some expensive camera or something? Using an Amazon referral link to themselves, of course.
It apparently doesn't have to redirect you away from the 'main' page you're seeing. It can all happen in a 'hidden' iFrame.
I can think of a lot of web pages where clicking could have a real effect. Especially on sites where users keep themselves logged in. It appears as if they can direct your click to any spot or object on the 3rd party site.
Ready to DIGG a story you know nothing about?
Bid on an eBay auction?
Delete all your old Yahoo/Gmail messages?
What about any site that uses GETs to send a message to the server?
And a really scary thought... can this exploit target pages on the local machine?
I would have classed that article as FUD, except that there are too many obvious contradictions.
Instead it just looks like some incoherent disinformation from someone who does not know the difference between a browser and a plugin.
a scary new browser exploit/threat affecting all the major desktop platforms - Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.
That's where I stopped taking the article seriously. Unfortunately that was also the first paragraph.
Ahem. No everyone can actually see images. Lynx is quite popular among the visually handicapped (IE + Jaws is another popular choice). If your website follows standards, it should be accessible to the visually impaired.