Slashdot Mirror

← Back to Stories (view on slashdot.org)

Alarm Raised For "Clickjacking" Browser Exploit

Posted by timothy on

Shipment Date writes "ZDNet's Zero Day blog has some new information on what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP conference but was nixed at the last minute at hte request of affected vendors. From the article: 'In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'"

5 of 308 comments (clear)

  1. Premature claim by clang_jangle · · Score: 4, Interesting

    scary new browser exploit/threat affecting all the major desktop platforms

    I didn't find that information in TFA or in any of the TFAs linked in TFA (here here here here). Though it may be so; it sounds like this exploit makes use of the browser's access to the clipboard.
    Elinks FTW!

    --
    Caveat Utilitor
  2. OWASP by Lord+Ender · · Score: 4, Interesting

    was to be discussed at the OWASP conference but was nixed at the last minute at hte request of affected vendors

    Well, add OWASP to the list of security organizations with no integrity. It's clear they care about their sponsors, not their members.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  3. Re:One of these things is not like the other. by Chysn · · Score: 5, Interesting

    > Now we're at a quandary. Your humble
    > correspondent is at a loss to even speculate as
    > to the nature of a technology that Ffirstly isn't
    > Javashit, but which can conceivably be invoked by
    > web content regardless of which web browser is in
    > use, but lastly can be secured against by
    > disabling hated plug-ins.

    It's a Flash exploit. I found a proof-of-concept by clicking around TFA, and it promised that the Flash movie would take over my clipboard, forcing me to close the browser window. I'm on Firefox 3.0.2, and the "proof-of-concept" did nothing.

    At least nothing obvious. I suppose I could have been rootkitted.

    --
    --I'm so big, my sig has its own sig.
    -- See?
  4. Re:Summary wrong by jesser · · Score: 5, Interesting

    FWIW, this isn't exactly a new idea. roc and I discussed it back in 2002.

    I'm glad it's getting attention now, though. Any fix is likely to require changes to specs.

    --
    The shareholder is always right.
  5. I've seen this as a bug by Skapare · · Score: 4, Interesting

    I've seen situations that otherwise look like benign layout bugs, where two or more hyperlinks or other clickable objects end up being overlayed on each other. It's not clear which one would be activated until you click. If someone intentionally did this AND obscured the object they wanted the victim to click, and made the other object more attractive, people might be doing such clicking. This could be easily done with CSS on one page, but there's not advantage since both links are just part of the same page. I don't think frames would do this. However, IFRAMES might do this on a cross "page" basis. The perp makes an attractive link that overlays over an iframe that is loaded from another page, so the act of clicking gets the victim to effective click on the other page. This loads something else in the iframe, but from the perpective of that other web site, it was a click on their page (based on the referer value). The simple exploit would get people to click on an ad, and it would not be visible to the ad vendor which page was doing the exploit.

    --
    now we need to go OSS in diesel cars