Slashdot Mirror


Alarm Raised For "Clickjacking" Browser Exploit

Shipment Date writes "ZDNet's Zero Day blog has some new information on what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP conference but was nixed at the last minute at the request of affected vendors. From the article: 'In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'"

21 of 308 comments

  1. Hurray for us lynx users! by Anonymous Coward · · Score: 5, Funny

    *crickets*

  2. Information by asCii88 · · Score: 5, Insightful

    You call this "information"? It's not even clear what the exploit is about.

    1. Re:Information by eln · · Score: 5, Funny

      It's very similar to the DNS issue from a couple of months back: It's a hugely scary thing that will doom the Internet, but because we're responsible we can't tell you what it is in any detail. However, if you don't patch your browser immediately (patch not yet available), you are fucked.

      Have a nice day.

    2. Re:Information by AKAImBatman · · Score: 5, Informative

      It's about using IFRAMES + CSS to make confusing visual elements that cause users to perform actions they didn't think they were performing. Feel better? ;-)

    3. Re:Information by Kaptainkid · · Score: 5, Funny

      For additional support information. Click this link. LOL

    4. Re:Information by OriginalArlen · · Score: 5, Insightful

      There's a big difference. The first public news of the Kaminsky DNS issue was with the release of Microsoft's Patch Tuesday DNS update, with simultaneous patches from ISC for BIND and the other affected nameservers. Dan organised all that with the help of CERT and the DNS server vendor/distributors, without leaks. Once the patches and a vague description were out, people put two and two together pretty quickly - IIRC from the BlackHat preso, the first correct solution Kaminsky received was within 48 hours - and shrewd guesses were being made within two weeks (followed by the unfortunate leak which broadly confirmed the guess.) It sounds like the cat is well and truly out of the bag here, already, and there are no patches yet. Apart from the people at the conference, there's enough detail in the sources the ZDNet blog links to to make it pretty clear which direction the shrewd guesses (and testing) will have started on.

      Looking on the bright side, more browsers than nameservers auto-update themselves...

      (Incidentally the reason the Internet wasn't destroyed by the Kaminsky bug was precisely because of all the prior coordination and then unequivocal "patch now" messages from multiple credible sources (CERT, Vixie, Microsoft, the other respected researchers Dan explained it to under NDA, etc.) And anyway you ARE still fucked in the long run, anyway, because DNS is still spoofable by a determined attacker (which probably means one who's going after a very high value target) in the absence of DNSSEC. Hence the (by Fed terms, frantic) haste with which the .gov root is being signed at last.

      Have a great day!

      --

      Everything I needed to know about life, I learnt from Blake's Seven

    5. Re:Information by lysergic.acid · · Score: 5, Funny

      i still don't get it. could you give an analogy involving cars?

    6. Re:Information by AKAImBatman · · Score: 5, Insightful

      Sure. Imagine you're in a car showroom looking at a super-expensive car. It looks great and price is pretty good. So you tell the dealer you'll take the car. Except when you get in the car, you realize that someone had put a cardboard cutout in front of the car. The car you got in was actually an economy vehicle. Except now it's too late to undo your purchase!

      Here's another one: Let's say you've got a bunch of buttons on your dash. Most of them control the radio, but one controls the ejection seat. While you're away, some neighbor kids from MIT think it's funny to come over and rewire the buttons on your radio. Now when you press the button to turn on your radio, you actually get ejected from the car. NOT FUNNY!

      Better? :-P

    7. Re:Information by Cousin+Scuzzy · · Score: 5, Funny

      Better? :-P

      Well, That's better than simply turning on the radio when you needed to eject.

  3. Summary wrong by mazarin5 · · Score: 5, Informative

    The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.

    The quote from the article says you can protect yourself by disabling scripting:

    In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now.

    --
    Fnord.

    1. Re:Summary wrong by jesser · · Score: 5, Informative

      The zdnet article is pretty vague, but I think it refers to the problem detailed in this message from Michal Zalewski:

      "A malicious page in domain A may create an IFRAME pointing to an application in domain B, to which the user is currently authenticated with cookies. The top-level page may then cover portions of the IFRAME with other visual elements to seamlessly hide everything but a single UI button in domain B, such as 'delete all items', 'click to add Bob as a friend', etc. It may then provide own, misleading UI that implies that the button serves a different purpose and is a part of site A, inviting the user to click it."

      Disabling JavaScript won't prevent the attack. It will break some mitigations, though!

      --
      The shareholder is always right.

    2. Re:Summary wrong by kesuki · · Score: 5, Informative

      the problem is actually in dhtml, but javascript makes the exploit 'much easier'

      hence, the attack sites will all be using javascript, because it's easier than writing it entirely in dhtml just to score an extra 1 click from the guy who disabled javascript because he doesn't trust it.

      BTW: in theory even sites like slashdot can be infected because the attack applies to all CSS coded sites. nice.

      oh, BTW, if you have noscript installed, this vulnerability can only force clicks within the same domain, since cross site code is automatically disabled.. AFAIK the only way to disable CSS is to use obsolete browsers like lynx.

    3. Re:Summary wrong by jesser · · Score: 5, Interesting

      FWIW, this isn't exactly a new idea. roc and I discussed it back in 2002.

      I'm glad it's getting attention now, though. Any fix is likely to require changes to specs.

      --
      The shareholder is always right.

    4. Re:Summary wrong by HTH+NE1 · · Score: 5, Insightful

      Try the CSS pseudoclass :active

      And here is an example.

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?

  4. Thank Jeebus! by Anonymous Coward · · Score: 5, Funny

    Finally I have a legitimate excuse for all the pr0n sites that are in my browser history. No honey, it isn't me, it's a browsers exploit! I swear!

    1. Re:Thank Jeebus! by Roberticus · · Score: 5, Funny

      Finally I have a legitimate excuse for all the pr0n sites that are in my browser history. No honey, it isn't me, it's a browsers exploit! I swear!

      I don't know how things work for you, but saying that I just got clickjacked is only going to get me into more trouble, not less.

  5. One of these things is not like the other. by Tackhead · · Score: 5, Insightful

    Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

    Web browser, Web browser, Web browser, Web browser, and cross-platform method for running code delivered from untrusted sources.

    From TFA:

    "The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready."

    One vendor is, unlike the others, mentioned by name. It happens to be the vendor that ships The One Thing That Is Not Like The Others.

    Also from TFA:

    "According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:"

    and

    "In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now."

    Now we're at a quandary. Your humble correspondent is at a loss to even speculate as to the nature of a technology that firstly isn't Javashit, but which can conceivably be invoked by web content regardless of which web browser is in use, but lastly can be secured against by disabling hated plug-ins.

    1. Re:One of these things is not like the other. by Chysn · · Score: 5, Interesting

      > Now we're at a quandary. Your humble
      > correspondent is at a loss to even speculate as
      > to the nature of a technology that firstly isn't
      > Javashit, but which can conceivably be invoked by
      > web content regardless of which web browser is in
      > use, but lastly can be secured against by
      > disabling hated plug-ins.

      It's a Flash exploit. I found a proof-of-concept by clicking around TFA, and it promised that the Flash movie would take over my clipboard, forcing me to close the browser window. I'm on Firefox 3.0.2, and the "proof-of-concept" did nothing.

      At least nothing obvious. I suppose I could have been rootkitted.

      --
      --I'm so big, my sig has its own sig.
      -- See?

  6. Re:Bullshit? by id · · Score: 5, Insightful

    Except you're wrong, but don't take my word for it (I run ha.ckers.org with RSnake), see what Adobe has to say.

    http://blogs.adobe.com/psirt/2008/09/thanks_to_jeremiah_grossman_an.html

    -id

  7. The devil is in the details by Ambush+Commander · · Score: 5, Informative

    In its most primitive form, it basically involves taking an iframe, figuring out where the link part/form part is, and then tricking the user into clicking it.

    This seems very clunky and hacky, but I suspect that the speakers at the OWASP talk have gotten this technique to work well enough so that it is both transparent and highly effective. Can you think of a website that needs you to click, say, a play button in order to view content? That click may be hijacked through an invisible iframe to execute an action on another website.

    The good folks at Google recently raised this topic on the WHATWG mailing list, you can read more about it here: http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-September/016284.html
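
The framing described in jesser's quote of Zalewski and in Ambush Commander's comment above is exactly what a site's own "am I inside someone else's IFRAME?" check is meant to catch. Below is an added illustration of such a client-side framing check, written for this page and not taken from the thread or any browser vendor; the `win` parameter stands in for the browser's window object, and the allowlist origin is a constructed value.

```javascript
// Client-side framing check (added example; not from the thread). It is a
// JavaScript mitigation, which is why disabling scripting "breaks some
// mitigations", and it can be defeated by a framer that suppresses the
// referrer or blocks navigation, so it is a defence-in-depth layer only.

const ALLOWED_FRAMERS = ["https://app.example"]; // constructed allowlist

// True when this document is not the top-level browsing context.
function isFramed(win) {
  return win.top !== win.self;
}

// Best-effort origin of the framing page. Cross-origin, document.referrer
// is the only hint a framed page gets, and the framer can suppress it,
// so callers must treat "unknown" (null) as hostile.
function framerOrigin(win) {
  const ref = win.document && win.document.referrer;
  if (!ref) return null;
  try {
    return new URL(ref).origin;
  } catch (e) {
    return null;
  }
}

// Decide what the page should do on load:
//   "render" - top-level, or framed by an approved origin
//   "refuse" - framed by an unknown or unapproved origin: keep the UI hidden
function framingPolicy(win, allowed = ALLOWED_FRAMERS) {
  if (!isFramed(win)) return "render";
  const origin = framerOrigin(win);
  if (origin !== null && allowed.includes(origin)) return "render";
  return "refuse";
}

// Deny-by-default form: the page ships with <body> hidden via CSS and only
// reveals it when the policy allows, so a framer that blocks a redirect
// still gets nothing clickable. Returns the verdict for inspection.
function applyFramingPolicy(win) {
  const verdict = framingPolicy(win);
  if (verdict === "render") {
    win.document.body.style.display = "block";
  }
  return verdict;
}
```

In a real page the body would start with `display: none` in a stylesheet and `applyFramingPolicy(window)` would run on load; the robust fix is a server-side framing restriction, which this script only supplements.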

  8. Re:Turn to Lynx? by Anonymous Coward · · Score: 5, Funny

    I hate to burst your bubble, but it does not mean I'm 12. It means that I'm older than sin.

    You young'uns these days just don't understand anything that has a black rope coming out the back. It's got to be all "txtm3 or gtfo". 4COL. Well, @TEOTD I have a message for you, young man! GOML* and GAL! --AKAIB

    * Get Off My Lawn