Fixes Released (and More Promised) For "Clickjacking" Exploits
An anonymous reader writes "As discussed previously on Slashdot, concern has been raised over a class of 'clickjacking' vulnerabilities which affect all major Web browsers. These exploits allow an attacker to place invisible or seemingly legit objects on a Web page that perform undesired actions when a user clicks on them. In recent developments, 'Guya' posted a scary proof-of-concept that hijacks Adobe Flash Player to spy on users with a webcam and/or microphone. In response, Adobe released an advisory with a temporary workaround, and stated that a future Player update will address the exploit. This prompted the original disclosers of the vulnerabilities to post a summary of the exploits. Additionally, Giorgio Maone, creator of the popular NoScript extension for Firefox and other Gecko-based browsers, released version 1.8.2.1 of NoScript, which adds 'ClearClick,' a feature that intercepts clicks made on invisible or otherwise obscured elements on a page. Although issues remain, there seems to be progress in addressing these security problems."
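The summary describes clickjacking as an attacker placing invisible or seemingly legitimate objects over a page so that a user's click lands on something they cannot see, and describes ClearClick as intercepting clicks on invisible or obscured elements. The following is an added, simplified illustration of that client-side idea, written for this page; it is not NoScript's code, and the element tree, the opacity threshold, and the "Add to Friends" decoy scenario are all constructed for the example. Elements are plain objects with a `style` map and a `parent` link so the check runs offline; in a browser the same values would come from `getComputedStyle()`.

```javascript
// Added illustration of the ClearClick idea (not NoScript's own code): before a
// click is honored, decide whether the element that received it is actually
// visible to the user. Clickjacking pages typically make the real target
// invisible (opacity: 0, visibility: hidden, display: none) while a decoy is
// drawn in the same place.

const OPACITY_THRESHOLD = 0.1; // assumed cut-off below which a user cannot see the element

function effectiveOpacity(element) {
  // CSS opacity compounds through ancestors: an element at opacity 1 inside a
  // wrapper at opacity 0 is still invisible to the user.
  let opacity = 1;
  for (let node = element; node; node = node.parent) {
    const raw = node.style.opacity;
    const own = raw === undefined ? 1 : parseFloat(raw);
    opacity *= Number.isNaN(own) ? 1 : own;
  }
  return opacity;
}

function isHiddenByAncestor(element) {
  // display:none or visibility:hidden on the element or any ancestor removes it
  // from view entirely.
  for (let node = element; node; node = node.parent) {
    if (node.style.display === "none" || node.style.visibility === "hidden") {
      return true;
    }
  }
  return false;
}

function classifyClick(target) {
  // Returns why a click should be blocked, or "allowed" if the target is visible.
  if (isHiddenByAncestor(target)) return "blocked:hidden";
  if (effectiveOpacity(target) < OPACITY_THRESHOLD) return "blocked:transparent";
  return "allowed";
}

// Constructed sample page: a visible decoy "Play" button, and a fully transparent
// absolutely-positioned frame on top of it containing the real "Add to Friends"
// button that the attacker wants clicked.
function buildSamplePage() {
  const body = { name: "body", style: {}, parent: null };
  const decoy = { name: "play-button", style: { opacity: "1" }, parent: body };
  const overlay = {
    name: "overlay-iframe",
    style: { opacity: "0", position: "absolute" },
    parent: body,
  };
  const realButton = { name: "add-friend-button", style: { opacity: "1" }, parent: overlay };
  return { body, decoy, overlay, realButton };
}

function demo() {
  const page = buildSamplePage();
  return {
    decoyClick: classifyClick(page.decoy),        // "allowed"
    hijackedClick: classifyClick(page.realButton), // "blocked:transparent"
  };
}

console.log(demo());
```

The check only covers the cases where the victim element is made invisible through its own or an ancestor's styles. An overlay that is merely positioned so that only a small slice of the framed page is exposed would not be caught by style inspection alone, which is why ClearClick, as described in the summary, works at the level of what the user actually sees rather than on stylesheet values.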
Well, an example is the "Get Add-on" link on the NoScript website: clicking it causes an iframed link from Mozilla's add-on page to be "clicked" instead.
Clickjacking's new in terminology only.
I have the Flash plugin, but I also run FlashBlock. It's awesome. No crappy flashy anything unless I actually want it, and then it's only a few mouseclicks away. That plus NoScript meant it took me about half a dozen clicks before I had both the permission and the ability to run the clickjacking demo. I feel pretty safe with Firefox.
John
Now if only NoScript, when I choose (for example) "Temporarily allow doubleclick.net", granted that allowance only on the page I'm viewing and its descendants and not in every open tab in every window to every site their scripts are on!
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
It's always kind of creeped me out that Flash even gives applets access to the microphone and webcam, and I never enable those capabilities in the program.
Yes, I understand the point of it, I just think it's creepy.