Slashdot Mirror


Fixes Released (and More Promised) For "Clickjacking" Exploits

An anonymous reader writes "As discussed previously on Slashdot, concern has been raised over a class of 'clickjacking' vulnerabilities which affect all major Web browsers. These exploits allow an attacker to place invisible or seemingly legit objects on a Web page that perform undesired actions when a user clicks on them. In recent developments, 'Guya' posted a scary proof-of-concept that hijacks Adobe Flash Player to spy on users with a webcam and/or microphone. In response, Adobe released an advisory with a temporary workaround, and stated that a future Player update will address the exploit. This prompted the original disclosers of the vulnerabilities to post a summary of the exploits. Additionally, Giorgio Maone, creator of the popular NoScript extension for Firefox and other Gecko-based browsers, released version 1.8.2.1 of NoScript, which adds 'ClearClick,' a feature that intercepts clicks made on invisible or otherwise obscured elements on a page. Although issues remain, there seems to be progress in addressing these security problems."

46 of 70 comments

  1. Re:Has... by snl2587 · · Score: 3, Interesting

    Well, an example is the "Get Add-on" link on the NoScript website: clicking it causes an iframed link from Mozilla's add-on page to be "clicked" instead.

    Clickjacking's new in terminology only.

  2. Re:Has... by Anonymous Coward · · Score: 2, Insightful

    But that's the user clicking on a visible item, simply embedded in the page. It's misleading, sure! But it's not the same as having a user click anywhere and it hitting an invisible item that does something completely unrelated to whatever's displayed.

  3. Original fix by MaxwellEdison · · Score: 2, Funny

    I've solved this problem by removing my mouse from the computer. Now I never click anything malicious! Or anything at all... It's all wonderfully frustrating.

    --
    -=Bang Bang=-
  4. Comment removed by account_deleted · · Score: 4, Funny

    Comment removed based on user account deletion

  5. Oh great... by davidbrit2 · · Score: 1

    Like I need yet another NoScript update this week.

    1. Re:Oh great... by Ant+P. · · Score: 1

      Normally I wouldn't mind being told to update every 24 hours, but the way NoScript does it is completely fucking retarded.
      What's the use of Firefox having a "show more information" button in the addon manager when all it displays is an URL to an ad-filled page with a 2 line changelog? And to rub it in, the info box isn't a real textarea so you can't just copy and paste the link.

  6. Why does flash by British · · Score: 1

    ..even have a facility for the webcam and mic anyways?

    1. Re:Why does flash by Anonymous Coward · · Score: 1, Informative

      People use it here for American Sign Language work. They sign into the webpage, it turns on the cam, they sign it up, and it's stored on the server for their instructor or collaborator to view/grade/whatever.

    2. Re:Why does flash by marxmarv · · Score: 1

      Because all technological advancement is driven by adult media?

      --
      /. -- the Free Republic of technology.
    3. Re:Why does flash by lysergic.acid · · Score: 1

      My friend used it in his interactive media class to simulate the vision of dogs. You run the Flash application and it filters the cam feed to only display the visual spectrum dogs are capable of seeing.

      I don't think there's anything inherently wrong with giving Flash access to the webcam/mic. It creates opportunities for a lot of useful web apps. However, I do think that Flash browser plugins need to warn users and have them confirm that they actually want to turn on their webcam/mic.

  7. Re:Has... by Anonymous Coward · · Score: 4, Funny

    I was describing this article to my boss, and here is what he said to me verbatim. My emphasis added.

    So, should I be afraid of my web browser clickjacking me off of my normally visited websites to some spyware?

  8. Re:Has... by Mashiki · · Score: 2, Informative

    Anyone actually seen a POC of clickjacking? I know I haven't...

    Yes. I've run across it on GCW, MSNBC and Wowhead through third-party advertisers. It's already in the wild, the only thing that stopped it was NoScript.

    --
    Om, nomnomnom...
  9. The jokes on you, hackers! by Gizzmonic · · Score: 2, Funny

    Not only am I an exhibitionist, I'm also unbelievably ugly! You won't be 'clickjacking' to my warped, drooling countenance!

    --
    (-1, Raw and Uncut is the only way to read)
    1. Re:The jokes on you, hackers! by Anonymous Coward · · Score: 1, Funny

      Goddamnit, mom! I thought I told you not to post on the same websites as me? And don't think I haven't seen you on adultfriendfinder either.

  10. Re:Has... by Mashiki · · Score: 4, Informative

    Just because I had to hunt for the image:
    http://bay01.imagebay.com/bay.php?view=61388_poshijack.jpg

    --
    Om, nomnomnom...
  11. Interview with Clickjacking Author by webappsec · · Score: 1
  12. Re:Has... by plover · · Score: 1

    Well, there's a POC linked in TFA. I tried it. It looked like it was going to work but NoScript warned me about it. Pretty cool.

    NoScript is my friend.

    --
    John
  13. Re:Has... by Ortega-Starfire · · Score: 1

    Click the proof-of-concept link in the article summary.

    --
    ---- Liquid was a patriot ----
  14. I am confused by RockMFR · · Score: 1

    I was under the impression that Flash runs with full privileges and can basically do anything if you have the plugin installed. Is this not the case?

    1. Re:I am confused by argent · · Score: 1

      The plugin runs with full privileges.

      The scripts (in ActionScript, a version of ECMAScript, née JavaScript) run in a sandbox.

  15. Re:This stuff is why... by plover · · Score: 2, Interesting

    I have the Flash plugin, but I also run FlashBlock. It's awesome. No crappy flashy anything unless I actually want it, and then it's only a few mouseclicks away. That plus NoScript meant it took me about half a dozen clicks before I had both the permission and the ability to run the clickjacking demo. I feel pretty safe with Firefox.

    --
    John
  16. Re:This stuff is why... by thenewguy001 · · Score: 1

    Why not just use flashblock for firefox instead of firing up IE? You can enable/disable individual flash objects on the fly with flashblock.

    In IE you have to let everything load, which is less secure. If the page is full of flash adverts it'll also consume more CPU cycles.

  17. Re:Simple solution: by plover · · Score: 2, Funny

    Let me get this straight: You recommend:

    i.e. for banking.

    and you expect us to trust you with security advice? Please!

    --
    John
  18. NoScript by HTH+NE1 · · Score: 4, Interesting

    Now if only NoScript, when I choose (for example) "Temporarily allow doubleclick.net", granted that allowance only on the page I'm viewing and its descendants and not in every open tab in every window to every site their scripts are on!

    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    1. Re:NoScript by kesuki · · Score: 3, Informative

      Apparently, feature suggestions should be posted to this forum: http://forums.mozillazine.org/viewtopic.php?t=826005

      'Temporarily allow site in tab' and 'temporarily allow all in tab' are features I'd suggest, but I'm too lazy to sign up for a forum and post there.

      Being specific to a single tab would be nice. It might add to the size of the engine, but again, it would make annoying, broken, ad-supported sites like Pogo that require 26 separate sites to be 'allowed' to properly load a web game... No, I don't play Pogo, but I disabled NoScript on one of my parents' computers so she could use Pogo. I checked to see if I could just add to the whitelist, but that basically defeated the point of a whitelist, so it was disabled.

      On Windows it's no big deal, she uses IE and I use Firefox, but on their Linux system, which she rarely uses, except when there are issues with the other computer... well, it has to stay set so she can play Pogo on it if needed.

    2. Re:NoScript by kesuki · · Score: 1

      They work globally across all tabs though. What if I want doubleclick okayed on one tab, but not another? It's one thing to 'have to' allow one website in one tab to play a free online game, and quite another to make every news site I'm surfing suddenly show ads, because of one site.

  19. Re:Help by Loopy · · Score: 1

    It's a .0 release. Haven't you learned anything from all the linux threads here?

  20. Are they saying this end-of-the-internet threat... by Ungrounded+Lightning · · Score: 2, Insightful

    Are they really saying this newly-uncovered, ultra-hyped, horrible, end-of-the-internet, cross-browser, gotta-fix-the-world-but-it's-SO-hard, threat... ... was INVISIBLE BUTTONS?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  21. Flash and microphones and webcams, oh my. by argent · · Score: 2, Interesting

    It's always kind of creeped me out that Flash even gives applets access to the microphone and webcam, and I never enable those capabilities in the program.

    Yes, I understand the point of it, I just think it's creepy.

    1. Re:Flash and microphones and webcams, oh my. by cerberusss · · Score: 3, Funny

      It's always kind of creeped me out that Flash even gives applets access to the microphone

      Definitely creepy. One time I visited a page with a Flash-based advertisement from (apparently) a French company. When my mouse cursor inadvertently moved over the Flash applet, some kind of contact was made with the company. This French guy was screaming into his microphone "'ello?? 'ELLOO??". And he obviously saw through my cam because he continued: "Bonjour, sire! Whas arr yous eatingue?" just when I was shoving a sandwich in my pie-hole.

      --
      8 of 13 people found this answer helpful. Did you?
  22. Re:Are they saying this end-of-the-internet threat by mr_mischief · · Score: 3, Informative

    Any form of invisible link, invisible button, link or button in an iframe, getURL() call in Flash, or JavaScript handler for any normally non-clickable item that makes you go somewhere, yeah.

  23. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  24. Re:Has... by Koiu+Lpoi · · Score: 1

    Except it doesn't at all. Mouse over the link and you can clearly see in your status bar that it goes to Mozilla's site. Clickjacking my ass.

  25. Re:This stuff is why... by id · · Score: 1

    That would be great if flashblock itself wasn't susceptible to clickjacking...

  26. Re:Has... by snl2587 · · Score: 1

    Please read.

  27. Re:Has... by snl2587 · · Score: 1

    Nice job looking at the page source, but you've really got to look at the javascript.

    Note this bit (this is only a part; see the source for the rest):
    document.getElementById("amo-install").innerHTML +=
    '<iframe id="amo-installer" width="1" height="1" style="visibility: hidden; filter: alpha(opacity=0)" scrolling="no"></iframe>';

    Yep. Looks like this is exactly what I was talking about.

  28. Re:How is this new? by FLEB · · Score: 2, Insightful

    This attack makes it possible for third parties to trick you into performing actions on third-party sites, by overlaying them invisibly on something you think you want to click. An attacker could overlay a seemingly innocuous game, for instance, with an administrative panel from a common website. The settings panel would be invisible (zero or low alpha), but still would receive mouse clicks. When the "game" asks you to click two seemingly random points, you're actually clicking the "Delete my account" checkbox and "Continue" button, for instance.

    Off the top of my head, it's not a world-ender, just another problem like XSS or XSRF to be vigilant against. Possible solutions (from the top of my head) would be for sensitive form pages to have a framebusting script (although this doesn't help if JS is off), and require a password or CAPTCHA (a password could be phished around, but a CAPTCHA could work, since the fake site still has no actual way to read or write the legit site).

    --
    Information wants to be free.
    Entertainment wants to be paid.
    You just want to be cheap.
  29. Re:Simple solution: by FLEB · · Score: 1

    While the "different browser" idea would work, turning off JS would be marginal to harmful. This is a straight HTML/CSS exploit, and, actually, turning off JS could stop preventive framebusting scripts from running.

    --
    Information wants to be free.
    Entertainment wants to be paid.
    You just want to be cheap.
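The two halves of the attack FLEB describes in comment 28, and the framebusting defence whose weakness he points out in comment 29, as an added example. This is not code from the thread, from NoScript or from the original disclosers; hostnames and pixel offsets are invented, and a fake `window` object stands in for the real one so the defence can be exercised under Node without a browser.

```javascript
// Added example, not from the thread. Attacker side: a "game" page that loads
// the target in a transparent iframe placed above a decoy button. Defender
// side: the framebusting script, plus the hide-until-top-level variant that
// still protects when JavaScript is disabled or the buster is blocked.

// --- Attacker side: the decoy page -----------------------------------------
// The victim sees the decoy button. The framed target is shifted by
// (-targetButtonX, -targetButtonY) so that the target's own dangerous button
// is rendered exactly over the decoy. The iframe has opacity 0 (and the old
// IE filter form) but a higher z-index, so it is invisible yet receives the
// click instead of the decoy.
function buildClickjackPage({ targetUrl, decoyLeft, decoyTop, targetButtonX, targetButtonY }) {
  const frameLeft = decoyLeft - targetButtonX;
  const frameTop = decoyTop - targetButtonY;
  return [
    '<!doctype html>',
    '<html><body>',
    '<p>Win a prize: click the button!</p>',
    `<button style="position:absolute;left:${decoyLeft}px;top:${decoyTop}px;z-index:1">Click me</button>`,
    `<iframe src="${targetUrl}" scrolling="no" style="position:absolute;` +
      `left:${frameLeft}px;top:${frameTop}px;width:1000px;height:800px;border:0;` +
      'opacity:0;filter:alpha(opacity=0);z-index:2"></iframe>',
    '</body></html>',
  ].join('\n');
}

// --- Defender side: framebusting --------------------------------------------
// The naive script: if this document is not the top-level one, navigate the
// top-level window to ourselves. `win` stands in for `window`.
function frameBust(win) {
  if (win.top !== win.self) {
    win.top.location = win.self.location;
    return true;   // we were framed and tried to break out
  }
  return false;    // already top-level: nothing to do
}

// As noted in the follow-up, frameBust does nothing when JavaScript is off,
// and a hostile parent can also block the navigation. The more robust pattern
// (a widely used technique, not from the thread) hides the page by default and
// only reveals it when a script confirms it is top-level: with scripts blocked
// the page stays blank instead of becoming an invisible, clickable target.
function defendedPage(bodyHtml) {
  return [
    '<!doctype html><html><head>',
    '<style id="antiClickjack">body{display:none !important;}</style>',
    '<script>',
    '  if (self === top) {',
    '    var s = document.getElementById("antiClickjack");',
    '    s.parentNode.removeChild(s);',   // top-level: reveal the page
    '  } else {',
    '    top.location = self.location;', // framed: try to break out
    '  }',
    '</script>',
    '</head><body>', bodyHtml, '</body></html>',
  ].join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed demo values: the target's "Delete my account" button is
  // assumed to sit at (640, 410) inside its own page.
  console.log(buildClickjackPage({
    targetUrl: 'https://bank.example/settings',
    decoyLeft: 120, decoyTop: 80, targetButtonX: 640, targetButtonY: 410,
  }));
}
```

The decoy and the framed page must line up to the pixel, which is why real clickjacking kits measure the target's layout beforehand; the page shown to the victim carries no hint of the target, so as comment 29 says, disabling JavaScript on the victim side does not help, while disabling it on the target side removes the only client-side defence.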
  30. Re:How is this new? by FLEB · · Score: 2, Insightful

    When the "game" asks you to click two seemingly random points,

    s/random/arbitrary/

    --
    Information wants to be free.
    Entertainment wants to be paid.
    You just want to be cheap.
  31. Re:Has... by Koiu+Lpoi · · Score: 1

    Except that it doesn't come up with that box at all, and I'm running the latest version of NoScript. Looks like they fixed it.

  32. Re:Has... by snl2587 · · Score: 1

    No, the noscript site is on your whitelist by default (along with googlesyndication.com so the developer can collect ad revenue off his site). The demo on his blog was an example of what would happen if you removed noscript.net from your whitelist and went to his site with the blocker enabled.

  33. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  34. Restricting iframes by StoatBringer · · Score: 1

    In the case of iframes abuse, wouldn't it make sense for browsers to refuse to allow iframes to show pages which include some sort of "no_remote_display" tag? So if your page has a form which could potentially be abused, add the tag and browsers which recognise it will only show the page in its entirety, and not as part of another page or from another domain?

    I realise that this may well be far too simplistic and people will probably point out a dozen reasons why it won't work and would break all sorts of things. :)

    --
    Cress, cress, lovely lovely cress
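The "no_remote_display" tag StoatBringer proposes exists today as the X-Frame-Options response header and the Content-Security-Policy frame-ancestors directive, both evaluated by the browser before it renders a page inside a frame. The following is an added example, not code from the thread or from any browser: it shows the headers a sensitive page should send, and a checker that, given a captured set of response headers, reports whether a given origin would be allowed to frame the page. All origins are invented, and the host matcher ignores ports to stay short.

```javascript
// Added example, not from the thread. (1) antiFramingHeaders: what a
// sensitive page should send. (2) mayBeFramed: a checker for captured
// response headers, useful when auditing which of your pages are still
// frameable by arbitrary sites.

// Headers for a page that must never be framed (no arguments) or that may be
// framed only by itself and the listed origins. Both headers are sent: CSP for
// browsers that understand it, X-Frame-Options for older ones.
function antiFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      'Content-Security-Policy': "frame-ancestors 'none'",
      'X-Frame-Options': 'DENY',
    };
  }
  return {
    'Content-Security-Policy': `frame-ancestors 'self' ${allowedOrigins.join(' ')}`,
    // X-Frame-Options has no reliable allow-list form (ALLOW-FROM was never
    // widely implemented), so the legacy header falls back to SAMEORIGIN.
    'X-Frame-Options': 'SAMEORIGIN',
  };
}

// Case-insensitive header lookup over a plain { name: value } object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Does one CSP source expression admit `embedder`?
function matchesSource(source, pageOrigin, embedder) {
  if (source === "'self'") return embedder === pageOrigin;
  if (source === '*') return true;
  const e = new URL(embedder);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {      // scheme-source, e.g. "https:"
    return e.protocol === source.toLowerCase();
  }
  // host-source: optional scheme, optional "*." wildcard, optional port (ignored here)
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::\d+)?$/i);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && `${scheme.toLowerCase()}:` !== e.protocol) return false;
  const got = e.hostname.toLowerCase();
  const want = host.toLowerCase();
  return wildcard ? got.endsWith(`.${want}`) : got === want;
}

// Would a browser let `embedder` frame the page at `pageOrigin`, given the
// page's response `headers`? A frame-ancestors directive takes precedence over
// X-Frame-Options; with neither present anyone may frame the page, which was
// the universal default when this thread was written.
function mayBeFramed(headers, pageOrigin, embedder) {
  const csp = header(headers, 'content-security-policy');
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => /^frame-ancestors(\s|$)/i.test(d));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      if (sources.length === 0 || sources.includes("'none'")) return false;
      return sources.some((s) => matchesSource(s, pageOrigin, embedder));
    }
  }
  const xfo = header(headers, 'x-frame-options');
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return false;
    if (value === 'SAMEORIGIN') return embedder === pageOrigin;
    // Any other value is ignored by browsers and so offers no protection.
  }
  return true;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed: a 2008-style response with no anti-framing headers at all.
  const captured = { 'Content-Type': 'text/html' };
  console.log('no policy, framable by evil.example:',
    mayBeFramed(captured, 'https://bank.example', 'https://evil.example'));
  console.log('with antiFramingHeaders():',
    mayBeFramed(antiFramingHeaders(), 'https://bank.example', 'https://evil.example'));
}
```

The checker mirrors the precedence browsers apply: when both headers are present the CSP directive wins, so a site that adds a permissive frame-ancestors list later silently overrides an older `X-Frame-Options: DENY`, which is worth catching in an audit.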
  35. Re:Simple solution: by metamatic · · Score: 1

    See, this is why I think NoScript and CookieSafe (CS Lite) should be standard functionality in Firefox. In fact, they already have the functionality, they just need the friendly UI so normal people can actually use it.

    But Mozilla won't do it, because it would piss off the advertisers who use JavaScript and cookies to surreptitiously track people. They might be an open source project, but they don't have the users' best interests at heart.

    --
    GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  36. Re:Simple solution: by JCSoRocks · · Score: 1

    Re: IE for banking - I know some banking sites weren't compatible with FF for a loooong time. I'm still not sure if BofA's site is. It can be frustrating.

    --
    You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
  37. Re:Are they saying this end-of-the-internet threat by JCSoRocks · · Score: 1

    Yeah, which is lame because I've been using those for years. They're actually really handy in certain situations. ...And that's for legitimate web app work, not spamtastic garbage. In fact if the changes they make are sweeping enough it may break some of my old code... yay.

    --
    You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.