Clickjacking – Cross-browser threat fear grows
A new threat on the Internet has all the major browser makers scrambling to find a fix.
On Friday security agency US Cert issued a security notice warning that almost all browsers were affected by what is being called “clickjacking”.
The notice warns that “clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page.”
The threat is known to be equally serious for all major browsers including Firefox, Chrome, Internet Explorer and Opera and to date there is no definitive fix available.
Although the exact details of how the threat is executed are not fully explained, the researchers that first raised this issue have warned that the possibilities of what can be done with clickjacking are quite serious. The exploit has been likened to the cross-site request forgery exploit.
Robert “RSnake” Hansen, the founder and CEO of SecTheory, and one of the researchers on the team that found the problem, writes on his blog that “some of the issues we found weren’t just a little bad – they were a lot bad. So bad, in fact, that we felt compelled to do some responsible disclosure.”
Hansen and his partner, Jeremiah Grossman, say that they have been talking to the major vendors including Adobe which has a product affected by the exploit. Adobe is so concerned about the exploit that it has had Hansen and Grossman cancel a planned presentation on the issue until a suitable fix is available.
Many industry commentators are advising users to disable all extensions in their browsers until a fix is made available. This, however, is not entirely practical for most users.
There are reports that the Firefox NoScript extension deals with most of the threats of clickjacking.
BreakingPoint has some more information on its site as well as proof-of-concept exploits.
But, right now, until a fix is found most users will be at risk.