‘Clickjacked’ in the blink of an eye
October 2, 2008
Imagine if, while you were merrily surfing on the net, someone figured out how to take your next mouse click and repurpose it for whatever he wanted. Say, for instance, you pointed your mouse to a link for a news article that caught your eye, but when you clicked the link, you landed on a Web site designed to trash your Web browser. You just got clickjacked.
It’s like signing your name blindfolded, not realizing someone slipped another piece of paper between your pen and the desk, intercepting your signature.
It’s serious enough that the security experts who discovered clickjacking agreed, after being urged by Adobe Systems, to postpone a talk at the latest Open Web Application Security Project (OWASP) Conference.
They claim the exploit code they developed proves the vulnerability is so serious, it should be kept under wraps until developers and vendors have had an opportunity to address the issues in their software.
The vulnerability has existed for years, but has typically been shrugged off by the industry. The consequences originally imagined seemed too harmless to be taken seriously.
Robert “RSnake” Hansen and his colleague Jeremiah Grossman were the developers who discovered the serious implications of the vulnerability. By combining various flaws they discovered, they realized that a ne’er-do-well has an opportunity to cause a computer user to click on a link that is virtually invisible, or only appears briefly, instead of clicking a legitimate link.
The possibility for this to be used to “phish” for login names, passwords, credit card numbers and other personal information is sobering.
Grossman commented in Computerworld: “Think of any button on any Web site that you can get to appear between the browser walls. Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue…. The list is virtually endless, and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to.”
Blink if you want, you’ll probably never see it happening.
The problem seems to affect Web sites in general; however, it would be impractical to expect every vulnerable Web site in the world to be updated. Instead, the issue is being addressed by browser and plug-in makers such as Mozilla, Adobe and Microsoft.
“The correct solve will not be patching every web-site on earth,” Hansen writes in his blog. “Instead it will likely end up being a browser patch against every major browser.”
Browser loyalty won’t help anyone this time. Clickjacking affects all current browsers: Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and Opera, and even Adobe Flash.
“It affects all modern browsers,” said Hansen. “I spent probably a week thinking about the problem, maybe two days coming up with exploit code, and another couple of hours looking at various Web sites, plug-ins, and other things, looking to see what might be vulnerable. And in the process of doing that, pretty much everything I poked at broke.”
Security experts suggest that all computer users disable browser plug-ins until a solution is discovered. One caveat: Some plug-ins such as NoScript and AdBlock Plus may actually be useful in blocking attempted attacks.
Keep an eye on this one, folks.
- Robert “RSnake” Hansen’s blog about Clickjacking: http://ha.ckers.org/blog/20080915/clickjacking/
- Jeremiah Grossman’s blog: http://jeremiahgrossman.blogspot.com/
(This article was originally published in the Amarillo Independent newspaper.)