X
Business
Home Business Enterprise Software

Firefox + NoScript vs Clickjacking

In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:Hi Ryan,I've seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].
Written by Ryan Naraine, Contributor
Firefox + NoScript vs Clickjacking
In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:

Hi Ryan,

I've seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].

I had access to detailed information about how this attack works and I can tell you the following:

  1. It's really scary
  2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) -- see this comment by Jeremiah Grossman himself.
  3. For 100% protection by NoScript, you need to check the "Plugins|Forbid <IFRAME>" option.

Cheers, Giorgio

I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue.  In a nutshell, I was told that it's indeed "very, freaking scary" and "near impossible" to fix properly.

Tod Beardsley from BreakingPoint has posted a few proof-of-concept exploits with speculation around clickjacking.

Editorial standards
Show Comments

Related

AI coding concept

Can Meta AI code? I tested it against Llama, Gemini and ChatGPT - it wasn't even close

Home Assistant logo

Move over, Alexa and Homekit: A new Assistant is here to open-source your smart home

ibm8gettyimages-1659447431

The best free AI courses (and whether AI 'micro-degrees' and certificates are worth it)