Clickjacking: Researchers raise alert for scary new cross-browser exploit

Robert (RSnake) Hansen

[ UPDATE: See e-mail from NoScript creator Giorgio Maone on a possible mitigation ]

Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop browsers -- Microsoft Internet Explorer, Mozilla Firefox, Apple Safari and Opera -- as well as Adobe Flash.

The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready.

The two researchers behind the discovery -- Robert Hansen (left) and Jeremiah Grossman -- have released droplets of information to highlight the severity of this issue.

So, what exactly is Clickjacking?

Clickjacking details emerge

According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:

  • In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits.  The problem affects all of the different browsers except something like lynx.  The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.  It's a fundamental flaw with the way your browser works and cannot be fixed with a simple patch.  With this exploit, once you're on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

[ SEE: Adobe Flash ads launching clipboard hijack attack ]

If that's not scary enough, consider that the average end user would have no idea what's going on during a Clickjack attack.

  • eBay, for example, would be vulnerable to this since you could embed javascript into the web page, although, javascript is not required to exploit this.  "It makes it easier in many ways, but you do not need it."  Use lynx to protect yourself and don’t do dynamic anything.  You can “sort of” fill out forms and things like that.  The exploit requires DHTML.  Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page.  Each click by the user equals a clickjacking click so something like a flash game is perfect bait.

According to Hansen, the threat scenario was discussed with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solution at the moment.

Grossman confirmed that the latest versions of Internet Explorer (including version 8) and Firefox 3 are affected.

  • In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now.

Topics: Open Source, Browser, Software Development

Talkback

144 comments
  • Text or graphic

    remember there use to be a link on web pages if you wanted text only or graphics.

    that should be put back in place
    Monosdeja
    • my web sites...

      My websites are all text, maybe some text deco and some basic formatting that isn't graphical. It may not be "flash"y but it gets the job done. Plus, it's easily readable in elinks, lynx, or any browser for that matter. You just don't get the full effect where an image is placed like a logo or the gallery...

      i like to keep it simple ;)
      linuxoverwindows
      • I don't understand how the clicks can hurt you.

        Yes, if you are on eBay you could be forced to make a bid that you didn't actually intend. (This is, [i]if[/i] you are logged on to your eBay account). But other than that, what is the danger? They are not going to get any passwords or personal information that way. And they could always trick you into clicking a malicious button anyway simply by labeling it "Next...".

        (BTW, I still don't understand why people don't make more use of Limited accounts. The only time I ever log on to my Administrator account is when I want to install a program. I've been running this way for years, and it has never caused me the slightest inconvenience).
        hummingfrog
        • Actually . . .

          "They are not going to get any passwords or personal information that way."

          Actually, if some of the hypotheses about how clickjacking might work are correct, it may be possible for some forms of it to detect keystrokes.

          Unfortunately, we do not have all of the details, so making rash statements about what it can and can't do are ill advised until we have a better idea of what we are dealing with.
          CobraA1
        • Limited User Account

          AMEN! Not really much of a problem, and provides greatly increased security. In Ubuntu Linux, all users are the equivalent of an LUA.
          Jack Fuller
          • What this is... and isn't

            That wouldn't matter at all. From what I've heard, the hijacker will not get passwords or files from your machine, and he will not control your machine.

            But instead he will force your browser to go to the links he wants when you click on one.
            Let's say you're at the google.com webpage. Under normal functioning, you click the "search" button and it will lead to the results page.
            If you're clickjacked, when you click that same button, you'll go to the link the hijacker wants, instead.

            Or, at least, it's what I've understood of the article.
            brunommateus9
          • The problem is

            You have to already be at the hijackers site.
            If you leave it, and go to Google.com yourself
            instead, problem solved.
            AzuMao
    • Text or graphic?

      I don't see your point relative to this article.
      As it's put, you don't even need to have any visible content for this exploit to work. You could have text only links, and those can be shown as a single space at 0.1 point size...
      The crook only needs to have you navigate to his malicious site, or one that has been compromised, and the exploit will be triggered without any input on your part, even after you have left that site by whatever means, even using the browser back button, short of terminating your browser AND severing your internet connection. (PULL the plug!)
      He can make you download, and install, anything, and force you to click any accept he wants, without you ever seeing anything at all.
      Kualinar
  • in the wild?

    "Zero-day" means that the exploit was being used in the wild before a patch was released by vendors to fix it. Yet the only people mentioned by the article as knowing the details of the vulnerability are the researchers and the vendors they revealed it to. So, has this exploit been found in the wild or not? Is it an actual threat or just a theoretical one?
    lars_huttar
    • In the wild, not yet... maybe

      There is a proof of concept by some researchers.
      There are 1000's of criminals out there searching everywhere, full time, to find something such as this.
      So, as soon as something is found to NOT be impossible, the question is not:
      Will there be an exploit on that flaw?
      No, the question is:
      WHEN?
      Kualinar
  • Sounds like more fear mongering...

    just what we need too. More fear to keep you in a state of frenzied panic. Makes it easier to control you when you are scared and there are threats all around. ]:)
    Linux User 147560
    • I agree

      Many of the security experts are quickly sounding like the snake-oil salesmen of the past.

      Are they seriously suggesting that 'everyone' switch to a command line browser?!?!
      mikefarinha
      • Lynx

        My OS is Linux and I am not going to start using Lynx anytime soon. That's like one step forward and ten steps back, I've used lynx in the past, it's ok for browsing when you don't have a gui but what is the point? Just surf with a bit of discretion, much better.
        ethyrdude
    • They always leave out the affected OS

      How vulnerable is FireFox with NoScript running on Linux? I'll be really worried when someone can redirect that combo.
      Chad_z
      • If you would RTFA

        If you would RTFA you would have read this portion:
        [i]The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It's a fundamental flaw with the way your browser works and cannot be fixed with a simple patch.[/i]
        mikefarinha
        • @mikefarinha

          You may know what you are talking about, it does much more than just block JS - iframes too.


          May I quote:

          # Jeremiah Grossman Says:
          September 17th, 2008 at 9:58 pm

          You know, that must be one of the most reasonable and level headed statements I've ever heard uttered surrounding the ever present FD debate. Very well said. NoScript would prevent most of the really bad clickjacking PoC, not 100%, which should be good enough to limit most risk.

          http://ha.ckers.org/blog/20080915/clickjacking/

          Obviously you are an MS/IE Fanboy who does not do their homework
          Alan Smithie
        • Chad_z has a point.

          A browser problem is a browser problem, etc.

          It becomes important when it attacks your OS and takes
          "Complete Control"

          I don't put my money on MS & IE in that department.
          Joe.Smetona
          • If you read closer...

            ... you'd see the part about using flash to open notepad, meaning they could cause your browser to open any program they wanted, of which, one could be a trojan, worm, or virus of some kind picked up off your hijacked website, or even just some program that looks legit to your pc that takes control of a single system that would give them full access to your entire pc.

            I hope this is fixed before some dipsh*t living in mommy's basement with no life figures out and starts using the exploit.
            _DC_
          • OS not same as browser

            What I think some are trying to point out is that different operating systems (OS) have different security measures behind them. Whether they work, or how, can vary. For example, my sister's computer picked up a virus that used a trick (I looked up the virus online after it was identified in a scan of the affected disk) to write to the registry and thus give itself more and more privileges in a series of steps. By the end, her computer was hijacked in essence. Although this virus is supposedly cleaned off her system, I can only wonder just how far her computer was, or remains, compromised. This was done to a Windows PC. While I use Windows plenty, I am also familiar with Linux and this shouldn't happen as easily because security and privileges are handled differently for the OS. Note: I said, shouldn't happen. Anyway, what I think some of these people are trying to say is that although someone might click-jack their internet browsing, they shouldn't be able to gain control of their PC through this. The browser should hit the limit of its privileges before this happens. Whether this is true or not.... I do not have the expertise to say for sure. I just know from what little experience I have that to even update my version of Linux from a known safe source, the update program(s) need to be granted sufficient privileges (such as my entering the password).
            dedrizen
          • OS Irrelevant for This Exploit

            That is clearly what the article is trying to imply. The article doesn't say it that explicitly, but that is probably because they are trying to be safe with what information they give out; they don't want to give any information that would help someone figure out how to do this.

            Different security measures in different OSs really could have nothing to do with it. After all: they named the exploit 'clickjack' for a reason: it does the equivalent of a user click on a link, which does NOT involve the OS.

            If this is really so (and the article really does imply this), then no matter how strong your OS protection is, it cannot prevent the exploit. It can only limit the damage. But the hacker can still do a lot of damage by making you click on something you did not want, a 'link' you can't even see.
            mejohnsn