Zero Day

Ryan Naraine and Dancho Danchev

Clickjacking: Researchers raise alert for scary new cross-browser exploit

By | September 25, 2008, 7:50am PDT

Summary: [ UPDATE: See e-mail from NoScript creator Giorgio Maone on a possible mitigation ] Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at [...]

Robert (RSnake) Hansen

[ UPDATE: See e-mail from NoScript creator Giorgio Maone on a possible mitigation ]

Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready.

The two researchers behind the discovery — Robert Hansen (left) and Jeremiah Grossman — have released droplets of information to highlight the severity of this issue.

So, what exactly is Clickjacking?

Clickjacking details emerge

According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:

  • In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits.  The problem affects all of the different browsers except something like lynx.  The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.  It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch.  With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

[ SEE: Adobe Flash ads launching clipboard hijack attack ]

If that’s not scary enough, consider that the average end user would have no idea what’s going on during a Clickjack attack.

  • eBay, for example, would be vulnerable to this since you could embed JavaScript into the web page, although JavaScript is not required to exploit this. “It makes it easier in many ways, but you do not need it.” Use lynx to protect yourself and don’t do dynamic anything. You can “sort of” fill out forms and things like that. The exploit requires DHTML. Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page. Each click by the user equals a clickjacking click so something like a flash game is perfect bait.
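The framebusting point above is the one defenders can act on: cross-domain clickjacking needs the victim page to be loadable inside a frame on the attacker's origin, so the check is whether a site's responses refuse framing. The following added example (not code from the ZDNet post or from Hansen and Grossman) evaluates a page's response headers against a would-be framing origin. It goes beyond the 2008 article in that it uses the two header-based controls that browsers later standardized, X-Frame-Options and the Content-Security-Policy frame-ancestors directive, rather than JavaScript framebusting. It assumes Node.js; the response headers and origins are constructed samples, and the source matching is a simplified model of the CSP rules (scheme, host and leading wildcard only, no path or port handling).

```javascript
// Added example: decide whether a response's headers let `framerOrigin` embed the
// page served from `pageOrigin` in a frame, the precondition for cross-domain clickjacking.
// Constructed sample headers; this is not the original article's code.

// Pull the source list out of a CSP header's frame-ancestors directive (null if absent).
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

const ORIGIN_RE = /^([a-z][a-z0-9+.-]*):\/\/(.+)$/;

// Simplified CSP source matching: 'none', 'self', '*', scheme-only, and host sources
// with an optional scheme and a leading "*." wildcard.
function sourceMatches(source, framerOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framerOrigin === pageOrigin;
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framerOrigin.startsWith(s + '//');

  let scheme = null;
  let host = s;
  const m = s.match(ORIGIN_RE);
  if (m) { scheme = m[1]; host = m[2]; }

  const fm = framerOrigin.match(ORIGIN_RE);
  if (!fm) return false;
  if (scheme && scheme !== fm[1]) return false;
  const framerHost = fm[2];
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // ".partner.example"
    return framerHost.endsWith(suffix) && framerHost.length > suffix.length;
  }
  return framerHost === host;
}

// true = the page can be framed by framerOrigin (exposed); false = framing is refused.
function canBeFramedBy(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // When both headers are present, browsers honour frame-ancestors and ignore X-Frame-Options.
  const csp = h['content-security-policy'];
  if (csp) {
    const sources = parseFrameAncestors(csp);
    if (sources) return sources.some((src) => sourceMatches(src, framerOrigin, pageOrigin));
  }

  const xfo = h['x-frame-options'];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return false;
    if (v === 'SAMEORIGIN') return framerOrigin === pageOrigin;
    // ALLOW-FROM and unrecognised values are ignored by current browsers: no protection.
    return true;
  }
  return true; // no framing policy at all
}

// Constructed sample responses: one with no policy, two with X-Frame-Options, one with CSP.
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'Content-Type': 'text/html', 'X-Frame-Options': 'DENY' },
  xfoSameOrigin: { 'Content-Type': 'text/html', 'X-Frame-Options': 'SAMEORIGIN' },
  cspSelfAndPartner: {
    'Content-Type': 'text/html',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  },
};

// Label each sample response as frameable or protected for a given framing origin.
function auditAll(responses, pageOrigin, framerOrigin) {
  const report = {};
  for (const [name, headers] of Object.entries(responses)) {
    report[name] = canBeFramedBy(headers, pageOrigin, framerOrigin) ? 'frameable' : 'protected';
  }
  return report;
}

console.log(auditAll(SAMPLE_RESPONSES, 'https://bank.example', 'https://evil.example'));
```

Run it with `node` to see which of the sample responses a hostile origin could frame; in practice you would feed it the headers captured from your own site's responses, and any "frameable" result on a page with authenticated actions is the gap that clickjacking exploits.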

According to Hansen, the threat scenario was discussed with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solution at the moment.

Grossman confirmed that the latest versions of Internet Explorer (including version 8) and Firefox 3 are affected.

  • In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn’t give people much technical detail to go on, but it’s the best we can do right now.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Talkback (most recent of 144)

  • Text or graphic
    Remember there used to be a link on web pages if you wanted text only or graphics.

    That should be put back in place.
    Monosdeja, 25th Sep 2008
  • my web sites...
    My websites are all text, maybe some text deco and some basic formatting that isn't graphical. It may not be "flash"y but it gets the job done. Plus, it's easily readable in elinks, lynx, or any browser for that matter. You just don't get the full effect where an image is placed like a logo or the gallery...

    I like to keep it simple ;)
    linuxoverwindows, 25th Sep 2008
  • I don't understand how the clicks can hurt you.
    Yes, if you are on eBay you could be forced to make a bid that you didn't actually intend. (That is, if you are logged on to your eBay account). But other than that, what is the danger? They are not going to get any passwords or personal information that way. And they could always trick you into clicking a malicious button anyway simply by labeling it "Next...".

    (BTW, I still don't understand why people don't make more use of Limited accounts. The only time I ever log on to my Administrator account is when I want to install a program. I've been running this way for years, and it has never caused me the slightest inconvenience).
    hummingfrog, 25th Sep 2008
  • Actually . . .
    "They are not going to get any passwords or personal information that way."

    Actually, if some of the hypotheses about how clickjacking might work are correct, it may be possible for some forms of it to detect keystrokes.

    Unfortunately, we do not have all of the details, so making rash statements about what it can and can't do is ill advised until we have a better idea of what we are dealing with.
    CobraA1, 25th Sep 2008
  • Limited User Account
    AMEN! Not really much of a problem, and provides greatly increased security. In Ubuntu Linux, all users are the equivalent of an LUA.
    Jack Fuller, 26th Sep 2008
  • What this is... and isn't
    That wouldn't matter at all. From what I've heard, the hijacker will not get passwords or files from your machine, and he will not control your machine.

    But instead he will force your browser to go to the links he wants when you click on one.
    Let's say you're at the google.com webpage. Under normal functioning, you click the "search" button and it will lead to the results page.
    If you're clickjacked, when you click that same button, you'll go to the link the hijacker wants, instead.

    Or, at least, that's what I've understood of the article.
    brunommateus@..., 29th Sep 2008
  • The problem is
    You have to already be at the hijacker's site. If you leave it, and go to Google.com yourself instead, problem solved.
    AzuMao, 29th Sep 2008
  • Text or graphic?
    I don't see your point relative to this article.
    As it's put, you don't even need to have any visible content for this exploit to work. You could have text-only links, and those can be shown as a single space at 0.1 point size...
    The crook only needs to have you navigate to his malicious site, or one that has been compromised, and the exploit will be triggered without any input on your part, even after you have left that site by whatever means, even using the browser's back button, short of terminating your browser AND severing your internet connection. (PULL the plug!)
    He can make you download, and install, anything, and force you to click any accept he wants, without you ever seeing anything at all.
    Kualinar, 25th Sep 2008
  • in the wild?
    "Zero-day" means that the exploit was being used in the wild before a patch was released by vendors to fix it. Yet the only people mentioned by the article as knowing the details of the vulnerability are the researchers and the vendors they revealed it to. So, has this exploit been found in the wild or not? Is it an actual threat or just a theoretical one?
    lars_huttar@..., 25th Sep 2008
  • In the wild, not yet... maybe
    There is a proof of concept by some researchers.
    There are 1000's of criminals out there searching everywhere, full time, to find something such as this.
    So, as soon as something is found to NOT be impossible, the question is not:
    Will there be an exploit on that flaw?
    No, the question is:
    WHEN?
    Kualinar, 25th Sep 2008
  • Sounds like more fear mongering...
    Just what we need too. More fear to keep you in a state of frenzied panic. Makes it easier to control you when you are scared and there are threats all around. >:)
    Linux User 147560, 25th Sep 2008
  • I agree
    Many of the security experts are quickly sounding like the snake-oil salesmen of the past.

    Are they seriously suggesting that 'everyone' switch to a command line browser?!?!
    mikefarinha, 25th Sep 2008
  • Lynx
    My OS is Linux and I am not going to start using Lynx anytime soon. That's like one step forward and ten steps back. I've used lynx in the past; it's OK for browsing when you don't have a GUI, but what is the point? Just surf with a bit of discretion, much better.
    ethyrdude, 26th Sep 2008
  • They always leave out the affected OS
    How vulnerable is Firefox with NoScript running on Linux? I'll be really worried when someone can redirect that combo.
    Chad_z, 25th Sep 2008
  • If you would RTFA
    If you would RTFA you would have read this portion:
    "The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It's a fundamental flaw with the way your browser works and cannot be fixed with a simple patch."
    mikefarinha, 25th Sep 2008