Chrome, Firefox get clickjacked


TOPICS: Google, Browser

Security researchers have discovered a flaw affecting Google's Chrome browser which exposes it to clickjacking — where an attacker hijacks a browser's functions by substituting a legitimate link with one of the attacker's choice.



Google has acknowledged the flaw and is working towards a patch for Chrome versions and earlier when running within Windows XP SP2 systems, according to SecNiche security researcher Aditya K Sood.

Sood disclosed the flaw on 27 January and has since posted a proof of concept on the Bugtraq vulnerability disclosure forum.

"Attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page," Sood said within the disclosure.

While Google is working on a fix, a spokesperson for the Australian arm of the company pointed out that clickjacking affected all browsers, not just Chrome.

"The [clickjacking] issue is tied to the way the web and web pages were designed to work, and there is no simple fix for any particular browser. We are working with other stakeholders to come up with a standardised long-term mitigation approach," they said.

However, independent security researcher, CEO of Australian security consultancy Novologica, Nishad Herath, told that after running Sood's proof of concept he found that Internet Explorer 8 (release candidate 1 and beta 2 versions) and Opera 9.63 (the latest version) were not exposed to the flaw. But, like Chrome, Firefox 3.0.5 was exposed.

Google's security researchers had not found any attacks in the wild which exploited the specific vulnerability, said Google's spokesperson.

Clickjacking is a relatively new browser attack which security researchers Robert Hansen and Jeremiah Grossman gave a talk on late last year at the Open Web Application Security Project (OWASP) security conference in New York. The attack broadly fits within the category of cross-site scripting forgery, where an attacker uses maliciously crafted HTML or JavaScript code to force a victim's web browser to send an HTTP request to a website of their choosing.

"Clickjacking means that any interaction you have with a website you're on, for example like clicking on a link, may not do what you expect it to do," explained Herath.

"You may click on a link that looks like it's pointing to a picture on Flickr, but in reality, it might first direct you to a drive-by-download server that serves malware. These types of attacks can be used to make you interact with web services you're already logged onto in ways that you would never want to, without you even knowing that it has happened."


Liam Tung
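
The scenario Herath describes, being made to act on a web service you are already logged in to, classically works by loading that service's page inside a frame on another site. The following is an added example, not part of the article and not code from anyone named in it: a check a site operator can run over its own response headers to see whether a page may be framed. The `X-Frame-Options` header and the CSP `frame-ancestors` directive are real but are not mentioned in the article; the function names and the sample input are constructed for illustration.

```javascript
// Added example, not from the article. Input: response headers with lower-cased
// names, each mapped to an array of values (a header may be sent more than once).
const RANK = ['blocked', 'same-origin', 'allowlist', 'open']; // strictest first

// Source lists of the frame-ancestors directive, one entry per CSP policy.
function frameAncestorLists(cspValues) {
  const lists = [];
  for (const policy of cspValues.flatMap(v => v.split(','))) {
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().toLowerCase().split(/\s+/);
      if (name === 'frame-ancestors') { lists.push(sources); break; } // first wins
    }
  }
  return lists;
}

function classifySources(sources) {
  const rest = sources.filter(s => s !== "'none'"); // 'none' never matches an origin
  if (rest.length === 0) return 'blocked';           // empty list or only 'none'
  // "*", a bare scheme such as "https:", or "https://*" admit any embedding site.
  if (rest.some(s => /^(\*|[a-z][a-z0-9+.-]*:(\/\/\*)?)$/.test(s))) return 'open';
  return rest.every(s => s === "'self'") ? 'same-origin' : 'allowlist';
}

function xfoVerdict(xfoValues) {
  const set = new Set(xfoValues.flatMap(v => v.split(','))
    .map(s => s.trim().toLowerCase()).filter(Boolean));
  const known = ['deny', 'sameorigin', 'allowall'].some(v => set.has(v));
  if (set.size > 1 && known) return 'blocked'; // conflicting values fail closed
  if (set.has('deny')) return 'blocked';
  if (set.has('sameorigin')) return 'same-origin';
  return 'unprotected'; // header missing, ALLOWALL, or the obsolete ALLOW-FROM
}

function framingVerdict(headers) {
  const lists = frameAncestorLists(headers['content-security-policy'] || []);
  // frame-ancestors takes precedence over X-Frame-Options when both are sent.
  if (lists.length === 0) return xfoVerdict(headers['x-frame-options'] || []);
  // With several policies every one must pass, so the strictest bounds the result.
  return RANK[Math.min(...lists.map(l => RANK.indexOf(classifySources(l))))];
}

// Constructed sample: a login page that sends both headers.
const SAMPLE = { 'content-security-policy': ["default-src 'self'; frame-ancestors 'self'"],
                 'x-frame-options': ['DENY'] };
console.log(framingVerdict(SAMPLE));
```

A verdict of `unprotected` or `open` on a page that performs authenticated actions means any other site can embed it.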

  • NoScript

    The NoScript plugin for Firefox protects from clickjacking. See

  • Where are the Firefox fanboys now??

    All hiding behind their super dooper secure browsers ay. Serves them right for believing in blogosphere hogwash just for the sake of looking cool among their peers.

    Suck eggs boys and girls. How good is your browser now?
  • I'm here,,,we are here

    Don't see the point of the comment. Are you paid by Microsoft to post dim comments? All software has issues (recent IE zero day flaw for instance - a bit more damaging than this). The fact that I have a choice is fine by me. IE should be unbundled from the OS (I back the Europeans).
  • Only a Windows issue...

    Of course this only occurs on the malware magnet known as MS Windows.

    I already know that there are malware laden bootleg copies of OSX apps in the wild, but that's what a script kiddie has to do to break the OSX security.

    Of course I use GNU/Linux at home, so I know I'm protected.
  • So humorous

    So, you're basically saying that Firefox is a bad browser because of a clickjacking bug? Get with the times mate. The reason most people like Firefox is because it's secure (clickjacking can hardly read your banking passwords now can it?) and of course it is a web standards compliant browser, which us web developers love. I don't see IE embracing web standards, and the "compatibility" mode in IE8 just introduces another non-standard tag for the sake of IE.

    Wake up mate, and sorry to steal your candy!
  • Right here

    We're smugly using the NoScript add on, which offers a level of protection.

    But thanks for your concern.
  • I'll save my eggs

    to throw back in your face when the FF community fixes the flaw within a few days, as opposed to the few months it usually takes to fix similar problems with IE.

    So back under your bridge, troll!
  • NoScript... a very good, constantly updated plug-in. Like a good firewall, it throws up a lot of "Allow/Disallow" messages, but considering the current situation with click-jacking, I consider it worth the minor annoyance. Firefox users should definitely install NoScript.
  • Uncle Steve

    Pretty darn good actually! As Anon stated noscript is working fine and so is adblock and firebug for that matter. Thanks for asking :)
    How's that ActiveX thing working out for you by the way?
    Oh... did I just feed a troll? Oh well I guess we all have to eat.
  • FF Fanboy

    The NoScript extension makes FF secure from clickjacking and other scripting nasties.
  • nono

    haha very nice
  • x0x

    Only funny, this job is funny for me :)

    This my exploit ;

    My Home is
    my Personal Page is