Flaw exposes Chrome, Firefox to clickjacking
Google has acknowledged the flaw and is working towards a patch for Chrome versions 1.0.154.43 and earlier when running within Windows XP SP2 systems, according to SecNiche security researcher Aditya K Sood.
Sood disclosed the flaw on January 27 and has since posted a proof of concept on the Bugtraq vulnerability-disclosure forum. "Attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page," Sood said within the disclosure.
While Google is working on a fix, a spokesperson for the Australian arm of the company pointed out that clickjacking affected all browsers, not just Chrome.
"The [clickjacking] issue is tied to the way the web and web pages were designed to work, and there is no simple fix for any particular browser. We are working with other stakeholders to come up with a standardized long-term mitigation approach," they said.
However, chief executive of Australian security consultancy Novologica, Nishad Herath, told ZDNet.com.au that after running Sood's proof of concept he found that Internet Explorer 8 (release candidate 1 and beta 2 versions) and Opera 9.63 (the latest version) were not exposed to the flaw. But, like Chrome, Firefox 3.0.5 was exposed.
Google's security researchers had not found any attacks in the wild that exploited the specific vulnerability, said Google's spokesperson.
Clickjacking is a relatively new type of browser attack. It broadly fits within the category of cross-site request forgery, where an attacker uses maliciously crafted HTML or JavaScript code to force a victim's web browser to send an HTTP request to a website of their choosing.
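The mitigation Google's spokesperson alludes to below took the form of response headers that tell the browser whether a page may be framed at all: X-Frame-Options (first shipped in IE8) and, later, the CSP frame-ancestors directive. The following checker is an added example, not code from the ZDNet article, Sood's disclosure or any commenter; it assumes a plain object of lower-cased header names as Node's http module provides, and the sample responses are constructed for illustration.

```javascript
// Added example: assess whether a page's HTTP response headers stop it from
// being embedded in a cross-origin iframe, which is the precondition for
// clickjacking. Header names are assumed lower-cased (Node http style).

// Return the frame-ancestors source list from a CSP value, or null if absent.
function parseFrameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0] && parts[0].toLowerCase() === 'frame-ancestors') {
      // Strip the quotes around keyword sources such as 'self' and 'none'.
      return parts.slice(1).map(s => s.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// CSP frame-ancestors takes precedence over X-Frame-Options when both are sent.
function assessClickjackingProtection(headers) {
  const result = { protected: false, mechanism: null, notes: [] };

  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseFrameAncestors(csp);
    if (ancestors) {
      result.mechanism = 'csp-frame-ancestors';
      if (ancestors.includes('*')) {
        result.notes.push('frame-ancestors allows any origin to frame the page');
      } else if (ancestors.length === 1 && (ancestors[0] === 'none' || ancestors[0] === 'self')) {
        result.protected = true;
      } else {
        // An explicit allow-list is a policy decision; record it for review.
        result.protected = true;
        result.notes.push('framing permitted for: ' + ancestors.join(' '));
      }
      return result;
    }
  }

  const xfo = headers['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    result.mechanism = 'x-frame-options';
    if (value === 'DENY' || value === 'SAMEORIGIN') {
      result.protected = true;
    } else if (value.startsWith('ALLOW-FROM')) {
      result.notes.push('ALLOW-FROM is not honoured by current browsers; use CSP frame-ancestors');
    } else {
      result.notes.push('unrecognised X-Frame-Options value: ' + xfo);
    }
    return result;
  }

  result.notes.push('no framing restriction header; page can be embedded in a cross-origin iframe');
  return result;
}

// Constructed sample responses (not captured from any real site).
const sampleResponses = {
  unprotected: { 'content-type': 'text/html' },
  legacy: { 'x-frame-options': 'SAMEORIGIN' },
  modern: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  open: { 'content-security-policy': 'frame-ancestors *' },
  mixed: { 'content-security-policy': "default-src 'self'", 'x-frame-options': 'DENY' },
};

for (const [name, headers] of Object.entries(sampleResponses)) {
  const verdict = assessClickjackingProtection(headers);
  console.log(name, verdict.protected ? 'protected' : 'NOT protected', verdict.mechanism || '', verdict.notes.join('; '));
}
```

The check is deliberately conservative: a frame-ancestors allow-list is reported as protected but annotated, because whether those origins should be trusted is a decision for the site owner, not the scanner.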
"Clickjacking means that any interaction you have with a website you're on, for example like clicking on a link, may not do what you expect it to do," said Herath.
"You may click on a link that looks like it's pointing to a picture on Flickr, but in reality, it might first direct you to a drive-by-download server that serves malware. These types of attacks can be used to make you interact with web services you're already logged on to in ways that you would never want to, without you even knowing that it has happened."
Credit: Chrome, Firefox get clickjacked was originally published on ZDNet Australia.
It is about time IE hasn't been caught with its pants down.
Who the hell's running IE8 as opposed to IE6? Your response means nothing.
Apply some semantics, throw in some mis-direction and he keeps a smile on Steve Monkey Boy's face, as he dances! :P
1. Firewall
2. Patch
3. Don't run as Admin all the time
It's that simple.
You need additional security tools now. You need at LEAST an anti-spyware utility in addition to your anti-virus, AND for true security, NoScript under Firefox.
As for anti-virus software, you really don't need an active virus scanner if you have good habits. I surf all the places I like with IE in Vista and have never been attacked. I do run passive scans weekly to make sure I'm ok. Anti-spyware tools are good to have actively running.
So why do all these people suggest turning off js? Do they not use the web much?
PS: "IE does the same thing"
No it doesn't. You can disable Javascript for selected sites, or disable it completely and add exceptions. I don't recall if it gives you the option of blocking XSS, which is where the risk really lies.
That's not the same as what NoScript does. You have to use it to get an idea of how much better it is than the IE way. In addition, NoScript also blocks flash, XSS and iFrames, thus effectively almost eliminating the risk of clickjacking. It is possible to get infected with NoScript, if you disable it or allow untrusted sites to run Javascript. Again, clueless users= biggest malware risk.
After all: in its default configuration, it certainly is secure, but it gives little or no guidance for deciding which sites to allow. And since risky technologies like Javascript and Flash are overused and misused by web authors, the poor user is confronted with the responsibility for the decision, but deprived of the information needed to make it.
That is why I say: it is not "clueless users" who are the problem, it is clueless or irresponsible web authors who are the problem.
I'd have to say it's a combination of both clueless users and clueless web authors/admins that likely cause 90% of the problems...
As a slightly OT aside.. WTF happened to ZDNet's log in mechanism today?
Of course there is debate on how effective it will be.
Also, if you turn off scripting altogether, how can a cross site scripting attack do anything?
And a great IE add on IEPro blocks ads and Flash among a lot of other things: http://www.ie7pro.com/
And there's this:
I use FF 3.1 B3pre (a "test" version of the upcoming Firefox 3.1), and I do have NoScript, but NoScript didn't interfere, because the "hidden" page was totally unhidden, and shown in a completely separate tab.
With absolutely NO THANKS to the article, which didn't give us Sood's "demo" URL or the securityfocus announcement post link, I tracked it down. Here:
http://www.secniche.org/gcr_clkj/
As a more competent security researcher already posted in reply at securityfocus.com, the "div" which opens the URL via everyday javascript consists of code which is ENTIRELY in the original page. This is *not* XSS!
There's many, many XSS vulnerabilities, both known and yet to be discovered/isolated, in "modern" browsers with script capabilities. But this isn't one of them. Sood seems to be screaming about the fact that javascript was able to open a page from a different site via
onmouseover="document.location='http://www.xssed.com'....
His page attempts to use a style to hide the page, but in FF 3.1 this doesn't work (the attempted style is NOT within the DOM of the foreign page, and xssed.com is loaded in full size in a tab all by itself).
In short, he's whining about an everyday javascript statement. If he thinks that he can create a "demo" page which actually misleads a FF 3.1 into submitting something private via XSS, I'd sure like to see it! Otherwise, heck, just disable javascript and SHUT UP.
It's so, so typical of some for-profit "security consultancy" to hype, hype the fact that unreleased IE8 doesn't "have the problem", and to even run the test with TWO pre-release versions. (And yet he didn't bother to test FF3.1, or if he did, somehow didn't bother mentioning that it's invulnerable.) Sure smells like M$ Advertising and "Most-Valuable-Partner" were all over the hyping of this non-XSS so-called "XSS Vulnerability".
Just look at the source code of the demo page: there's no XSS, the "scripting" is 100% within the parent page.