Researchers have begun publishing details of a new type of attack called 'clickjacking', which can lead users to malicious websites by tricking them into clicking on unseen elements in a web browser.
Jeremiah Grossman, chief technology officer of WhiteHat Security, and SecTheory chief executive Robert Hansen began publicly discussing their research into what they call clickjacking, following the public release of a proof-of-concept exploit by another researcher.
Clickjacking is a set of different techniques for disguising elements such as dialogue boxes and links, so that the user can be fooled into changing security settings or visiting malicious websites, Grossman and Hansen said.
While the concepts associated with clickjacking are not new, the two researchers said the specific vulnerabilities they discovered affect an unusually broad range of software, namely Adobe Flash Player along with widely used browsers such as Internet Explorer, Opera, Firefox and Safari.
Grossman and Hansen were scheduled to give a presentation on clickjacking at the Open Web Application Security Project (OWASP) NYC AppSec conference in New York in September, but cancelled the presentation to allow software makers to develop patches.
On Tuesday, however, security researcher Guy Aharonovsky released a clickjacking demonstration after reverse-engineering some of the security issues discovered by Grossman and Hansen.
This gave Grossman and Hansen the green light to begin discussing their discoveries, according to Hansen.
The discovery "essentially spilled the beans regarding several of the findings that were most concerning", Hansen wrote. "Thankfully, Adobe has been working on this since we let them know, so despite the careless disclosure, much of the work to mitigate this on their end is already complete."
Also on Tuesday, Adobe released a workaround addressing the specific vulnerabilities demonstrated by Aharonovsky. Adobe is preparing a patch that will address more of Grossman and Hansen's concerns.
In his blog post, Hansen detailed several variant vulnerabilities involving the way Flash Player interacts with web browsers, including problems with the Flash Player security settings manager and various techniques for making Flash Player elements opaque or covering them up with browser elements.
The specific problem detailed by Aharonovsky involves manipulation of Flash Player's Settings Manager and allows the player's security to be turned off. An attacker could use it, for instance, to gain control of a system's camera and microphone, Aharonovsky said.
Other types of clickjacking attacks could have more serious effects, such as cross-site request forgery (CSRF) or disguising malicious links, according to Hansen, who detailed eight separate clickjacking security issues on his blog.
Hansen said that an upcoming release of Flash Player will address most of his concerns, though some may require patches for affected browsers.
Grossman has said he will speak about clickjacking issues at the Hack in the Box conference in Kuala Lumpur, Malaysia, later this month.