/>
X
Business

Firefox + NoScript vs Clickjacking

In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:Hi Ryan,I've seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].
Written by Ryan Naraine, Contributor on
Firefox + NoScript vs Clickjacking
In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:

Hi Ryan,

I've seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].

I had access to detailed information about how this attack works and I can tell you the following:

  1. It's really scary
  2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) -- see this comment by Jeremiah Grossman himself.
  3. For 100% protection by NoScript, you need to check the "Plugins|Forbid <IFRAME>" option.

Cheers, Giorgio

I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue.  In a nutshell, I was told that it's indeed "very, freaking scary" and "near impossible" to fix properly.

Tod Beardsley from BreakingPoint has posted a few proof-of-concept exploits with speculation around clickjacking.

Editorial standards

Related

These are my 5 must-have devices for work travel now
ipad-mini-firewalla-purple-macbook-air

These are my 5 must-have devices for work travel now

What is ChatGPT and why does it matter? Here's what you need to know
chat bot

What is ChatGPT and why does it matter? Here's what you need to know

Stack Overflow temporarily bans answers from OpenAI's ChatGPT chatbot
Developers discussing something on a laptop

Stack Overflow temporarily bans answers from OpenAI's ChatGPT chatbot