/>
X
Business
Home Business Enterprise Software

Firefox + NoScript vs Clickjacking

In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:Hi Ryan,I've seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].
Written by Ryan Naraine, Contributor on
Firefox + NoScript vs Clickjacking
In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:

Hi Ryan,

I've seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].

I had access to detailed information about how this attack works and I can tell you the following:

  1. It's really scary
  2. NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) -- see this comment by Jeremiah Grossman himself.
  3. For 100% protection by NoScript, you need to check the "Plugins|Forbid <IFRAME>" option.

Cheers, Giorgio

I also received private confirmation from a high-level source at an affected vendor about the true severity of this issue.  In a nutshell, I was told that it's indeed "very, freaking scary" and "near impossible" to fix properly.

Tod Beardsley from BreakingPoint has posted a few proof-of-concept exploits with speculation around clickjacking.

Editorial standards
Show Comments

Related

Apple's latest bug fixes for the iPhone and iPad

Apple issues emergency security updates for iPhone, iPad, and Apple Watch

Microsoft front of building in NYC

Everything Microsoft unveiled at its Surface and AI event this week

jellybeans-gettyimages-1225112436

How to better organize text messages on your iPhone, thanks to iOS 17