Researchers reveal 'clickjacking' attack info

The long list of vulnerabilities involves browsers, Web sites and plug-ins like Flash.

The security researchers who two weeks ago warned of new "clickjacking" vulnerabilities in browsers, Web sites and popular plug-ins, revealed a dozen variants of the bug Tuesday.

And that's just for starters, said Robert Hansen, founder and CEO of SecTheory. "The list doesn't cover all the other kinds of plug-ins that are vulnerable, or all the browsers or all the Web sites," Hansen said in an interview Wednesday. "The list got so long so fast that it was impossible to keep track of all the sub-issues."

On Tuesday, Hansen disclosed more information about "clickjacking," the new class of vulnerabilities that he and fellow researcher Jeremiah Grossman, the chief technology officer at WhiteHat Security, first mentioned during a semi-closed presentation at a New York security conference on Sept. 24. Hansen and Grossman had originally intended to present the bulk of their findings then, but agreed to withhold most of the information at the request of Adobe, which said it would quickly patch its software against clickjacking attack.

Early Tuesday, however, Israeli researcher Guy Aharonovsky posted a proof-of-concept demonstration that uses clickjacking tactics to invisibly reset Adobe System Inc.'s Flash privacy settings, and secretly turn on the computer's webcam and microphone for remote spying.

With the cat out of the bag, Adobe gave Hansen and Grossman the go-ahead to get specific about their findings. Hansen then posted a list of 12 different clickjacking scenarios on his blog.

"There are multiple variants of clickjacking," Hansen said in the post. "Some require cross domain access, some don't. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF to pre-load data in forms, some don't."

Of the dozen he spelled out, only two have been resolved. Adobe has not, for example, patched Flash against one of the clickjacking vulnerabilities Hansen and Grossman reported to the company. Adobe issued a security advisory Tuesday, however, with instructions on how to secure Flash against webcam and microphone hijacking in lieu of a patch.

"[Aharonovsky's] proof-of-concept was just a demonstration, but clickjacking can do all kinds of things," Hansen said Wednesday. "If you think about the traditional Web applications that have a 'Confirm' button or an 'Add a friend' button or any kind of single-button click, they're all going to be more vulnerable now."

But he also said there's no reason to panic; clickjacking wouldn't make the Internet a much more dangerous place in the short term. "If we assume that the majority of Web applications are vulnerable to some exploit, and they are, then clickjacking is making things worse, but it's already so bad that it doesn't really matter," Hansen said.

"We made it very clear that we didn't feel that this was the end of the Earth," he continued. "However, that doesn't lessen the ultimate severity of problems like monitoring people remotely with webcams or getting people to transfer money from their bank accounts."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags clickjacking

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?