Browser attack technique poses serious threat |
 |
By Dennis Fisher, Executive Editor
25 Sep 2008 | SearchSecurity.com |
|
|
A pair of application-security experts have found that a known browser attack technique has more far-reaching implications than previously thought, and say that attackers using the technique can force users to click on essentially any content they choose.
|
|
|
|
|
This issue has been long known. The Web security community knows about it ... But it has been for the most part underestimated as far as its potential impact.
Jeremiah Grossman,
chief technology officer, WhiteHat Security Inc.
|
|
|
|
|
|
|
|
|
|
"We can do this with any button on any page anywhere," said Jeremiah Grossman, chief technology officer of WhiteHat Security Inc., who, along with Robert Hansen, identified the serious implications of the technique recently. The pair had planned to deliver a talk on their findings at the Open Web Application Security Project (OWASP) conference in New York this week, but voluntarily canceled the presentation after showing their research to officials at Adobe Systems Inc., who became very concerned about the effect the attack could have on Adobe's customers.
The problem behind the technique, which Grossman and Hansen dubbed clickjacking, has been known for some time in the Web application security community. It is not a JavaScript issue, but instead involves the way in which browsers themselves function. The technique enables the attacker to dictate what links a user clicks on. However, the researchers found that the problems behind the attack are more widespread than security experts thought. Grossman and Hansen have been working with Adobe on the issue and also have spoken with Microsoft and Mozilla about how the attack affects browsers. But, there appears to be a general consensus that there is no easy fix.
"This issue has been long known. The Web security community knows about it," Grossman said. "But it has been for the most part underestimated as far as its potential impact. The browser vendors know what the problem is. But they don't know how or if they're going to address it. It's not a simple patch. It's probably a re-architecting of the browser security model. It's not just an Adobe bug. It's something that affects everyone."
Grossman said that he and Hansen, an independent security researcher, hope to release the details of their attack along with proof-of-concept code sometime soon, once Adobe has time to address the issue in its software. Grossman would not say which Adobe application the issue affects.
Although they decided not to deliver their original talk at OWASP this week, Grossman and Hansen gave a stripped-down version of the speech instead, omitting many of the details they had planned to include while still trying to get across the seriousness of the issue.
"The audience got the idea that this is bad, but we didn't talk about the specifics," Grossman said. "That will come later. The vendors thought they needed more time."
For the time being, the researchers suggested that concerned users start using Lynx, a text-only browser.
|
|
|
|
