Clickjacking details released after attack proof-of-concept emerges

Security researchers released details of the clickjacking attacks, warning of the seriousness of the problem because they have discovered multiple variants on the Web.

The details of the so-called clickjacking attacks have been released, and it turns out the class of problems affects a wide range of software, including Adobe Flash, Internet Explorer 8 and Firefox.

"It's not a simple patch. It's probably a re-architecting of the browser security model. ... It's something that affects everyone."
Jeremiah Grossman, Chief Technology Officer, White Hat Security Inc.

The attacks, which were first disclosed late last month, enable attackers to employ a number of methods to trick users into clicking on malicious links, including overlaying entire pages, using malicious iFrames and even turning off the security protections in Flash entirely. The vendors whose products are affected by the attacks are at various points in the remediation process, but the researchers who discovered the attacks released the details Tuesday night after a proof-of-concept of one of the attacks hit the Web.

Robert Hansen, an application security researcher who discovered the attacks along with Jeremiah Grossman, chief technology officer of WhiteHat Security Inc., wrote in a blog post detailing the clickjacking attacks that there are a number of different ways to accomplish clickjacking, and not all of the methods rely on JavaScript or cross-site request forgery (CSRF).

"First of all let me start by saying there are multiple variants of clickjacking. Some of it requires cross domain access, some doesn't. Some overlays entire pages over a page, some uses iframes to get you to click on one spot," Hansen wrote. "Some requires JavaScript, some doesn't. Some variants use CSRF to pre-load data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them."

The basic idea behind clickjacking is that it allows attackers to force Web users to click on a malicious link when they think they're clicking on something completely benign. For example, in one of the scenarios that Hansen and Grossman described, an attacker could construct a malicious Web page designed to install a rootkit or other malware on a user's PC and then overlay that entire page with a harmless-looking page, say one that has a Flash-based game on it. As the user clicks on the various links and buttons on the page, he is in fact clicking on hidden links controlled by the attacker.

Hansen and Grossman also discovered ways in which the attacks can be used to silently take control of a webcam or microphone installed on a victim's machine.

Many of the issues that the researchers identified involve the use of Flash. There are separate problems with Flash in Firefox on Mac OS X and Flash in a beta version of IE 8. Adobe is in the process of addressing the Flash vulnerabilities in its upcoming release of Flash 10, Hansen wrote in his post, and Mozilla already fixed a problem with its NoScript plug-in in the latest releases of the add-on.

In an interview about the attacks before the details were released, Grossman said that although the kinds of methods they used were known previously, their potential had been discounted.

"This issue has been long known. The Web security community knows about it," Grossman said. "But it has been for the most part underestimated as far as its potential impact. The browser vendors know what the problem is. But they don't know how or if they're going to address it. It's not a simple patch. It's probably a re-architecting of the browser security model. It's not just an Adobe bug. It's something that affects everyone."
