ClickJacking has recently been getting lots of media attention. Security Researchers Robert Hansen (”RSnake”) and Jeremiah Grossman planned to give a talk outlining this vulnerability at OWASP AppSec, but the talk was cancelled. At this point, some details have come to light. The specifics of the attack may vary. Some variants require JavaScript, Flash, cross-domain access, IFRAMEs, overlays, or a combination of these.

The attack starts with a malicious web page that may have some unintended consequences. Objects embedded in the page may capture mouse clicks and direct them to a hidden target. Hijacked clicks from users may be used in many ways, including deleting mail, advertisement click fraud, or other, more sinister actions. A demo page demonstrating one possible variation (reads images from a webcam without knowledge of the user) can be seen at the following URL:

http://guya.net/security/clickjacking/game.html

Unfortunately, there is no quick and easy fix. Firefox users using the NoScript plugin will thwart the majority of these attacks (make sure you are using version 1.8.1.9 or later!). We will continue to monitor this vulnerability and provide an update when more information is available.

This entry was posted on Friday, October 10th, 2008 at 10:32 pm.

Share This Link with Others| ClickJacking Attacks SlashDot | del.ico.us | Digg it | Technorati | Reddit |

Other SecureWorks Blog Categories: Events (1) General (27) Links (7) Phishing (3) Research (90) Spam (1) Trojans (5)