Click here for Vacation Photos

ClickJacking

The premise of Clickjacking is that we know a lot about what JavaScript malware is capable of once a user comes in contact with an attacker-controlled webpage (or a page with their code on it), such as history stealing, intranet hacking, phishing with superbait, Web worms, browser exploits, and so on, but comparatively little about what can be done with a captured “click”.

A safe example is the Konami code on Google Reader… Disturbing that it technically has to log your keystrokes for this to work? I tried it, it’s all true. Go to Google Reader, do up up down down left right left right b a [enter], and it happens.
Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. What could they possibly do then? I bet I could re-engineer a floodlight tag and zombie the IP from my box… This approach could be further influenced by general browser attack techniques… With Clickjacking attackers can do quite a lot. Some things that could be pretty spooky. Things also performed, with a fair amount of ingenuity, quite easily. It can involve Adobe Flash Player to execute remote code for vulnerabilities. An attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions. Symantec has observed that this issue is being actively exploited in the wild. Some of these have been traced back to Chinese BlackHats…

Clickjacking in concept is a well-known issue, but severely under-appreciated and largely undefended, and some responsible hackers are hoping to begin changing that perception.
It leaves me feeling RickRolled!
The only fix so far is to disable browser scripting and plugins. I realize this doesn’t give people much technical detail to go on, but it’s the best I know right now.
Instead it will likely end up being a browser patch against every major browser. The idea of every webmaster in the world patching their own sites is simply unrealistic. Although I’m sure lots of people are going to run out and patch their sites rather than wait for the normal browser patch and release cycle for all browsers everywhere.

FlashBlock and GreaseMonkey don’t seem to prevent anything, and
NoScript is the best plug-in I know right now. Any thoughts?
When/if I have to use IE, I use the TurnFlash Off


