Click Jacking – The new threat on the web?


I was listening to a recent episode of Security Now where the guys were talking about Click Jacking. It’s a relatively new threat to emerge, and since it’s browser based it’s completely OS and browser independent – in fact it even goes as far as affecting Flash (although the latest Flash update has blocked that attack from occurring).

It’s a remarkably simple exploit. In simple terms, a combination of CSS and iframes is used to place a ‘layer’ over a legitimate site, so when you think you’re clicking on a button you’re actually clicking on something on this ‘layer’. Before Flash was patched the threat even allowed a website to enable your webcam by ‘popping under’ the ‘Do you wish to give Flash access to your webcam’ dialog.

The threat gets even worse by playing on what we all do when we browse the internet: the old ‘remember me’ tick box, or ‘Do you want Firefox to remember your password’. Because the attack runs in your browser, any site you’re logged into could be loaded ‘invisibly’ – eg Facebook, eBay, MySpace etc (which all have buttons in well known positions) – and then a new layer of fake buttons loaded onto the page. There’s an example of such an exploit here: www.snipurl.com/clickjack (it’s safe to visit). It uses MySpace to demonstrate the threat, but it does so extremely clearly.

So what can you do about it? Well, if you’re using IE, Safari or Chrome (as of the time of writing) then there’s not actually a lot you can do except being vigilant about the sites you’re accessing and not using persistent login sessions to websites. If you’re a Firefox user then you’re in luck, because the recently updated NoScript plugin is able to blanket protect you (even if you have script enabled – cos the web just ain’t the same with script disabled), and remember this isn’t a JavaScript exploit! Once installed, go into the options for NoScript and enable the ‘Forbid <IFRAME>’ option (and probably enable JS, Flash and Silverlight whilst you’re there).

One Response to “Click Jacking – The new threat on the web?”

  1. John Gag Says:

    Pretty interesting stuff
