In association with heise online

08 October 2008, 14:55

Clickjacking: any click could be the fatal click

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

An apparently harmless click in a browser window is all it takes to allow criminals to access your computer. Flash developer Guy Aharonovsky has released a demo with which users can unknowingly change their Flash Player settings, allowing attackers to access their microphone and webcam. The demo exploits weaknesses in current browser versions and Adobe’s Flash Player Settings Manager.

In order to get users to click on specific settings, it passes itself off as a JavaScript game in which users have to click on an object. By changing the z-index, it moves the Flash Player Settings Manager, which has been opened in an IFrame, to the foreground and the main window to the background. The IFrame remains, however, invisible, so that the user does not realise that he is actually clicking on the Flash Player settings window.

Adobe has meantime revised the "Flash Player Settings Manager" web site, so that Aharonovsky’s demo no longer works. A YouTube video, however, illustrates the problem. According to Aharonovsky, disabling JavaScript does not remedy the problem, since the attack can also be implemented in Flash, Java, Silverlight or DHTML.

This attack, known as 'clickjacking' or 'UI redressing', represents just one example of a much larger problem. Back in mid-September, security specialists Jeremiah Grossmann and Robert "RSnake" Hansen hinted that a whole range of browsers and web sites were vulnerable to clickjacking attacks, in which attackers persuade users to click "on something only barely or momentarily noticeable" rather than legitimate links. A presentation planned for the OWASP conference was cancelled at the last minute because the vulnerabilities discovered were considered so serious that talks with the affected vendors were deemed necessary before publication.

Aharonovsky says his idea came from Hansen and Grossmann's hints and his demo means that major details are now publicly known. Hansen has consequently decided to give further details on clickjacking attacks on his blog. He lists a total of twelve problems in Flash, Internet Explorer 8, the NoScript plugin and browsers and JavaScript in general. To date, the only vulnerabilities to have been fixed are those in the Flash Player Settings Manager and NoScript. Adobe provides general information on mitigating the problem in Flash Player.

Israeli browser security specialist Aviv Raff has also released a clickjacking demo, in which a user clicking on an apparently innocent web site is registered as one of Raff's followers on Twitter.

Protection against clickjacking is offered by version of Firefox plugin NoScript. The new ClearClick function makes hidden, transparent or otherwise disguised dialogue boxes or frames visible when clicked. Users can then decide whether or not they really wish to activate the option in the dialogue box.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit