Clickjacking: any click could be the fatal click
An apparently harmless click in a browser window is all it takes to allow criminals to access your computer. Flash developer Guy Aharonovsky has released a demo with which users can unknowingly change their Flash Player settings, allowing attackers to access their microphone and webcam. The demo exploits weaknesses in current browser versions and Adobe’s Flash Player Settings Manager.
This attack, known as 'clickjacking' or 'UI redressing', represents just one example of a much larger problem. Back in mid-September, security specialists Jeremiah Grossman and Robert "RSnake" Hansen hinted that a whole range of browsers and web sites were vulnerable to clickjacking attacks, in which attackers persuade users to click "on something only barely or momentarily noticeable" rather than legitimate links. A presentation planned for the OWASP conference was cancelled at the last minute because the vulnerabilities discovered were considered so serious that talks with the affected vendors were deemed necessary before publication.
Israeli browser security specialist Aviv Raff has also released a clickjacking demo, in which a user clicking on an apparently innocent web site is registered as one of Raff's followers on Twitter.
Protection against clickjacking is offered by version 188.8.131.52 of Firefox plugin NoScript. The new ClearClick function makes hidden, transparent or otherwise disguised dialogue boxes or frames visible when clicked. Users can then decide whether or not they really wish to activate the option in the dialogue box.
- Malicious camera spying using ClickJacking, report from Guy Aharonovsky
- Clickjacking Details, report from Robert Hansen
- Flash Player workaround available for "Clickjacking" issue, report from Adobe
- Hello ClearClick, Goodbye Clickjacking!, report on hackademix.net