Is "clickjacking" the next threat?
Security experts have cancelled a talk at the OWASP Conference on critical security flaws in a number of web browsers and in web sites. Their reasons for doing so have caused a stir in the security community. One of the experts, Robert "RSnake" Hansen, explained their actions in a blog, where he claims that the vulnerabilities they uncovered were so serious that, acting on the principle of "responsible disclosure", they felt obliged to contact the vendors concerned before making them public.
The talk Hansen and his colleague Jeremiah Grossman had planned was entitled "Clickjacking". According to the description provided by Hansen and Grossman, a combination of the flaws they discovered would enable an attacker to make a user click on a virtually invisible, or only briefly visible, link instead of a legitimate one. This kind of weakness would be a goldmine for phishers and could provide a springboard for a host of other attacks. One of the problems, writes Grossman, concerns "web sites in general". However, because it would be impossible to wait for every web site to make an update, they are trying to get the flaws fixed by the browser vendors. The problem of "clickjacking", says the blog, is actually fairly well known, but under-appreciated.
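As an added illustration (not code from the article or from Hansen and Grossman), the following shows the most basic page-side defence against the overlay trick described above. It assumes the usual clickjacking setup, which the article does not spell out: the genuine page is embedded in a frame owned by the attacker's page and made transparent, so a page can at least notice that it is not the top-level document and decline to render its clickable controls. The window and document objects are passed in as parameters so the logic can be exercised outside a browser.

```javascript
// Returns true when `win` is not the top-level browsing context, i.e. some
// other document has framed it. `window.self !== window.top` is the classic
// framing check; window.top is readable even across origins.
function isFramed(win) {
  return win.self !== win.top;
}

// Decide whether to show the page's interactive UI.
// Returns "render" at top level and "hide" when framed; in the framed case
// the body is blanked so there is nothing underneath an overlay to click.
function frameDefense(win, doc) {
  if (!isFramed(win)) {
    doc.body.style.display = "";
    return "render";
  }
  doc.body.style.display = "none";
  return "hide";
}

// Constructed stand-ins for a browser window and document (demo only).
function makeTopLevelWindow() {
  const w = {};
  w.self = w;
  w.top = w;
  return w;
}
function makeFramedWindow() {
  const outer = makeTopLevelWindow();
  const inner = { top: outer };
  inner.self = inner;
  return inner;
}
function makeDocument() {
  return { body: { style: { display: "" } } };
}

// Demo run when loaded directly.
console.log("top-level:", frameDefense(makeTopLevelWindow(), makeDocument()));
console.log("framed:   ", frameDefense(makeFramedWindow(), makeDocument()));
```

Script checks like this are only a partial measure, since an attacker controls the framing page and can interfere with scripts in the frame; a browser-enforced framing policy sent by the server (such as the X-Frame-Options header that browsers later adopted) is the stronger mitigation.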
An official announcement made by the conference organiser initially stated that the talk had been "suppressed". The wording in Grossman's blog, which says that the talk was postponed "by vendor request", is reminiscent of incidents such as the Cisco vs. Michael Lynn case. In 2005, the hardware giant took legal action against a BlackHat talk that made reference to its IOS router software. Hansen emphatically rejects this interpretation and maintains that the decision to withdraw the presentation was their own.
Hansen and Grossman say that they have already contacted industry majors such as Microsoft – IE8 is thought to be one of the browsers affected – and Adobe in an effort to find a solution to the problem. In a company blog, Adobe admits that one of its products is affected and says it is working on a fix.
The two security specialists are well-known figures in the industry. Last year, they discovered a vulnerability in Firefox that allowed attackers to read a browser's web history. Hansen also organised a competition at the beginning of the year for the shortest XSS worm.
- Clickjacking, Blog entry from Robert Hansen
- (Cancelled) / Clickjacking - OWASP AppSec Talk, Blog entry from Jeremiah Grossman