Popular browsers continue to be vulnerable to clickjacking attacks - Updated
A demo released by security expert Aditya K Sood shows once again that the browser manufacturers still haven't found a cure for the type of attack that became known as clickjacking last year. The term clickjacking refers to attacks in which a malicious web page places an element such as a transparent iframe under the mouse pointer. Thinking they are clicking on a visible item on the page, users instead click on the elements contained in the iframe, for example the buttons of a router's web interface that change settings or initiate actions.
Sood's demo, which was originally only intended to show that Google's Chrome browser is vulnerable to clickjacking, works in a similar way. The demo also functions in the current version of Firefox, however. It shows that the browser initially displays the correct URL, in this case yahoo.com, in the status bar when the mouse hovers over a link, yet clicking on the link actually calls xxsed.com, a cross-site scripting database. This could be exploited for phishing attacks.
While Internet Explorer is generally also vulnerable to clickjacking attacks, Sood's demo doesn't work with this browser. Microsoft plans to incorporate an anti-clickjacking feature in version 8 of Internet Explorer - the feature is already contained in the release candidate. According to browser experts, however, it only offers passive protection that relies on website developers sending a particular header to the browser to avoid the clickjacking of buttons.
Giorgio Maone, the developer of NoScript, says that this added header is "X-FRAME-OPTIONS: DENY". If a page doesn't contain this header, the protective feature doesn't work. As it is unlikely that all of the web server operators and web interface developers will incorporate the proprietary header in the near future, the anti-clickjacking feature in Internet Explorer 8 is essentially ineffective.
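The header-based protection described above only works where the server actually sends the header, so the practical check for a defender is to look at what a given page returns. The following is an added example, not code from the article or from any of the browser vendors or developers it quotes: it parses the header block of an HTTP response and classifies the framing protection it announces. It goes beyond the article in also recognising the Content-Security-Policy frame-ancestors directive, which later standardised and superseded X-Frame-Options. The sample responses (a constructed "router-admin" page and two constructed hardened pages), the hostname partner.example and the function names are all assumptions made for the example.

```python
"""Added example (not from the heise article): classify the clickjacking
(framing) protection a server announces in its response headers.

Assumptions: headers arrive as a raw HTTP header block or as a plain
dict; header names are matched case-insensitively; CSP frame-ancestors
is checked first because supporting browsers give it precedence over
X-Frame-Options.  The sample responses below are constructed."""


def parse_header_block(raw):
    """Parse an HTTP status line plus headers into a dict.
    Parsing stops at the first blank line (the start of the body);
    repeated header names are joined with ', '."""
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:                # skip the status line
        if not line.strip():
            break                         # blank line ends the header block
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return headers


def _get(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_frame_ancestors(csp):
    """Return the frame-ancestors source list of a CSP value (quotes
    stripped, lower-cased), or None if the directive is not present."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_protection(headers):
    """Return (level, reason). Levels: 'strong' (nobody may frame the
    page), 'partial' (some origins may frame it), 'none'."""
    ancestors = csp_frame_ancestors(_get(headers, "Content-Security-Policy"))
    if ancestors is not None:
        # An empty source list or 'none' forbids all framing.
        if not ancestors or ancestors == ["none"]:
            return ("strong", "CSP frame-ancestors 'none'")
        if "*" not in ancestors:
            return ("partial", "CSP frame-ancestors limits framing to: " + " ".join(ancestors))
        # frame-ancestors * imposes no restriction; fall through to X-Frame-Options.
    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        return ("none", "no X-Frame-Options or CSP frame-ancestors header")
    value = xfo.strip().upper()
    if value == "DENY":
        return ("strong", "X-Frame-Options: DENY")
    if value == "SAMEORIGIN":
        return ("partial", "X-Frame-Options: SAMEORIGIN (same-origin pages may frame it)")
    if value.startswith("ALLOW-FROM"):
        # Obsolete syntax: current browsers ignore it and apply no restriction.
        return ("none", "X-Frame-Options: ALLOW-FROM is obsolete and ignored by current browsers")
    return ("none", "unrecognised X-Frame-Options value %r is ignored by browsers" % xfo)


# Constructed sample responses, as a scanner might capture them.
SAMPLE_RESPONSES = {
    "router-admin": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: httpd\r\n\r\n<html>",
    "hardened": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                "Content-Security-Policy: frame-ancestors 'none'\r\n\r\n",
    "partner-embed": "HTTP/1.1 200 OK\r\ncontent-security-policy: "
                     "default-src 'self'; frame-ancestors 'self' https://partner.example\r\n\r\n",
}


def audit(responses):
    """Map each response name to its (level, reason) classification."""
    return {name: framing_protection(parse_header_block(raw)) for name, raw in responses.items()}


if __name__ == "__main__":
    for name, (level, reason) in audit(SAMPLE_RESPONSES).items():
        print(f"{name:14} {level:8} {reason}")
```

Run stand-alone, the script reports the unprotected "router-admin" page as having no framing protection, which is exactly the case the article warns about: a browser-side feature that keys off this header cannot help a page whose server never sends it.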
Update: According to Giorgio Maone, the NoScript developer, the demo is not a Clickjacking attack. In a comment he wrote: "That's not Clickjacking by any stretch of imagination, and hardly malicious: you just get on a 'surprise' destination, but nothing more since it can't do any of the cross-site evils (e.g. bypassing CSRF protection) of the real thing."
- Clickjacking: any click could be the fatal click, a heise UK report
- First release candidate of Internet Explorer 8 available, a heise UK report