In association with heise online

29 January 2009, 12:04

Popular browsers continue to be vulnerable to clickjacking attacks - Updated


A demo released by security expert Aditya K Sood shows once again that the browser manufacturers still haven't found a cure for the type of attack that became known as clickjacking last year. The term clickjacking refers to attacks where malformed web pages place items like a transparent iFrame under the mouse pointer. Thinking they are clicking on some item on the page, users click on the elements contained in the iFrame instead, for example on the buttons of a router's web interface that change settings or initiate actions.

Sood's demo, which was originally only intended to demonstrate that Google's Chrome browser is vulnerable to clickjacking, works in a similar way. However, the demo also functions in the current version of Firefox. It demonstrates how the browser initially shows the correct URL, in this case yahoo.com, in the status bar when the mouse hovers over a link, but how clicking on the link actually calls xxsed.com, a cross-site scripting database. This could be exploited for phishing attacks.

In a short test by the heise Security team, the ClearClick anti-clickjacking feature contained in the NoScript plug-in for Firefox blocked the attack, and the browser called yahoo.com as intended. NoScript issued no warning about the attack, however. A new test showed that only blocking JavaScript can protect the user: once scripts are allowed, the demo works even with ClearClick protection activated. NoScript apparently does not recognize all variants of clickjacking.

While Internet Explorer is generally also vulnerable to clickjacking attacks, Sood's demo doesn't work with this browser. Microsoft plans to incorporate an anti-clickjacking feature in version 8 of Internet Explorer - the feature is already contained in the release candidate. According to browser experts, however, it only offers passive protection that relies on website developers sending a particular header to the browser to avoid the clickjacking of buttons.

Giorgio Maone, the developer of NoScript, says that this added header is "X-FRAME-OPTIONS: DENY". If a page doesn't contain this header, the protective feature doesn't work. As it is unlikely that all of the web server operators and web interface developers will incorporate the proprietary header in the near future, the anti-clickjacking feature in Internet Explorer 8 is essentially ineffective.
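The header mechanism described above, shown as an added example that is not part of the original article: a WSGI middleware that sends the header on every response, and a simplified model of the browser-side decision showing why a page without the header stays frameable. The names `DenyFraming`, `framing_blocked`, `router_admin_app` and `response_headers` are hypothetical, and only the `DENY` value quoted in the article is modelled.

```python
FRAME_HEADER = "X-Frame-Options"


def framing_blocked(headers):
    """Model of a browser honouring the header: True means 'refuse to frame'."""
    for name, value in headers:  # header names are case-insensitive
        if name.lower() == FRAME_HEADER.lower() and value.strip().upper() == "DENY":
            return True
    return False  # no header sent: the protection is passive, the page can be framed


class DenyFraming:
    """Wrap a WSGI app so every response carries X-Frame-Options: DENY."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def patched_start(status, headers, exc_info=None):
            # Drop any existing copy so the response carries exactly one value.
            kept = [(n, v) for n, v in headers if n.lower() != FRAME_HEADER.lower()]
            kept.append((FRAME_HEADER, "DENY"))
            return start_response(status, kept, exc_info)
        return self.app(environ, patched_start)


def router_admin_app(environ, start_response):
    """Constructed stand-in for a device web interface with a settings button."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method='post'><button>Apply settings</button></form>"]


def response_headers(app):
    """Call a WSGI app once, offline, and return the headers it sent."""
    captured = []
    def start_response(status, headers, exc_info=None):
        captured[:] = headers
    b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured


if __name__ == "__main__":
    print("bare app blocked:", framing_blocked(response_headers(router_admin_app)))
    print("wrapped app blocked:", framing_blocked(response_headers(DenyFraming(router_admin_app))))
```
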

Update: According to Giorgio Maone, the NoScript developer, the demo is not a Clickjacking attack. In a comment he wrote: "That's not Clickjacking by any stretch of imagination, and hardly malicious: you just get on a "surprise" destination, but nothing more since it can't do any of the cross-site evils (e.g. bypassing CSRF protection) of the real thing."


(crve)

Permalink: http://h-online.com/-739867
 

