Friday, September 26, 2008

Clickjacking

Clickjacking is not exactly unknown, though it is one of the few security threats for which there is almost no defense - at least according to Jeremiah Grossman and Robert Hansen, who discovered the "fundamental flaw" and planned to discuss it at the Open Web Application Security Project (OWASP) this week in New York.

"At the time, we believed our discoveries were more in line with generic Web browsers behavior, not traditional 'exploits,' and that guarding against Clickjacking was largely the browser vendors' responsibility," writes Grossman, but once it was discovered that the same exploit can affect Adobe products, Adobe requested they cancel the discussion. Unfortunately, this means that no one outside "a few industry colleagues" (Grossman) knows what, exactly, this means - or even what it is!

Clickjacking is an exploit which forces surfers to "click" on a URL, often one that is hidden or only partially visible for a moment. While details are fuzzy, this much is clear: clickjacking is not a traditional redirect by any method (.htaccess, 301, etc.); if I understand correctly, in order for the user's browser to be clickjacked, the user must click on something on the affected page. That is where the "jacking" comes in: the browser is directed to a URL that neither the user nor the website intended as the target.

At this time, the exploit apparently affects all browsers, except very basic, text-based browsers (such as Lynx) - and at least one Adobe product. Grossman and company say the browser companies are at 0-day; they must correct the "fundamental flaw" within the software, as the only other option would be for all webmasters to update all websites (and, I assume, all pages within them)! Even then, browser manufacturers would still need to update their code.

© C Harris Lynn, 2008

2 comments:

Malditang Pinay said...

Hmmm... when you said all browsers are affected do you include Chrome, too? I've been using it since it came out. I felt more secure using it although it's got a few bugs.

ManoDogs said...

Hi Malditang, thanks for the comment.

As to your question, I honestly do not know. They have been tight-lipped about the matter (as I guess they should be), but Firefox released an update shortly after the announcement. I don't keep up with IE, but I assume all the browsers and companies are working to correct the problem.