Security researches have raised an alarm over clickjacking: a new exploit to which Internet Explorer, Firefox, Chrome, Safari and just about every other popular browser is vulnerable. Jeremiah Grossman and Robert “RSnake” Hansen were scheduled to reveal details of the exploit at the Open Web Application Security Project (OWASP) last week, but voluntarily cancelled their presentation at the request of Adobe. While details of the vulnerability are somewhat scant at this point in time, there is nonetheless some information in the public domain.
What is clickjacking?
Grossman made the following comments in relation to the exploit: “Think of any button on any Web site, internal or external, that you can get to appear between the browser walls. Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to.”
IFRAME exploits (which is what this appears to be) are certainly nothing new and, on the face of it, clickjacking seems to simply be a new variation on a somewhat old theme. This is supported by Giorgio Maone, a security researcher and the creator of the NoScript add-on for Firefox who is aware of the details that Adobe asked to be kept under wraps. “Ironically, I’ve used for months a benign form of “clickjacking” on the NoScript download page to skip the security warning displayed by Firefox where an add-on installation is initiated from any web site other than mozilla.org,” commented Maone.
While clickjacking may not be an entirely new concept, it nonetheless represent a serious vulnerability that spans multiple browsers and, according to Maone, is almost certainly now being exploited in the wild.
Can you secure your browser against clickjacking?
According to Maone, “The only “modern” browser besides those supported by NoScript (Firefox, Seamonkey, Flock and a few other Mozilla-based products) that can be configured to fully prevent clickjacking is Opera. Even there, usability is not comparable to NoScript’s. IE, Safari and especially Chrome cannot be protected 100% and the protection you can get comes with unbearable usability costs.”
For users of Mozilla-based browsers such as Firefox, NoScript certainly represents the easiest and most secure solution; simply enabling the Plugins|Forbid option in NoScript will provide complete protection. Users of other browsers can follow the steps which Maone has outlined on his website to disable Javascipt, plug-ins/ActiveX and IFRAMEs but, as Maone points out, this will not provide complete protection against clickjacking and will impact of the usability of the browser.
For now, it would appear that the best and most secure solution is to start using a Mozilla-based browser and to install Giorgio Maone’s NoScript add-on (which, incidentally, is completely free).