Wednesday, October 29, 2008

Clickjacking: A security problem for all browsers.

At the time of writing, most browsers are still susceptible to clickjacking, but you can take steps to reduce the risk. So what is clickjacking, really?

Clickjacking allows an attacker to use one or more of several new attack scenarios to literally steal your mouse clicks. When you think you're clicking on a simple button — for example, to see the next page of an article — you may actually be giving the bad guys permission to do something entirely different, such as log on to your online checking account.

By taking advantage of any of a growing number of recently discovered vulnerabilities in Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari, and all other Web browsers, criminals can hijack your system by intercepting clicks on what appear to be legitimate links. The problem doesn't stop there, however. At least some of the flaws that make clickjacking possible also show up in such popular Web tools as Adobe's Flash player and Microsoft's Silverlight streaming-media plug-in. If attackers can control where your clicks are going, they may be able to get you to reconfigure the system so that its security is disabled.

In clickjacking, surreptitious buttons are "floated" behind the actual buttons that you see on a Web site. When you click the button, you're not triggering the function that you expected. Instead, the click is routed to the bad guy's substitute link.

Clickjacking isn't new. In fact, it dates back to at least 2002 or 2003. What's new is the range of browser vulnerabilities that make clickjacking possible.

There are multiple variants of clickjacking. Some require cross-domain access, some don't. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF (Cross-Site Request Forgery) to pre-load data in forms, some don't. Clickjacking does not refer to any single one of these use cases, but to all of them.

This doesn't mean there are no protections, however. In fact, one of the most important steps that users can take to protect themselves is to enable JavaScript only for approved sites. Disabling JavaScript has serious drawbacks, because so much of the Web's interactivity is driven by JavaScript apps. And even browsing with JavaScript disabled will not protect against all possible avenues of attack. Most browsers are vulnerable.

Besides browsers, the bad guys can also exploit Web programs such as Adobe's Flash player. For instance, one proof-of-concept demonstration shows that a hacker can use the Flash player to take over a PC's webcam and microphone. Imagine the implications of stalkers eavesdropping on your laptop's built-in camera and mic. Clickjacking vulnerabilities don't stop there; attacks may also be launched via iframes by using cross-site scripting techniques. So disabling browser plug-ins and scripting will help, but it is no panacea, given the threat's complexity.
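
For the iframe-based variants mentioned above, a site can tell browsers not to render its pages inside another site's frame with the `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` response headers. The JavaScript below is an added example, not part of the original post; it classifies a set of response headers by the framing protection they give, and the function name `framingPolicy` and the sample headers are constructed for illustration.

```javascript
// Added example: classify how a response's headers restrict framing.
// `headers` is a plain object (header name -> value); all inputs below
// are constructed samples, not captured traffic.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // An enforced CSP frame-ancestors directive takes precedence over
  // X-Frame-Options. Content-Security-Policy-Report-Only is not read
  // here because browsers only report on it, they do not enforce it.
  // Assumes a single policy per header value.
  for (const directive of (h["content-security-policy"] || "").split(";")) {
    const [name, ...rest] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== "frame-ancestors") continue;
    const sources = rest.map((s) => s.toLowerCase());
    if (sources.includes("*")) return "unprotected";
    // A directive with no sources matches no ancestor, so it is
    // grouped with 'none' here.
    if (sources.length === 0 || sources.join() === "'none'") return "deny";
    if (sources.join() === "'self'") return "same-origin";
    return "allowlist";
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return "deny";
  if (xfo === "SAMEORIGIN") return "same-origin";
  // Anything else (missing header, a typo, or the obsolete ALLOW-FROM,
  // which current browsers do not honor) gives no framing protection.
  return "unprotected";
}

// Constructed sample responses.
const samples = {
  "no headers": {},
  "XFO deny": { "X-Frame-Options": "DENY" },
  "obsolete ALLOW-FROM": { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  "CSP overrides XFO": {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Frame-Options": "DENY",
  },
  "report-only CSP": { "Content-Security-Policy-Report-Only": "frame-ancestors 'none'" },
};
for (const [label, hdrs] of Object.entries(samples)) {
  console.log(label.padEnd(22), framingPolicy(hdrs));
}
```

A result of `unprotected` means the page can still be loaded in a third-party frame, which is the precondition for the overlay variants.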


Can you stay safe in a clickjacking, internet-connected world?

Browser and plug-in vendors have joined organizations in describing what you can do to stay safe. Adobe, the Mozilla Foundation and Microsoft have several webpages up describing precautions or solutions. Even taking all these precautions doesn't guarantee that your system is 100% immune to the new threat. You'll need to become more conservative in visiting untrustworthy sites until the applications you use are made more secure.

While we're all waiting for vendors to patch their products, when in doubt, ask yourself whether your mother would approve of the site. However, even on sites where you could reasonably expect to be safe from such attacks, you can still be blindsided, so always think twice before you click.

However, I stay optimistic. While the threat of attack may be high for the next three to six months, I expect more complete protections to become available within the same timeframe.