"Clickjacking" poses major web browser threat

Share this article:

“Clickjacking” has the potential to affect users of nearly all internet browsers. 

Clickjacking occurs when an attacker places an invisible button under an internet user's mouse pointer just above the viewable content of the web page, Jeremiah Grossman, founder and CTO of WhiteHat Security, said in an email to SCMagazineUS.com Monday.

The attacker then waits for the user to mistakenly click the button, which can be placed anywhere on any website, Grossman said.


Once the user has clicked the infected button, they unknowingly can be forced into actions not otherwise intended, he said.


Grossman and Robert "RSnake" Hansen, founder and of CEO SecTheory, shared their findings on the topic last week at the Open Web Application Security Project (OWASP) conference in New York. One of the findings they did not include, however, was a proof-of-concept example using an Adobe product. Grossman could not divulge details, only saying it was found to be “critical.”



Adobe asked for more time to remediate the problem before public disclosure.


In an advisory, US-CERT said: "Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page."


No fix is available.

"All of the browsers that people use on a day-to-day basis are vulnerable," Hansen told SCMagazineUS.com Monday.

Grossman gave an example of clickjacking: “Let's say a user is visiting a social network profile or any web page where an attacker's code is resident. When the user attempts to click on something, they mistakenly are clicking on a bank wire transfer, DSL router, advertising banner, or Digg, etc., button. While these are mostly harmless examples, the potential risk only goes up from there,” he said.


Grossman and Hansen said they have been researching clickjacking in depth since the middle of the year. 

“Clickjacking is a well-known issue, but severely underappreciated and largely undefended, and we hope to begin changing that perception,” Grossman wrote in his blog.


In an entry on the Adobe Product Security Incident Response Team (PSIRT) blog dated Sept. 15, David Lenoe, of the Secure Software engineering team at Adobe thanked Grossman and Hansen for bringing the issue to Adobe's attention.


“While they saw this issue as primarily a web browser issue, they showed us that one of their demos included an Adobe product," he wrote. "We worked together with Robert and Jeremiah to assess the impact of this issue, and they determined that it was in our customers' best interest to refrain from making this issue public until Adobe and web browser vendors have a chance to provide a fix or fixes to our mutual customers."


Of the spread of this type of attack, Grossman said, “It is unknown if the underground has added clickjacking to their arsenal,” and added that it would be difficult to tell if they have.

"It might not be the most attractive option at an attacker's disposal," Hansen said. "There are other, easier exploits out there."

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters


More in News

Information sharing requires breaking down barriers, White House cyber guru says

Information sharing requires breaking down barriers, White House ...

The White House has advanced an agenda to promote and facilitate information sharing on security threats and vulnerabilities.

Worm variant of Android ransomware, Koler, spreads via SMS

Worm variant of Android ransomware, Koler, spreads via ...

Upon infection, the Koler variant will send an SMS message to all contacts in the device's address book.

Patch for Windows flaw can be bypassed, prompts temporary fix from Microsoft

Patch for Windows flaw can be bypassed, prompts ...

The Windows zero-day received a patch last week, but the fix can still be bypassed by crafty attackers.