"Clickjacking" poses major web browser threat

“Clickjacking” has the potential to affect users of nearly all internet browsers. 

Clickjacking occurs when an attacker places an invisible button under an internet user's mouse pointer just above the viewable content of the web page, Jeremiah Grossman, founder and CTO of WhiteHat Security, said in an email to SCMagazineUS.com Monday.

The attacker then waits for the user to mistakenly click the button, which can be placed anywhere on any website, Grossman said.


Once the user has clicked the infected button, they unknowingly can be forced into actions not otherwise intended, he said.
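Clickjacking only works if the target page can be loaded inside another site's frame, so the standard defence is for the server to tell the browser who may frame it. As an added example, not from this article (which predates these headers), here is a small Python audit of response headers for X-Frame-Options and CSP frame-ancestors; the sample responses are constructed for the example.

```python
"""Audit HTTP response headers for the framing restrictions (X-Frame-Options, CSP
frame-ancestors) that keep a page out of an attacker's invisible frame. Those headers
are later browser features, not from the article; sample responses are constructed."""
from typing import Dict, List

# Constructed sample responses: header maps as a server might send them.
SAMPLE_RESPONSES = {
    "bank-transfer-page": {"X-Frame-Options": "DENY"},
    "router-admin": {"Content-Type": "text/html"},  # no restriction at all
    "profile-page": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                     "X-Frame-Options": "SAMEORIGIN"},
    "partner-widget": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

def parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def framing_protection(headers: Dict[str, str]) -> dict:
    """Report which mechanism (if any) restricts who may frame the page.
    Header names are matched case-insensitively, as a browser does."""
    h = {k.lower(): v for k, v in headers.items()}
    result = {"protected": False, "mechanism": None, "allowed": [], "notes": []}
    csp = parse_csp(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").strip().upper()
    if "frame-ancestors" in csp:
        # Browsers that understand frame-ancestors ignore X-Frame-Options when both are set.
        sources = csp["frame-ancestors"]
        too_broad = "*" in sources or any(s.endswith(":") for s in sources)  # e.g. bare "https:"
        result.update(mechanism="csp-frame-ancestors", allowed=sources, protected=not too_broad)
        if xfo:
            result["notes"].append("X-Frame-Options present but overridden by frame-ancestors")
    elif xfo in ("DENY", "SAMEORIGIN"):
        allowed = ["'none'"] if xfo == "DENY" else ["'self'"]
        result.update(mechanism="x-frame-options", allowed=allowed, protected=True)
    elif xfo.startswith("ALLOW-FROM"):
        result["notes"].append("ALLOW-FROM is not honoured by current browsers; treat as unprotected")
    else:  # header absent or an invalid value, which browsers ignore
        result["notes"].append("no valid framing restriction: page can be embedded in an invisible frame")
    return result

def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, bool]:
    """Map each sample page to whether it can still be framed (True = at risk)."""
    return {name: not framing_protection(hdrs)["protected"] for name, hdrs in responses.items()}

print(audit(SAMPLE_RESPONSES))
```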


Grossman and Robert "RSnake" Hansen, founder and CEO of SecTheory, shared their findings on the topic last week at the Open Web Application Security Project (OWASP) conference in New York. One of the findings they did not include, however, was a proof-of-concept example using an Adobe product. Grossman could not divulge details, only saying it was found to be “critical.”

Adobe asked for more time to remediate the problem before public disclosure.


In an advisory, US-CERT said: "Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page."


No fix is available.

"All of the browsers that people use on a day-to-day basis are vulnerable," Hansen told SCMagazineUS.com Monday.

Grossman gave an example of clickjacking: “Let's say a user is visiting a social network profile or any web page where an attacker's code is resident. When the user attempts to click on something, they mistakenly are clicking on a bank wire transfer, DSL router, advertising banner, or Digg, etc., button. While these are mostly harmless examples, the potential risk only goes up from there,” he said.


Grossman and Hansen said they have been researching clickjacking in depth since the middle of the year. 

“Clickjacking is a well-known issue, but severely underappreciated and largely undefended, and we hope to begin changing that perception,” Grossman wrote in his blog.


In an entry on the Adobe Product Security Incident Response Team (PSIRT) blog dated Sept. 15, David Lenoe, of the Secure Software Engineering team at Adobe, thanked Grossman and Hansen for bringing the issue to Adobe's attention.


“While they saw this issue as primarily a web browser issue, they showed us that one of their demos included an Adobe product," he wrote. "We worked together with Robert and Jeremiah to assess the impact of this issue, and they determined that it was in our customers' best interest to refrain from making this issue public until Adobe and web browser vendors have a chance to provide a fix or fixes to our mutual customers."


Of the spread of this type of attack, Grossman said, “It is unknown if the underground has added clickjacking to their arsenal,” and added that it would be difficult to tell if they have.

"It might not be the most attractive option at an attacker's disposal," Hansen said. "There are other, easier exploits out there."
