Google working on fix for clickjacking vulnerability in Chrome

Share this article:
In the same week that Microsoft detailed plans to implement anti-clickjacking capabilities in Internet Explorer 8 (IE8), a proof-of-concept (PoC) clickjacking exploit for Google Chrome emerged.
 
Researcher Aditya Sood published the Chrome clickjacking vulnerability PoC on Wednesday. He said he was impressed that Microsoft attempted to fix the clickjacking issue in IE8 and this drove him to examine whether the problem exists elsewhere.

“The motto behind the release of vulnerabilities is to develop and design a highly efficient browser for the users,” Sood, founder of SecNiche Security, told SCMagazineUS.com on Friday.

Clickjacking occurs when an attacker places an invisible button just above the viewable content of the web page. The attacker then waits for the user to mistakenly click the button. Once the user has clicked the infected button, they unknowingly can be forced into actions not otherwise intended.

Google said in a statement that it was working on a permanent fix.

“The issue is tied to the way the web and web pages were designed to work, and there is no simple fix for any particular browser,” the company said. “We are working with other stakeholders to come up with a standardized long-term mitigation approach.”

To avoid the possibility of clickjacking, users should remember to log out of all websites when they are finished and to periodically delete their cookie files to ensure proper logout.

To lessen the potential dangers to clickjacking, use version 10 of Adobe Flash and if browsing with Firefox, install the NoScript plugin, said Jeremiah Grossman, founder and CTO of web security firm WhiteHat Security.

Grossman and fellow researcher Robert "RSnake" Hansen last year demonstrated a clickjacking PoC using Adobe Flash. The pair was among the first to convey the severity of the clickjacking threat, saying it can affect all major web browsers.

Soon after, Adobe patched the flaw, which could have given an attacker access to a victim's webcam and microphone.
Share this article:

Sign up to our newsletters

More in News

Latest Citadel trick allows RDP access after malware's removal

Latest Citadel trick allows RDP access after malware's ...

Trusteer, an IBM company, said the new Citadel configuration was detected this month.

Cryptoblocker variant emerges, encryption differs from CryptoLocker

Trend Micro has detected a variant of CryptoLocker in the wild that relies on the advanced encryption standard.

Jimmy John's sandwich chain investigating possible breach

Some financial institutions have indicated that credit cards recently used at Jimmy John's locations have been used to make fraudulent purchases.