Google working on fix for clickjacking vulnerability in Chrome

Share this article:
In the same week that Microsoft detailed plans to implement anti-clickjacking capabilities in Internet Explorer 8 (IE8), a proof-of-concept (PoC) clickjacking exploit for Google Chrome emerged.
 
Researcher Aditya Sood published the Chrome clickjacking vulnerability PoC on Wednesday. He said he was impressed that Microsoft attempted to fix the clickjacking issue in IE8 and this drove him to examine whether the problem exists elsewhere.

“The motto behind the release of vulnerabilities is to develop and design a highly efficient browser for the users,” Sood, founder of SecNiche Security, told SCMagazineUS.com on Friday.

Clickjacking occurs when an attacker places an invisible button just above the viewable content of the web page. The attacker then waits for the user to mistakenly click the button. Once the user has clicked the infected button, they unknowingly can be forced into actions not otherwise intended.

Google said in a statement that it was working on a permanent fix.

“The issue is tied to the way the web and web pages were designed to work, and there is no simple fix for any particular browser,” the company said. “We are working with other stakeholders to come up with a standardized long-term mitigation approach.”

To avoid the possibility of clickjacking, users should remember to log out of all websites when they are finished and to periodically delete their cookie files to ensure proper logout.

To lessen the potential dangers to clickjacking, use version 10 of Adobe Flash and if browsing with Firefox, install the NoScript plugin, said Jeremiah Grossman, founder and CTO of web security firm WhiteHat Security.

Grossman and fellow researcher Robert "RSnake" Hansen last year demonstrated a clickjacking PoC using Adobe Flash. The pair was among the first to convey the severity of the clickjacking threat, saying it can affect all major web browsers.

Soon after, Adobe patched the flaw, which could have given an attacker access to a victim's webcam and microphone.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Beazley: employee errors root of most data breaches, but malware incidents cost ...

Insurance firm Beazley analyzed more than 1,500 data breaches it serviced between 2013 and 2014.

Apple issues seven updates, fixes more than 40 vulnerabilities in iOS 8, OS 10.9.5

Apple issues seven updates, fixes more than 40 ...

In one of its infrequent "Update Surprisedays," Apple plugged holes, boosted security and added features.

Canadian telecom co. Telus unveils first transparency report

The company received more than 100,000 government requests for customer data last year.