Google working on fix for clickjacking vulnerability in Chrome

Share this article:
In the same week that Microsoft detailed plans to implement anti-clickjacking capabilities in Internet Explorer 8 (IE8), a proof-of-concept (PoC) clickjacking exploit for Google Chrome emerged.
 
Researcher Aditya Sood published the Chrome clickjacking vulnerability PoC on Wednesday. He said he was impressed that Microsoft attempted to fix the clickjacking issue in IE8 and this drove him to examine whether the problem exists elsewhere.

“The motto behind the release of vulnerabilities is to develop and design a highly efficient browser for the users,” Sood, founder of SecNiche Security, told SCMagazineUS.com on Friday.

Clickjacking occurs when an attacker places an invisible button just above the viewable content of the web page. The attacker then waits for the user to mistakenly click the button. Once the user has clicked the infected button, they unknowingly can be forced into actions not otherwise intended.

Google said in a statement that it was working on a permanent fix.

“The issue is tied to the way the web and web pages were designed to work, and there is no simple fix for any particular browser,” the company said. “We are working with other stakeholders to come up with a standardized long-term mitigation approach.”

To avoid the possibility of clickjacking, users should remember to log out of all websites when they are finished and to periodically delete their cookie files to ensure proper logout.

To lessen the potential dangers to clickjacking, use version 10 of Adobe Flash and if browsing with Firefox, install the NoScript plugin, said Jeremiah Grossman, founder and CTO of web security firm WhiteHat Security.

Grossman and fellow researcher Robert "RSnake" Hansen last year demonstrated a clickjacking PoC using Adobe Flash. The pair was among the first to convey the severity of the clickjacking threat, saying it can affect all major web browsers.

Soon after, Adobe patched the flaw, which could have given an attacker access to a victim's webcam and microphone.
Share this article:

Sign up to our newsletters

More in News

EFF intros wireless router software to boost industry standard

EFF intros wireless router software to boost industry ...

This weekend, the digital rights group released a "hacker alpha" version of its Open Wireless Router software.

Breaches driving organizational security strategy, survey indicates

Breaches driving organizational security strategy, survey indicates

CyberArk interviewed 373 IT security executives and other senior management in North America, Europe and the Asia-Pacific as part of its eighth annual Global Advanced Threat Landscape survey.

Siemens industrial products impacted by four OpenSSL vulnerabilities

The vulnerabilities can be exploited remotely, and fairly easily, by an attacker to hijack sessions and crash the web server of the product.