Google working on fix for clickjacking vulnerability in Chrome

Share this article:
In the same week that Microsoft detailed plans to implement anti-clickjacking capabilities in Internet Explorer 8 (IE8), a proof-of-concept (PoC) clickjacking exploit for Google Chrome emerged.
 
Researcher Aditya Sood published the Chrome clickjacking vulnerability PoC on Wednesday. He said he was impressed that Microsoft attempted to fix the clickjacking issue in IE8 and this drove him to examine whether the problem exists elsewhere.

“The motto behind the release of vulnerabilities is to develop and design a highly efficient browser for the users,” Sood, founder of SecNiche Security, told SCMagazineUS.com on Friday.

Clickjacking occurs when an attacker places an invisible button just above the viewable content of the web page. The attacker then waits for the user to mistakenly click the button. Once the user has clicked the infected button, they unknowingly can be forced into actions not otherwise intended.

Google said in a statement that it was working on a permanent fix.

“The issue is tied to the way the web and web pages were designed to work, and there is no simple fix for any particular browser,” the company said. “We are working with other stakeholders to come up with a standardized long-term mitigation approach.”

To avoid the possibility of clickjacking, users should remember to log out of all websites when they are finished and to periodically delete their cookie files to ensure proper logout.

To lessen the potential dangers to clickjacking, use version 10 of Adobe Flash and if browsing with Firefox, install the NoScript plugin, said Jeremiah Grossman, founder and CTO of web security firm WhiteHat Security.

Grossman and fellow researcher Robert "RSnake" Hansen last year demonstrated a clickjacking PoC using Adobe Flash. The pair was among the first to convey the severity of the clickjacking threat, saying it can affect all major web browsers.

Soon after, Adobe patched the flaw, which could have given an attacker access to a victim's webcam and microphone.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

ShellShock vulnerability exploited in SMTP servers

Researchers at Trend Micro found that attackers were targeting Simple Mail Transfer Protocol (SMTP) servers to execute malicious code and an IRC bot.

Hackers grab email addresses of CurrentC pilot participants

Hackers grab email addresses of CurrentC pilot participants

Although the hack didn't breach the mobile payment app itself, consumer confidence may be shaken.

Operators disable firewall features to increase network performance, survey finds

Operators disable firewall features to increase network performance, ...

McAfee found that 60 percent of 504 surveyed IT professionals prioritize security as the primary driver of network design.