“Clickjacking” has the potential to affect users of nearly all internet browsers.
Clickjacking occurs when an attacker places an invisible button under an internet user's mouse pointer just above the viewable content of the web page, Jeremiah Grossman, founder and CTO of WhiteHat Security, said in an email to SCMagazineUS.com Monday.
The attacker then waits for the user to mistakenly click the button, which can be placed anywhere on any website, Grossman said.
Once the user has clicked the infected button, they unknowingly can be forced into actions not otherwise intended, he said.
Grossman and Robert "RSnake" Hansen, founder and CEO of SecTheory, shared their findings on the topic last week at the Open Web Application Security Project (OWASP) conference in New York. One of the findings they did not include, however, was a proof-of-concept example using an Adobe product. Grossman could not divulge details, only saying it was found to be “critical.”
Adobe asked for more time to remediate the problem before public disclosure.
In an advisory, US-CERT said: "Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page."
No fix is available.
"All of the browsers that people use on a day-to-day basis are vulnerable," Hansen told SCMagazineUS.com Monday.
Grossman gave an example of clickjacking: “Let's say a user is visiting a social network profile or any web page where an attacker's code is resident. When the user attempts to click on something, they mistakenly are clicking on a bank wire transfer, DSL router, advertising banner, or Digg, etc., button. While these are mostly harmless examples, the potential risk only goes up from there,” he said.
Grossman and Hansen said they have been researching clickjacking in depth since the middle of the year.
“Clickjacking is a well-known issue, but severely underappreciated and largely undefended, and we hope to begin changing that perception,” Grossman wrote in his blog.
In an entry on the Adobe Product Security Incident Response Team (PSIRT) blog dated Sept. 15, David Lenoe, of the Secure Software engineering team at Adobe, thanked Grossman and Hansen for bringing the issue to Adobe's attention.
“While they saw this issue as primarily a web browser issue, they showed us that one of their demos included an Adobe product,” he wrote. “We worked together with Robert and Jeremiah to assess the impact of this issue, and they determined that it was in our customers' best interest to refrain from making this issue public until Adobe and web browser vendors have a chance to provide a fix or fixes to our mutual customers.”
Of the spread of this type of attack, Grossman said, “It is unknown if the underground has added clickjacking to their arsenal,” and added that it would be difficult to tell if they have.
"It might not be the most attractive option at an attacker's disposal," Hansen said. "There are other, easier exploits out there."