Researchers reveal 'clickjacking' attack info

The security researchers who two weeks ago warned of new "clickjacking" vulnerabilities in browsers, websites and popular plug-ins, have revealed a dozen variants of the bug.

Share

The security researchers who two weeks ago warned of new "clickjacking" vulnerabilities in browsers, websites and popular plug-ins, have revealed a dozen variants of the bug.

Robert Hansen, chief executive at SecTheory, said: "The list doesn't cover all the other kinds of plug-ins that are vulnerable, or all the browsers or all the websites. "The list got so long so fast that it was impossible to keep track of all the sub-issues."

"Clickjacking" is the new class of vulnerabilities that Hansen and fellow researcher Jeremiah Grossman, chief technology officer at WhiteHat Security , first mentioned during a New York security conference.

Hansen and Grossman had originally intended to present the bulk of their findings then, but agreed to withhold most of the information at the request of Adobe, which said it would quickly patch its software against clickjacking attack.

Early on Tuesday, however, Israeli researcher Guy Aharonovsky posted a proof-of-concept demonstration that uses clickjacking tactics to invisibly reset Adobe System 's Flash privacy settings, and secretly turn on the computer's webcam and microphone for remote spying.

With the cat out of the bag, Adobe gave Hansen and Grossman the go-ahead to get specific about their findings. Hansen then posted a list of 12 different clickjacking scenarios on his blog.

"There are multiple variants of clickjacking," Hansen said in the post. "Some require cross domain access, some don't. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF to pre-load data in forms, some don't."

Of the dozen he spelled out, only two have been resolved. Adobe has not, for example, patched Flash against one of the clickjacking vulnerabilities Hansen and Grossman reported to the company. Adobe issued a security advisory message on Tuesday, however, with instructions on how to secure Flash against webcam and microphone hijacking in lieu of a patch.

"[Aharonovsky's] proof-of-concept was just a demonstration, but clickjacking can do all kinds of things," Hansen said. "If you think about the traditional web applications that have a 'Confirm' button or an 'Add a friend' button or any kind of single-button click, they're all going to be more vulnerable now."

"Recommended For You"

Google discloses Windows XP zero-day bug What is "clickjacking" and should you be concerned about it?