Clickjacking: Potentially harmful Web browser exploit


Summary

Clickjacking has the potential to redirect unknowing users to malicious Web sites or even spy on them. We all need to be aware of clickjacking and how to avoid its trappings.


TechRepublic's Paul Mah made first mention of clickjacking in a Security News Roundup in September 2008.

At that time, security researchers Robert Hansen, founder of SecTheory, and Jeremiah Grossman, CTO of WhiteHat Security, weren't able to divulge a great deal about the vulnerability, as they were in talks with the major browser developers as well as Adobe.

What is clickjacking?
Clickjacking takes advantage of the fact that a Web page isn't just two-dimensional. Elements can be stacked on top of one another, and that virtual depth is where clickjacking lives: an attacker embeds content on a Web page, often as a layer the user cannot see, so that the page responds to a click differently from what the visible content leads the user to expect.

In the following quote by the researchers, one can see the extent and variations of clickjacking that are possible:

"First of all let me start by saying there are multiple variants of clickjacking. Some require cross domain access, some don't. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF to pre-load data in forms, some don't. Clickjacking doesn't cover any one of these use cases, but rather all of them. That's why we had to come up with a new term for it--like the term or not. As CSRF didn't fit the requirements for clickjacking, we had to come up with a new term to avoid confusion."

For example, let's say I'm on what appears to be my banking Web site. I then click on a button that should bring me to my accounts. The only problem is that the button didn't bring me to my accounts; it brought me to a page that merely looks like my account, or it carried out a completely different operation from the one I expected.

Robert Hansen gave an interesting example of what's possible with clickjacking:

"Say you have a home wireless router that you had authenticated prior to going to a legitimate Web site. The attacker places a tag under your mouse that frames in a single button that could order the router to, for example, delete all firewall rules. That would give them an advantage in an attack."

The second example is more insidious, because the victim's browser is already authenticated to the router: attackers wouldn't have to worry about mimicking or compromising a legitimate Web site at all.
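To make the "virtual depth" concrete, here is an added example (not code from the article, from NoScript, or from the researchers' demonstrations) that models how a browser decides which stacked element receives a click. Browsers hit-test by geometry and stacking order and ignore opacity, so a fully transparent layer on top still gets the click. The layer names, coordinates and the "router button under the decoy" scene are constructed for illustration; the final check compares what the user sees with what will actually receive the click, which is the kind of visual-versus-actual comparison a browser-side protection can make.

```javascript
// Added example: a minimal model of browser hit-testing over stacked layers.
// A layer is a rectangle with a stacking order (zIndex), a CSS opacity and a
// pointer-events setting. Names and geometry below are constructed.

// Topmost layer under `point` among those accepted by `accept`.
// Higher zIndex wins; on a tie the later element (document order) wins.
function topmostAt(layers, point, accept) {
  let top = null;
  for (const l of layers) {
    const inside =
      point.x >= l.x && point.x < l.x + l.width &&
      point.y >= l.y && point.y < l.y + l.height;
    if (!inside || !accept(l)) continue;
    if (top === null || l.zIndex >= top.zIndex) top = l;
  }
  return top;
}

// What the browser dispatches the click to: opacity plays no part, only
// pointer-events: none removes a layer from hit-testing.
function receivesClick(layers, point) {
  return topmostAt(layers, point, (l) => l.pointerEvents !== "none");
}

// What the user perceives at that point: the topmost layer that is actually
// visible (opacity at or above a small threshold).
function appearsAt(layers, point, minOpacity = 0.1) {
  return topmostAt(layers, point, (l) => l.opacity >= minOpacity);
}

// Defender's check: a click is suspicious when the element that will receive
// it is not the element the user can see at that spot.
function isClickjacked(layers, point) {
  const target = receivesClick(layers, point);
  const seen = appearsAt(layers, point);
  if (target === null) {
    return { clickjacked: false, target: null, seen: seen ? seen.name : null };
  }
  return {
    clickjacked: seen === null || seen.name !== target.name,
    target: target.name,
    seen: seen ? seen.name : null,
  };
}

// Constructed scene: a decoy page with a visible button, and an invisible
// framed element (opacity 0) positioned exactly over that button, the way
// Hansen's router example places a framed "delete firewall rules" button
// under the mouse.
const SCENE = [
  { name: "decoy-page",           x: 0,   y: 0,   width: 800, height: 600, zIndex: 0, opacity: 1, pointerEvents: "auto" },
  { name: "decoy-button",         x: 300, y: 250, width: 120, height: 40,  zIndex: 1, opacity: 1, pointerEvents: "auto" },
  { name: "hidden-framed-button", x: 300, y: 250, width: 120, height: 40,  zIndex: 2, opacity: 0, pointerEvents: "auto" },
];

// Usage: the user aims at the decoy button, but the framed button gets the click.
const verdict = isClickjacked(SCENE, { x: 350, y: 270 });
console.log(verdict);
// -> { clickjacked: true, target: 'hidden-framed-button', seen: 'decoy-button' }
console.log(isClickjacked(SCENE, { x: 100, y: 100 }));
// -> { clickjacked: false, target: 'decoy-page', seen: 'decoy-page' }
```

The model shows why the transparency trick works: opacity changes what is painted, not where events go. It also shows the limit of any click-time check, which can only flag the mismatch after the layers are already in place; the robust fix is for the sensitive page to refuse to be framed by other sites in the first place.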

Smile, you're on candid camera
You may have been wondering why I mentioned Adobe earlier. Well, they're in the middle of this vulnerability, too. Exploiting a vulnerable version of Flash Player software with clickjacking could allow the attacker to turn on computer-connected webcams and microphones, actually spying on the user.

This vulnerability is already out in the wild; Flash developer Guy Aharonovsky published a proof-of-concept (PoC) demonstration on his Guya.net Web site. The actual demonstration is currently disabled, but the video depicts how the attack occurs. There are several interesting comments and references to other articles about clickjacking on the Guya Web site as well.

TechRepublic editor Selena Frye's recent article "Flash Player 10 Performing Better on Linux, Mac OS" mentions several reasons why the new release is significant. Flash Player 10 is also significant because of the code Adobe recently added to eliminate the clickjacking vulnerability.

In fact, in the security bulletin "Flash Player Update Available to Address Security Vulnerabilities" released on October 15, 2008, Adobe pointed out the only recourse users have is to update to version 10 of Flash Player. If you want to know what version of Flash Player is installed on your computer and where to download the latest version, you can do so at the Adobe Flash Player Web site.

More Clickjacking details
When Grossman and Hansen initially presented the details of this vulnerability, Adobe asked them not to go public with the exploit until they (Adobe) had a fix. With the release of the PoC on the Guya Web site and the almost simultaneous release of Flash Player 10, the researchers no longer had any reason not to discuss the details of the vulnerability. You can read about all 12 issues at the ha.ckers.org Web site.

How to eliminate the vulnerability?
The one obvious fix is to update to Flash Player 10 if at all possible. As for Web browsers, it's more difficult. If you're using Firefox, I'd suggest upgrading to version 3 and installing all the latest patches.

You may have heard me mention NoScript before. Giorgio Maone, the developer of NoScript, has been in contact with Grossman, and both are of the mind that NoScript will in almost all cases prevent clickjacking attacks. The only problem is that NoScript isn't intuitive, and a majority of users will get frustrated with it almost immediately.

As for other browsers, Maone published "Clickjacking and Other Browsers (IE, Safari, Chrome, and Opera)" on his Hackademix.net Web site, where he explained what, if anything, can be done to prevent clickjacking attacks while using IE, Safari, Chrome, or Opera.
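The mitigations above are all on the user's side (a patched Flash Player, a newer browser, NoScript). The site operator's side of the fix, which browsers adopted after this article was written, is for a page that must not be framed to say so in its HTTP response, via the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive. The following is an added example, not code from the article, from NoScript or from Adobe, that audits a response's headers for that protection and produces the headers to send. The header semantics are real; the sample responses are constructed.

```javascript
// Added example: audit a response for anti-framing headers and generate them.
// `headers` is a plain object with lower-cased header names and string values,
// as Node's http module exposes them. Sample responses are constructed.

// Extract the source list of the frame-ancestors directive from a CSP value.
// Returns an array of source expressions, or null when the directive is absent.
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1);
    }
  }
  return null;
}

// Classify the framing policy of a response. Browsers that understand
// frame-ancestors give it precedence over X-Frame-Options, so it is checked
// first; X-Frame-Options is the fallback for browsers that only know the
// older header.
function auditFraming(headers) {
  const ancestors = frameAncestors(headers["content-security-policy"]);
  if (ancestors !== null) {
    const srcs = ancestors.map((s) => s.toLowerCase());
    if (srcs.length === 0) {
      return { protected: false, source: "csp", reason: "empty frame-ancestors directive" };
    }
    if (srcs.includes("*") || srcs.includes("http:") || srcs.includes("https:")) {
      return { protected: false, source: "csp", reason: "frame-ancestors allows any origin" };
    }
    return { protected: true, source: "csp", reason: `frame-ancestors ${ancestors.join(" ")}` };
  }
  const xfo = headers["x-frame-options"];
  if (!xfo) {
    return { protected: false, source: null, reason: "no anti-framing header" };
  }
  const value = xfo.trim().toUpperCase();
  if (value === "DENY" || value === "SAMEORIGIN") {
    return { protected: true, source: "xfo", reason: `X-Frame-Options ${value}` };
  }
  // ALLOW-FROM was never supported by every browser, and an invalid value is
  // ignored, so neither can be counted on; report the response as unprotected.
  return { protected: false, source: "xfo", reason: `unreliable X-Frame-Options value: ${xfo}` };
}

// Headers a page that must never be framed by another site should send.
// Sending both covers browsers that understand only one of them.
function antiFramingHeaders(allowSameOrigin = false) {
  return {
    "x-frame-options": allowSameOrigin ? "SAMEORIGIN" : "DENY",
    "content-security-policy": allowSameOrigin ? "frame-ancestors 'self'" : "frame-ancestors 'none'",
  };
}

// Constructed samples: an admin page with no protection, as in the router
// example, and the same page after the fix.
const UNPROTECTED = { "content-type": "text/html" };
const FIXED = { ...UNPROTECTED, ...antiFramingHeaders() };

console.log(auditFraming(UNPROTECTED));
// -> { protected: false, source: null, reason: 'no anti-framing header' }
console.log(auditFraming(FIXED));
// -> { protected: true, source: 'csp', reason: "frame-ancestors 'none'" }
```

In a Node http or Express handler the generated values are applied with `res.setHeader(name, value)` for each entry before the body is written; an existing Content-Security-Policy should have the frame-ancestors directive appended rather than be replaced. The audit deliberately treats ALLOW-FROM and anything it does not recognise as unprotected, since a check that reports "protected" on a header some browsers ignore is worse than no check.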

Final thoughts
It's still early in the discussion stage, so the fallout from clickjacking is hard to predict. Most experts believe clickjacking is a big deal and can only be truly rectified by redesigning the browsers. What I find more alarming is the following quote by Hansen:

"When Jeremiah and I were looking at clickjacking, we found all kinds of random browser bugs, tons of bugs and a mess load of flaws. A lot of them were unrelated to clickjacking. But as other researchers start looking at clickjacking, they'll find their own interesting bugs."

That's not a very comforting thought, but I'm glad they're looking.

Talkback

Clickjacking demo (March 30th, 2009)

It's quite harmful.
An example is shown here: http://www.ratmort.fr/adsense_clickjacking/