Every day we click on some kind of button in our Web browsers.
It could be a simple "Yes" button to agree to something or a "submit" button for your password. But do you know what you're actually clicking? If you're not careful, you could become a victim of a clickjacking attack.
"This vulnerability lets an attacker transparently collect user clicks and that enables them to force the user to do all sorts of things from adjusting user settings to unwittingly visiting Web sites that might have malicious code," Jeff Moss, founder of Black Hat, stated during a live Webinar on Thursday.
"It's sort of like the DNS cache vulnerability that [security researcher Dan] Kaminsky found where at first you think you understand all the implications, but the more you think about it the greater the problem becomes, sort of this daunting realization that things are screwed."
WhiteHat Security founder Jeremiah Grossman gets the credit for reporting the clickjacking security issues to Adobe earlier this year. That led to an update for its Adobe Flash product. Grossman said the latest Flash 10 player does a good job of protecting against clickjacking.
But browsers still have holes that leave users vulnerable. Clickjacking can happen via malicious IFRAMEs, which are frame areas drawing content from another source. Simply removing IFRAMEs, however, isn't necessarily the right fix.
"Shutting off IFRAME gets rid of some of the issues, but also breaks the whole revenue model of the web as it turns off some advertising," Jeremiah Grossman, founder of WhiteHat Security, said. "I don't think that will be a default feature in any Web browser any time soon."
Eric Lawrence, security program manager on Microsoft's Internet Explorer team, echoed Grossman's sentiment about the issue. Lawrence, who also participated in the live Black Hat Webinar, noted that IFRAMEs are critical for many mashup scenarios as well as some forms of Web advertising. Still, Lawrence added, focusing on IFRAMEs is important because if IFRAMEs can be better isolated, then the risk from clickjacking can be mitigated.
"The clickjacking attack is a super interesting attack because it is one of the hardest things for a browser to address," Lawrence said. "Because it is essentially the browser working in the way it was designed and intended; there is a side effect that has a security impact that we now have to find a way to mitigate against. This is one of a few things ... putting the browser vendors on the defensive where we have to find a way to not break the web while at the same time mitigating the vulnerability."
Grossman noted that regular FRAMEs could potentially be used for clickjacking as well. Both FRAME and IFRAME are part of the HTML standards that all Web browsers implement.
Though the problem affects end users of Web sites, at the root of the clickjacking attacks are the Web sites themselves, which are often attacked so that exploit code that can hit browsers can be deployed.
This is why Grossman and Lawrence stressed proper Website server security. Microsoft's next browser, IE 8, will include technology that will let different browser tabs run in different processes, Lawrence said. The idea is that processes don't jump tabs, which could potentially mitigate risk. A similar approach is used by Google's Chrome browser as well.