Clickjacking…
Two researchers, Robert Hansen and Jeremiah Grossman, were planning to present their research on clickjacking at OWASP, New York City, but had to postpone the presentation because they figured out that exploitation of this vulnerability can be worse than they had thought. Affected vendors asked them to postpone the disclosure so that the vendors can fix it. Most of the time a vulnerability needs to be fixed by the web application, but this time browser vendors have taken up the task of fixing it. Microsoft and Adobe are a few of those affected.
These attacks are somewhat tedious and require precision compared to other powerful attacks like CSRF, SQLi etc. The attacker needs to know the exact layout of the page that the victim would be viewing; a small shift in position can foil the whole attack. So these attacks can be done on pages whose button positions remain static. The CSRF token solution will not work here, because the click comes from the victim on the genuine page and the resulting request carries a valid token.
However, these attacks require the user to be logged in. So, a piece of advice:
- Never browse critical pages (like net-banking or e-mail sites) while you are browsing other untrusted (or even trusted) pages. If you need to open a link at the same time, I would recommend copying the link and opening it in a completely new browser window. Say, if you are browsing Gmail using Firefox, open any required link in IE. This could prevent the attack.
- Never allow your browser to save passwords for those critical sites, or else the first point will fail.
- Never trust any link, even if it shows that it points to a trusted site :)
While the details of the exploits are not yet disclosed, a researcher, Tod Beardsley, claims to have discovered the vulnerability simultaneously. He has disclosed the same here. Till then, let's wait with fingers crossed for browsers to fix these issues quickly, and I will be waiting for the duo to disclose the vulnerability.
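Since a CSRF token does not help here, the server-side control is to stop the page from being displayed inside another site's frame. The following is an added example, not part of the original post: it assumes the attack layers the target page in a frame under a lure, and models how a browser applies the X-Frame-Options and CSP frame-ancestors response headers (neither is mentioned in the post). The origins and header sets are constructed.

```python
# Added example: simplified model of a browser deciding whether a response
# may be rendered in a frame. Only a single parent frame is considered.

def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def framing_allowed(headers, page_origin, embedder_origin):
    """True if embedder_origin could display this response in a frame."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = page_origin.lower(), embedder_origin.lower()
    sources = parse_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # When frame-ancestors is present it is enforced and
        # X-Frame-Options is ignored. An empty list or 'none' matches nothing.
        return any(
            s == "*" or s == embedder or (s == "'self'" and embedder == page)
            for s in sources
        )
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    # Missing, misspelled or obsolete (ALLOW-FROM) values give no protection.
    return True

BANK = "https://bank.example"          # constructed target origin
LURE = "https://free-shirts.example"   # constructed lure origin
SAMPLES = {                            # constructed response header sets
    "csrf_token_only": {"Set-Cookie": "csrf_token=constructed123; Secure"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_sameorigin": {"x-frame-options": "sameorigin"},
    "xfo_allow_from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp_self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp_partner": {"X-Frame-Options": "DENY",
                    "Content-Security-Policy": "frame-ancestors https://partner.example"},
}

def audit(samples=SAMPLES):
    """Map each sample name to whether the lure origin could frame it."""
    return {name: framing_allowed(h, BANK, LURE) for name, h in samples.items()}

if __name__ == "__main__":
    for name, framable in audit().items():
        print(f"{name:16} framable by lure site: {framable}")
```

The csrf_token_only and xfo_allow_from samples remain framable, which is the gap to look for when reviewing a critical page's response headers.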
Nice informative post w0lf … But this attack requires too much precision. Would launching such an attack be feasible?
Well, if this attack can be used to generate good revenue then it can be used. Well, I can see a good point of using this attack: say, I may use this attack by social engineering visitors to click on some link saying "get free T-shirts for early-birds – Click Here", and beneath that button there will be the page containing a link (on the same x-y dimensions) to generate revenue, like AdSense etc. This is a feasible thing. Well, there are people out there who can invest a good amount of time to create a clickjacking attack page and transfer a bulk amount from a victim's bank account to their account, which will be more than worth their hard work.
Hmm… Smart !! very smart… nice reward if you get through !!!
Yes.. nice reward. But my lazy bones do not permit me to do so.