homepage Welcome to WebmasterWorld Guest from 54.196.195.207
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
Forum Library, Charter, Moderators: phranque

Website Technology Issues Forum

    
Web Surfers Face Dangerous New Threat: 'Clickjacking'
pageoneresults




msg:3761822
 5:41 am on Oct 9, 2008 (gmt 0)

Internet and Web browser security experts are sounding the alarm about a new type of malicious attack called "clickjacking," a technique that can be used to dupe Web surfers into revealing confidential information while clicking on seemingly innocuous Web pages. Among other things, a clickjacking attack can be used to take control of a computer's Webcam and microphone without the knowledge of the user.

Web Surfers Face Dangerous New Threat: 'Clickjacking'
2008-10-08 - [news.yahoo.com...]

 

bill




msg:3761873
 7:59 am on Oct 9, 2008 (gmt 0)

Sounds spooky, but what can you do?

Opera has the ability to set permissions on a site-by-site basis. I've been a big fan of this feature. I have my commonly used sites setup with the permissions they need. Otherwise all scripting is off by default. It can take longer to surf some new sites, but it's a lot safer.

Firefox has the NoScript add-on. I really wish they had this functionality in Opera. NoScript is the first thing I add to an FF install. I turn off access to everything except for trusted sites.

IE is something I only use to check my sites for compatibility. I've got the general Internet zone set to High. I manually add all my sites to the Trusted zone. This really kills IE's functionality on most sites, but I don't surf with this browser regularly.

Safari no longer runs free on my machines. Too many issues. I run it in a virtual PC environment only.

Chrome was fun to surf with for a few days, but the security issues are too many. That's heading to the virtual PC with Safari for the time-being.

Pass the Dutchie




msg:3761890
 8:50 am on Oct 9, 2008 (gmt 0)

gee bill thats hard core tin hat stuff.

amznVibe




msg:3762004
 12:40 pm on Oct 9, 2008 (gmt 0)

This was announced a few weeks ago, and the mainstream press has finally caught it for a second round on the internet.

[news.google.com...]

There is no workaround (and thankfully no proof-of-concept) and noscript does not stop it from happening. It works without javascript.

I cannot fathom how it possibly works. I hope the hackers have just as hard of a time.

One thing that might help is FlashBlock (for firefox) [addons.mozilla.org] which stops all flash except the scripts you press the "play button" on.

[edited by: amznVibe at 12:45 pm (utc) on Oct. 9, 2008]

Receptional Andy




msg:3762008
 12:46 pm on Oct 9, 2008 (gmt 0)

There is no workaround (and thankfully no proof-of-concept) and noscript does not stop it from happening

As far as I'm aware none of these is true - there are clickjacking examples, and also mechanisms that should detect when it has occurred (in most cases). Noscript includes some protection enabled by default in current versions.

The non-javascript version thus far relies on form submissions that occur when users click on things that they don't believe will actually submit a form.

frontpage




msg:3762049
 1:56 pm on Oct 9, 2008 (gmt 0)

gee bill thats hard core tin hat stuff.

That's exactly what I do except I add the following:

1) Hostman to add thousands of virus, malware, advertising sites to my hosts file.
2) Avast anti-virus
3) Adblock Plus

More on NoScript and Clickjacking prevention:
[hackademix.net...]

We do this company wide and NEVER have to deal with compromised computers.

Propools




msg:3762051
 2:04 pm on Oct 9, 2008 (gmt 0)

In reading this post and the Yahoo News article, Red Flags started going off everywhere. Why?

Do you remember when the internet or WWW was not such a trusted place to shop or give any credit card info, etc. online? Over the past several years the web has become a much more consumer trusted place to browse, shop etc.............Right?

As this story of the virtually unstoppable "clicktracking" hits the bigger mainstream media;
what will this do for consumer confidence in shopping on the web?

I send up the signal flare first. This is a HUGE issue which must be addressed by everyone and anyone capable.

Excerpt from the Yahooo News Article:
Maone agreed. "This problem comes from features which are integral to the modern Web as we know it," he said, "and especially from the ability of Web pages to embed arbitrary content from different sites, or to host little applications (applets) through plug-ins like Adobe Flash, Java or Microsoft Silverlight."

Maone predicted that a general browser fix won't be developed any time soon, since the real solution lies in developing a general consensus about changing existing Web standards in the various Internet standardization groups.


Clark




msg:3762071
 2:18 pm on Oct 9, 2008 (gmt 0)

I read the vulnerability has been patched in general, there was a site that tested if your provider patched it (mine did)...only the iphone has no patch. Or something like that.

OK, I dug it up from my history. Since WW is usually against links, I haven't posted one in years, but this clickjacking is pretty serious so I'm going to post these links because I think it's appropriate but if the mods have a problem, feel free to yank, I understand...

The fella who said it's mostly ok:
[mezzoblue.com...]
(I think he invented one of those image replacement techniques)

the testing site (if you have to remove only one link, this is the one to keep):
[doxpara.com...]
(Click check my dns)

jdMorgan




msg:3762089
 2:28 pm on Oct 9, 2008 (gmt 0)

Clark,

This is not the previously-reported DNS hijacking exploit that you've read about -- That problem is the one that is addressed at the ISP/DNS provider level. The current problem is a hover-based issue having to do with JavaScript, CSS overlays, or iFrames.

Jim

[edited by: jdMorgan at 2:50 pm (utc) on Oct. 9, 2008]

Propools




msg:3762097
 2:42 pm on Oct 9, 2008 (gmt 0)

And since this is still yet, so undetectable, I wonder if search will start penalizing sites which use
JavaScript CSS overlays, or iFrames
because of the anonymous nature of the code?
Clark




msg:3762100
 2:46 pm on Oct 9, 2008 (gmt 0)

Oh.

Hmm, I definitely read about clickjacking but obviously I confused who wrote about it. Another search of my history did not turn up the other fella Sorry Jim.

amznVibe




msg:3762207
 4:35 pm on Oct 9, 2008 (gmt 0)

By the way, if this is true, this means that apps could click your google adsense links and make it seem like you clicked them, getting Google to ban you.

It's easy in javascript to replace/follow a link but impossible if your frame doesn't own the page. All modern browsers block changes from frames with one domain affecting a page with a different domain.

So again, this trick is way beyond me. Curious to know what it is but hope it doesn't become well known.

amznVibe




msg:3762215
 4:42 pm on Oct 9, 2008 (gmt 0)

Oh wait, I just found the site that explains it all (kind of obvious, it's the keyword.com)

This technique has been used for years. Putting an overlay over a page to intercept clicks has been done before.

Important to know before anyone panics - it's difficult to pull off:
From an attacker’s perspective the most important thing is that

a) they know where to click
b) they know the URL of the page they want you to click, in the case of cross domain access.

So if either one of these two requirements aren’t met, the attack falls down.

Frame busting code is the best defense...

So be sure to add frame busting code to all your onloads.
You can add a snippet of code to make this happen on all your pages if you use a header template or common external javascript file. Something like:
if (window!=top) top.location.href=location.href;

[edited by: amznVibe at 4:58 pm (utc) on Oct. 9, 2008]

shamgar




msg:3762274
 5:33 pm on Oct 9, 2008 (gmt 0)

well, I don't have a webcam or a mic so yah yah.

tedster




msg:3762297
 6:02 pm on Oct 9, 2008 (gmt 0)

Adobe has released some advice for the Flash-based type of clickjacking - with a complete patch promised by the end of October.

1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: [adobe.com...]

2. Select the "Always deny" button.

3. Select ‘Confirm’ in the resulting dialog.

4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings...

[adobe.com...]


rise2it




msg:3762585
 2:01 am on Oct 10, 2008 (gmt 0)

Thanks...picked up some great tips from you guys...

Propools




msg:3762951
 2:39 pm on Oct 10, 2008 (gmt 0)

Tedster.....................You Da Man!. Thanks for the information update.

notsosmart




msg:3763189
 7:10 pm on Oct 10, 2008 (gmt 0)

Stupid question: isn't there some way to simply deny access from the machine itself?

I don't remember Windows, but it's pretty easy to turn off the camera, mic, etc. in Leopard...

Wouldn't that be enough?

Before you rake me over the coals for my lack of knowledge, please note my handle. ;-)

CWebguy




msg:3764706
 5:21 pm on Oct 13, 2008 (gmt 0)

I use the philosophy, if you don't want to get your car jacked...then don't drive through Harlem at two o'clock in the morning :) Works for the web too ;) And if he offers you something free, question his motives :)

SteveWh




msg:3764776
 6:53 pm on Oct 13, 2008 (gmt 0)

Stupid question: isn't there some way to simply deny access from the machine itself? I don't remember Windows, but it's pretty easy to turn off the camera, mic, etc. in Leopard... Wouldn't that be enough?

Yes. (so, not so stupid!)
If your microphone has a shutoff switch, turn it off.
Same for webcam (although I haven't got one of those, so don't know how they work). But you should at least be able to disconnect it when not in use.

They can't misuse hardware that is physically disconnected.

-----

With regard to the other issues, there are many JavaScript exploits. In IE7, setting the Internet Zone level to High turns JS off. In FF, you can turn it off manually or using the NoScript add-on which emulates the IE7 functionality. It is safest to visit all unfamiliar sites with JS Off.

It's also a good idea to set your Flash security settings on the page posted by tedster, or better yet disable Flash in Manage Add-ons (IE7) or just don't install it at all or use FlashBlock (FireFox).

[edited by: SteveWh at 6:56 pm (utc) on Oct. 13, 2008]

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Hardware and OS Related Technologies / Website Technology Issues
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved