Welcome to WebmasterWorld Guest from 188.8.131.52
Forum Moderators: phranque
Internet and Web browser security experts are sounding the alarm about a new type of malicious attack called "clickjacking," a technique that can be used to dupe Web surfers into revealing confidential information while clicking on seemingly innocuous Web pages. Among other things, a clickjacking attack can be used to take control of a computer's Webcam and microphone without the knowledge of the user.
Web Surfers Face Dangerous New Threat: 'Clickjacking'
2008-10-08 - [news.yahoo.com...]
Opera has the ability to set permissions on a site-by-site basis. I've been a big fan of this feature. I have my commonly used sites setup with the permissions they need. Otherwise all scripting is off by default. It can take longer to surf some new sites, but it's a lot safer.
Firefox has the NoScript add-on. I really wish they had this functionality in Opera. NoScript is the first thing I add to an FF install. I turn off access to everything except for trusted sites.
IE is something I only use to check my sites for compatibility. I've got the general Internet zone set to High. I manually add all my sites to the Trusted zone. This really kills IE's functionality on most sites, but I don't surf with this browser regularly.
Safari no longer runs free on my machines. Too many issues. I run it in a virtual PC environment only.
Chrome was fun to surf with for a few days, but the security issues are too many. That's heading to the virtual PC with Safari for the time-being.
I cannot fathom how it possibly works. I hope the hackers have just as hard of a time.
One thing that might help is FlashBlock (for firefox) [addons.mozilla.org] which stops all flash except the scripts you press the "play button" on.
[edited by: amznVibe at 12:45 pm (utc) on Oct. 9, 2008]
There is no workaround (and thankfully no proof-of-concept) and noscript does not stop it from happening
As far as I'm aware none of these is true - there are clickjacking examples, and also mechanisms that should detect when it has occurred (in most cases). Noscript includes some protection enabled by default in current versions.
gee bill thats hard core tin hat stuff.
That's exactly what I do except I add the following:
1) Hostman to add thousands of virus, malware, advertising sites to my hosts file.
2) Avast anti-virus
3) Adblock Plus
More on NoScript and Clickjacking prevention:
We do this company wide and NEVER have to deal with compromised computers.
Do you remember when the internet or WWW was not such a trusted place to shop or give any credit card info, etc. online? Over the past several years the web has become a much more consumer trusted place to browse, shop etc.............Right?
As this story of the virtually unstoppable "clicktracking" hits the bigger mainstream media;
what will this do for consumer confidence in shopping on the web?
I send up the signal flare first. This is a HUGE issue which must be addressed by everyone and anyone capable.
Excerpt from the Yahooo News Article:
Maone agreed. "This problem comes from features which are integral to the modern Web as we know it," he said, "and especially from the ability of Web pages to embed arbitrary content from different sites, or to host little applications (applets) through plug-ins like Adobe Flash, Java or Microsoft Silverlight."
Maone predicted that a general browser fix won't be developed any time soon, since the real solution lies in developing a general consensus about changing existing Web standards in the various Internet standardization groups.
OK, I dug it up from my history. Since WW is usually against links, I haven't posted one in years, but this clickjacking is pretty serious so I'm going to post these links because I think it's appropriate but if the mods have a problem, feel free to yank, I understand...
The fella who said it's mostly ok:
(I think he invented one of those image replacement techniques)
the testing site (if you have to remove only one link, this is the one to keep):
(Click check my dns)
[edited by: jdMorgan at 2:50 pm (utc) on Oct. 9, 2008]
So again, this trick is way beyond me. Curious to know what it is but hope it doesn't become well known.
This technique has been used for years. Putting an overlay over a page to intercept clicks has been done before.
Important to know before anyone panics - it's difficult to pull off:
From an attacker’s perspective the most important thing is that
a) they know where to click
b) they know the URL of the page they want you to click, in the case of cross domain access.
So if either one of these two requirements aren’t met, the attack falls down.
Frame busting code is the best defense...
So be sure to add frame busting code to all your onloads.
if (window!=top) top.location.href=location.href;
[edited by: amznVibe at 4:58 pm (utc) on Oct. 9, 2008]
1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: [adobe.com...]
2. Select the "Always deny" button.
3. Select ‘Confirm’ in the resulting dialog.
4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings...
Stupid question: isn't there some way to simply deny access from the machine itself? I don't remember Windows, but it's pretty easy to turn off the camera, mic, etc. in Leopard... Wouldn't that be enough?
Yes. (so, not so stupid!)
If your microphone has a shutoff switch, turn it off.
Same for webcam (although I haven't got one of those, so don't know how they work). But you should at least be able to disconnect it when not in use.
They can't misuse hardware that is physically disconnected.
It's also a good idea to set your Flash security settings on the page posted by tedster, or better yet disable Flash in Manage Add-ons (IE7) or just don't install it at all or use FlashBlock (FireFox).
[edited by: SteveWh at 6:56 pm (utc) on Oct. 13, 2008]