October 16, 2008

Beware, Many Browsers are Vulnerable to "Clickjacking"

Here's a truly disturbing thought: "Submit" buttons (and other buttons, such as "Print", "Next Page", etc.) are very common in web pages. That "Submit" button you think you're clicking on in your web browser could be redirected to to another web site or perform just about any other type of action. This is known as "clickjacking", where the attacking web site steals your mouse clicks. What's worse, all of the popular web browsers are being reported as vulnerable: IE, Firefox, Safari, and others. Ouch.

The problem is, clickjacking takes many forms. Some require javascript, and some don't. Some of the vulnerabilities show up in other web-related add-ons, such as Adobe Flash and Microsoft's Silverlight. One important way to help stop at least some of the clickjacking attempts is to disable javascript in your browser. The huge downside is that because javascript is present on so many sites today, disabling it just cripples your web experience, and possibly a number of web apps. So instead of disabling javascript for all sites, it's better to enable JavaScript only for approved sites. The same goes for ActiveX, which has long been a security challenge. But again, that's a lot of sites for most of us, so it pretty much stinks either way you look at it for a supposed "quick fix".

Per Stuart Johnston's column in Windows Secrets, here's how clickjacking works:

In clickjacking, surreptitious buttons are "floated" behind the actual buttons that you see on a Web site. When you click the button, you're not triggering the function that you expected. Instead, the click is routed to the bad guy's substitute link.

Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, chief technology officer of WhiteHat Security, are the bug sleuths who discovered this latest generation of potential security glitches.

They point out that even users who watch their systems like a hawk can be victimized.

"There's really no way to know if what you're looking at is real," Hansen told Windows Secrets.

In fact, Hansen and Grossman found so many new ways to attack your PC - and your Mac - that they categorize these threats as a "new class" of exploits. While this class includes scripting attacks, it also affects scriptable plug-ins such as Microsoft ActiveX controls, Skoudis said.

Clickjacking isn't new. In fact, it dates back to at least 2002, Hansen said. What's new is the range of browser vulnerabilities that make clickjacking possible.

You can also read Robert Hansen's blog posting, "Clickjacking Details", which describes it in much more technical detail. It also lists specific types of clickjacking exploits, and each of their statuses in terms of whether they are still unresolved, have been resolved, or will be fixed in a future version of the software mentioned.

Probably the best advice to take away from this is to be careful which web neighborhoods you're visiting, just like in the real world. Mainstream companies usually don't want the bad press and customer reactions, so it's more likely going to be the fringe sites that would implement these security exploits.

The trick with many exploits is that they somehow have to get you to go there. So don't click on web site links contained in your incoming e-mail, unless you're absolutely sure they are legitimate (which can also be somewhat difficult to tell these days). I can see where a lot of phishing e-mail scams would send you an official-looking e-mail with a link to an official-looking but totally fake web site, which would then either steal your personal data or employ clickjacking or other tactics to accomplish their nefarious goals.

Topic(s):   Privacy & Security
Posted by Jeff Beard