10/31/08

H@x - ClickJacking

Recently, "researchers" Robert Hansen and Jeremiah Grossman unveiled the newest weapon in a hacker's arsenal: clickjacking.

Clickjacking is where an attacker can control the links your browser visits. As usual, there's an upside and a downside to this attack. The good news is that if you use a script filter, such as the Firefox add-on NoScript, there's a good chance you can prevent the attack from being used successfully against you. Now for several bits of bad news.

First, the attack can be used via any browser. Yes, that includes Firefox 3 & Internet Explorer 7. The only known browser exception is lynx.

Second, the attack can be issued through JavaScript (like many other viruses), so objects like Flash games are perfect bait. Also, eBay could be used as an attack medium since it allows JavaScript to be embedded into its website.

Lastly, and potentially most disturbing, the attack is not limited to JavaScript. It is only limited to DHTML. So, in a nutshell, while using JavaScript would be the "easiest" way for a hacker to attack, it is not the only way.

Gone are the days when you could simply "disable JavaScript" and not have to worry about any online trouble.

It is also worth mentioning that this is considered a 0 (zero)-day vulnerability. 0-day vulnerabilities are exploits which have no patch; they weren't even discovered (by the "good guys") until recently. This means that there are NO defenses for this attack. As mentioned before, the only quasi-defense is to use a script-disabling program.

For more in-depth examples, Tod Beardsley from BreakingPoint has posted a few proof-of-concept exploits with speculation around clickjacking.
