, SecurityFocus 2008-09-30
Story continued from Page 1
While the issue is serious, a number of considerations could make a practical attack difficult. The attacker has to know where the button is on a page and, thus, the attack requires a staging to get right, said Hansen, an independent security consultant. In addition, the attacker must be able to access the Web page in the same way as the victim. Finally, with each additional click required by a Web page to complete an action, the attack become harder.
"If I was a bad guy and I just wanted to screw some people over, clickjacking would not be my attack of choice," Hansen said. "There are so much easier exploits out there -- in terms of the amount of staging you have to do ahead of time -- that an attacker could use."
That's good, because solving the clickjacking problem will not be easy. In an e-mail to a mailing list run by the Web Hypertext Application Technology (WHAT) working group, browser expert Michal Zalewski described five potential fixes that fall into two broad categories. Opt-in solutions would require each Web site to fix the issue, but -- while simpler -- many Web sites would fail to implement changes. Opt-out solutions would rely on modifying the behavior of IFRAMEs to make clickjacking attacks more difficult.
Currently, Microsoft and Mozilla are investigating the issue, according to statements sent to SecurityFocus.
"No one knows what the best solution will be or when it will come," WhiteHat's Grossman said. "(It) could possibly require an architectural change."
If you have tips or insights on this topic, please contact SecurityFocus.