Digg this story   Add to del.icio.us   (page 2 of 2 ) previous 
Researchers weigh "clickjacking" threat
Robert Lemos, SecurityFocus 2008-09-30

Story continued from Page 1

While the issue is serious, a number of considerations could make a practical attack difficult. The attacker has to know where the button is on a page and, thus, the attack requires a staging to get right, said Hansen, an independent security consultant. In addition, the attacker must be able to access the Web page in the same way as the victim. Finally, with each additional click required by a Web page to complete an action, the attack become harder.

"If I was a bad guy and I just wanted to screw some people over, clickjacking would not be my attack of choice," Hansen said. "There are so much easier exploits out there -- in terms of the amount of staging you have to do ahead of time -- that an attacker could use."

That's good, because solving the clickjacking problem will not be easy. In an e-mail to a mailing list run by the Web Hypertext Application Technology (WHAT) working group, browser expert Michal Zalewski described five potential fixes that fall into two broad categories. Opt-in solutions would require each Web site to fix the issue, but -- while simpler -- many Web sites would fail to implement changes. Opt-out solutions would rely on modifying the behavior of IFRAMEs to make clickjacking attacks more difficult.

Using a browser plug-in to block Javascript, such as NoScript for the Firefox browser, can protect against the most serious forms of the attack, said Giorgio Maone, CEO of Italy-based InformAction, the maker of NoScript.

"JavaScript increases the effectiveness of this attacks hugely, because it ensures that user will click our target no matter where he points -- that is, we can move the target around to stay always under the mouse pointer," Maone said in an e-mail interview with SecurityFocus. "However, we can think of less effective (or) practical, but still feasible, scriptless scenarios."

However, Zalewski warned, blocking Javascript can also break a potential workaround for the issue that Web developers could deploy.

Currently, Microsoft and Mozilla are investigating the issue, according to statements sent to SecurityFocus.

"No one knows what the best solution will be or when it will come," WhiteHat's Grossman said. "(It) could possibly require an architectural change."

If you have tips or insights on this topic, please contact SecurityFocus.

    Digg this story   Add to del.icio.us   (page 2 of 2 ) previous 
Comments Mode:
Researchers weigh "clickjacking" threat 2008-10-01
Anonymous (1 replies)


Privacy Statement
Copyright 2010, SecurityFocus