Perhaps everyone concerned about online security has heard of clickjacking. This cyber buzzword was disclosed in the last week of September and remains a hot topic. Experts have been forceful about how scary this new form of cyberjacking is, while many of us are perhaps still lost, if not confused or complacent, as to what it can really do, why one should be aware of clickjacking, and what we can do to protect ourselves.
Clickjacking, simply put, is stealing mouse clicks from users. In this type of attack, the malicious user takes control of the links that a user can follow while he/she is on a malicious domain.
For example, a hacker sets up Site A. Site A is actually a cover for certain parts of Site B (a legitimate site the user is a member of). Interaction with Site A is set up such that a user clicking any button on Site A is actually clicking, say, “Delete All Files” on Site B. The user, of course, does not know this.
In a more critical example, which suggests how these attacks can remain persistent once initiated, the Flash Security Settings Manager can also be modified to turn off security settings in Flash. (And these are just two versions of several others.)
Regarding clickjacking, there are three significant points that should be considered:
- Clickjacking techniques are used with little or no leniency since clickjacks can take control of how users navigate within the page by, say, making all links in a certain Web page bogus. Consequently, users can click any link they feel drawn to, but the clickjacks still end up directing them where hackers want them to go.
- Clickjacks can use any form of link (an image link in the form of a button, or a text link) to lure users into clicking. The sad part is that no user will even know that he/she is already within a hijacked page. Only Web security/reputation services can block the bad pages.
- Lastly, and perhaps most diabolic, clickjacking techniques have made the exploit adaptable in certain situations.
Security researcher and WhiteHat CTO Jeremiah Grossman, one of the discoverers of this exploit, stated that:
“Everyone, including browser vendors, Adobe (plus other plug-in vendors), website owners (framebusting code), and Web users (NoScript) all need their own solutions to assist in case the others don’t do enough or anything at all.”
Robert “Rsnake” Hansen, the co-revealer of clickjacking, also recommends that users set their browsers’ configuration to “Plugins|Forbid IFRAME” and install the NoScript widget as a good defense combination against clickjacking attacks. NoScript, a Firefox add-on, introduces a feature called ClearClick, which prevents the interaction from completing and reveals the real destination whenever a user clicks the mouse or types on the keyboard while interacting with a hidden element.
At that point, the user can evaluate if the click target was actually the intended one and decide to keep it locked or to unlock it for free interaction.
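On the website-owner side, a site can check whether its own responses could be loaded in a frame by a page like Site A at all. The following is an added example, not code from the original article or from the researchers it quotes; it goes beyond the framebusting script mentioned above and audits the `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` response headers, which the article does not discuss. The function names and sample headers are constructed for illustration.

```javascript
// Added example, not from the original article. Assumes lower-cased header
// names (as Node's http module delivers them); all sample headers are constructed.
const RANK = { frameable: 0, allowlist: 1, blocked: 2 };

// Classify one frame-ancestors source list (an empty list behaves like 'none').
function classifySources(sources) {
  if (sources.every((s) => s === "'none'" || s === "'self'")) return "blocked";
  // "*" or a bare scheme such as "https:" lets any site of that scheme frame the page.
  if (sources.some((s) => s === "*" || /^[a-z][a-z0-9+.-]*:$/i.test(s))) return "frameable";
  return "allowlist"; // only the listed origins may frame the page
}

// Return the frame-ancestors verdict for a CSP header value, or null if absent.
function cspVerdict(csp) {
  let verdict = null;
  // Several policies may be comma-joined; the browser enforces all of them,
  // so the strictest frame-ancestors directive decides.
  for (const policy of String(csp || "").split(",")) {
    for (const directive of policy.split(";")) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() !== "frame-ancestors") continue;
      const v = classifySources(sources);
      if (verdict === null || RANK[v] > RANK[verdict]) verdict = v;
      break; // within one policy only the first occurrence of a directive counts
    }
  }
  return verdict;
}

// Can a page on another origin (Site A) load this response (Site B) in a frame?
function framingVerdict(headers) {
  const fromCsp = cspVerdict(headers["content-security-policy"]);
  if (fromCsp !== null) return fromCsp; // frame-ancestors overrides X-Frame-Options
  const xfo = String(headers["x-frame-options"] || "").trim().toUpperCase();
  // ALLOW-FROM and any other value are reported as frameable so they get reviewed.
  return xfo === "DENY" || xfo === "SAMEORIGIN" ? "blocked" : "frameable";
}

// Constructed sample: Site B's response without and with framing protection.
console.log(framingVerdict({ "content-type": "text/html" })); // frameable
console.log(framingVerdict({ "content-security-policy": "frame-ancestors 'self'" })); // blocked
```

A verdict of `frameable` means the response relies entirely on client-side measures such as framebusting script or NoScript.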
IMPORTANT: Adobe issued a workaround for this critical security issue. The solution can be found on Adobe’s Security Advisories page.