Saturday, January 10, 2009

ClickJacking and video chat

Recently I was reading about various vulnerabilities in the web world and came across the buzzword "Clickjacking". Its discoverers, Jeremiah Grossman and Robert "RSnake" Hansen, planned to demonstrate this serious vulnerability, which involves all major browsers, during a presentation scheduled for OWASP's AppSec 2008 Conference in New York. But they cancelled it because Adobe requested that they postpone it: one of Adobe's products is also vulnerable to the same issue, and Adobe wanted more time to fix it.

According to RSnake:
"Alas, it turns out that some of the issues we found weren’t just a little bad - they were a lot bad. So bad, in fact, that we felt compelled to do some responsible disclosure. One issue led into another issue into another and poof - we have at least two and probably more incoming vendor patches at a yet to-be-determined date. And we’ve only worked with a few vendors. So… yah. It’s pretty bad."

It sounds pretty bad.

"Also Jeremiah started off with a brief introduction on what clickjacking is. In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening. “A normal user wouldn’t have any idea of what is going on. People in this audience may see something a little different from what they would expect and you would definitely see the results in the page’s source code.” eBay, for example, would be vulnerable to this since you could embed JavaScript into the web page, although JavaScript is not required to exploit this. “It makes it easier in many ways, but you do not need it.” Use lynx to protect yourself and don’t do dynamic anything. You can “sort of” fill out forms and things like that. The exploit requires DHTML. Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page. Each click by the user equals a clickjacking click so something like a flash game is perfect bait" (courtesy Web Admin Blog).
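As an added example (not code from the original post or from Grossman and Hansen), here is the "framebusting" defence the quote refers to, written as pure functions over a window-like object so it can be exercised outside a browser. The names `framingState` and `applyFrameBusting` and the constructed window model are my own; the one browser fact assumed is that reading `top.location.origin` from inside a cross-origin frame throws a SecurityError, while `top === self` and assigning `top.location` do not.

```javascript
// Added example, not from the original post. The naive one-liner
//   if (top != self) top.location = self.location;
// renders the page first and only then tries to escape, and the framing page
// may manage to cancel that navigation. The safer pattern keeps the document
// hidden until it has confirmed it is not framed by a foreign origin.

function framingState(win) {
  // `win` mimics the browser `window`: { top, self, location: { origin, href } }.
  try {
    if (win.top === win.self) return 'top'; // not inside any frame
  } catch (e) {
    return 'framed-cross-origin'; // even reading `top` failed: assume hostile
  }
  // Framed. A same-origin ancestor exposes its location; a cross-origin one
  // throws when we read it, and that exception is exactly the signal we want.
  try {
    const ancestorOrigin = win.top.location.origin;
    return ancestorOrigin === win.location.origin
      ? 'framed-same-origin'
      : 'framed-cross-origin';
  } catch (e) {
    return 'framed-cross-origin';
  }
}

function applyFrameBusting(win, doc) {
  // `doc` stands in for document.documentElement; a real page ships with
  // display:none in its markup so there is no window of exposure before this runs.
  const state = framingState(win);
  if (state === 'top' || state === 'framed-same-origin') {
    doc.style.display = 'block'; // safe to reveal the page
    return { rendered: true, state };
  }
  doc.style.display = 'none'; // stay hidden: an invisible page cannot be clickjacked
  try {
    win.top.location = win.self.location.href; // attempt to break out of the frame
  } catch (e) {
    // Navigation blocked by the framing page; remaining hidden is the fallback.
  }
  return { rendered: false, state };
}
```

Script-based busting is the client-side fallback only; the server-side `X-Frame-Options` response header (and later the CSP `frame-ancestors` directive) is the mitigation that should actually carry the protection.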

There is also a mail to the OWASP community from RSnake regarding the kind of impact it might have:
"As the OWASP event organizer, this critical issue does deserve your attention. I am sure if your browser, video and microphone were taken over by someone who wanted to conduct surveillance, industrial espionage or hack your system and use the vulnerability against you and millions of users you would want to fully understand the threat. Well this is in fact the situation described below and I believe that an information security conference with industry peers from around the world IS the place to discuss/debate topics such as these and they should NOT be suppressed by anyone." (courtesy ZTrek)

The conference video:

According to Hansen, the threat scenario was discussed with both Microsoft and Mozilla, and both independently concurred that this is a tough problem with no easy solution at the moment. Grossman confirmed that the latest versions of Internet Explorer (including version 8) and Firefox 3 are affected. In the meantime, the only fix is to disable browser scripting and plugins.

More details and an FAQ are covered here (must read).