The Clickjacking Attack

Clickjacking is a well-known issue, but severely underappreciated and largely undefended, and we hope to begin changing that perception. Clickjacking is a vulnerability that’s widespread across every major web browser and Adobe Flash player. One recently-revealed problem that can arise from clickjacking, for example, is that a hacker can remotely activate someone’s web camera and microphone without their knowledge via the Adobe Flash vulnerability. Clickjacking is a well-known issue and isn’t really anything new. The decision to do a presentation came about because Robert Hansen founder and CEO of SecTheory LLC and Jeremiah Grossman the chief technology officer at WhiteHat Security Inc, felt clickjacking was severely under appreciated and largely undefended.

Clickjacking is a malicious software form that can seemingly take control of the links that an Internet browser displays for various Web pages. Once that takes place, and once a user tries to lick on that link, the user is taken to a site that is unintended. Clickjacking is also possible on the desktop as well. Clickjacking is certainly not a Web-related only problem. Clickjacking is the scram script kiddies everywhere will be running on their websites in the hope of duping innocent web surfers into revealing confidential information while clicking on seemingly innocuous pages. According to Yahoo news, it was almost impossible to spot clickjacking attempts because there are so many ways it might be implemented.

Clickjacking is very difficult to eliminate, although we can reduce its risk under certain circumstances. Because it doesn’t even rely on JavaScript and works with CSS/DHTML, it will take a lot of time, effort, and thought to eliminate. Popular Firefox addon, has been updated to face this “clickjacking” attack. The latest version of NoScript, a free extension from Mozilla, now boasts something that Italian developer and security researcher Giorgio Maone calls “ClearClick” to protect users from clickjacking attacks.

Clickjacking takes place on a web page that has been compromised where an iFrame is placed over the real content of a given web page. The real page may remain hidden while the iFrame is a faux layout that may have clickable buttons or components but in reality the hidden page is registering the actual click. Clickjackers hide what they want the victim to click by making it look like a webpage or application. You can get applications that can uncover the button or application that you are realy clicking so that you can know what not to click. Clickjacking is hard to defend against because it encompasses a very wide range of attack methods and further affects a multitude of software applications. These include plug-ins such as Adobe Flash, while clickjacking can take advantage of the very way that most major Web browsers are build.

Grossman points out that “at this time just about everyone out there using the latest versions of Internet Explorer (including version 8 ) and Firefox 3 is affected. Grossman commented on the Adobe yet to be released patches noting that “we have no ETA on Adobe fixes, but we’re hopeful that it’ll be weeks and not months. Whether or not they ‘patch,’ it will not change the content of my keynote speech,” and also added that “our belief is clickjacking as an issue is not a problem in their software, but with browsers in general.