OCTOBER 30, 2008

Clickjacking Aftermath

To get new readers up to speed: in the middle of September, researchers RSnake (Robert Hansen) and Jeremiah Grossman were planning to give a talk at OWASP on a purportedly new web attack dubbed "Clickjacking." At Adobe's request they withheld proof-of-concept code and the salient details until a patch was available to mitigate one of Clickjacking's more alarming effects, the silent enabling of a victim's webcam and microphone through the Flash settings panel. Within two weeks or so Adobe did, in fact, release Security Advisory APSA08-08 for Flash Player. With that coast clear, RSnake published the paper he and Grossman had written, which lays out the gory details. No problem, since Adobe's patched now, right?

Hmm, not so much. Clickjacking, the technique of loading a third-party page in an obscured, invisible, or otherwise misleading iframe so that a victim's clicks land on controls they cannot see, affects much, much more than Flash permissions. It is essentially a means by which a malicious web site operator or content author can get victims to perform actions on the attacker's behalf, on any site that allows itself to be framed. Strictly speaking it does not break the browser's Same Origin Policy: the attacker's page never reads the framed content. It only overlays it and relies on the fact that the victim's own clicks arrive at the framed site carrying the victim's own session cookies, so the action is taken with the victim's authority, not the attacker's.

Firefox users can take some solace in Giorgio Maone's addition of ClearClick to his excellent NoScript extension. Everyone else (which should be read as "pretty much everyone") has to rely on their favorite sites implementing their own countermeasures: frame busting, secondary authentication for sensitive actions, or other mechanisms that keep a page from being driven through a malicious iframe. Frame busting in particular is a mitigation rather than a guarantee, since it only works if the attacker cannot stop the busting script from running or the navigation it triggers from completing.
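The frame-busting countermeasure mentioned above, as an added example that is not code from this post, from NoScript, or from any of the surveyed sites. The decision is kept in a pure function so it can be exercised outside a browser with constructed window-like objects (`makeWindow`, `makeDocument`, and the `victim.example` / `attacker.example` hosts are all made up for the example), and the document is hidden before the check runs so that an attacker who manages to suppress the script is left framing a blank page.

```javascript
// Frame-busting helper, added as an example (not from the post or NoScript).
// Decision logic is separated from the DOM so it can be run in Node with
// constructed window-like objects; the last lines wire it up in a browser.

// Returns "reveal" if this window is the top-level browsing context and
// "bust" if it is inside a frame. Comparing object references (self === top)
// is safe across origins; reading top.location.href from inside a
// cross-origin frame would throw, so the check must not depend on it.
function frameDecision(win) {
  return win.self === win.top ? "reveal" : "bust";
}

// Hide-then-reveal pattern. The document is hidden before the check so that
// an attacker who prevents the script from completing (or who blocks the
// navigation it triggers) ends up framing a blank page rather than a live
// settings form. Assigning top.location is permitted even cross-origin:
// a frame may navigate its top window, it just may not read it.
function applyFrameBusting(win, doc) {
  const root = doc.documentElement;
  root.style.display = "none";
  const decision = frameDecision(win);
  if (decision === "reveal") {
    root.style.display = "block";
  } else {
    win.top.location = win.self.location; // replace the framing page with ourselves
  }
  return decision;
}

// Constructed stand-ins for window/document so the logic runs outside a browser.
function makeWindow(href, framed) {
  const win = { location: { href } };
  win.self = win;
  win.top = framed ? { location: { href: "https://attacker.example/decoy" } } : win;
  return win;
}

function makeDocument() {
  return { documentElement: { style: { display: "" } } };
}

// Walk both cases and return what happened, for a quick offline check.
function demo() {
  const results = {};
  for (const framed of [false, true]) {
    const win = makeWindow("https://victim.example/account/edit", framed);
    const doc = makeDocument();
    results[framed ? "framed" : "top-level"] = {
      decision: applyFrameBusting(win, doc),
      display: doc.documentElement.style.display,
      topHref: win.top.location.href,
    };
  }
  return results;
}

if (typeof window !== "undefined" && typeof document !== "undefined") {
  applyFrameBusting(window, document); // real browser: run as early as possible
} else {
  console.log(demo());
}
```

In a real page the script belongs in the `<head>`, ideally preceded by a `<style>` rule that hides the document so nothing is painted before the check runs. The weak spot is the "bust" branch: it depends on the attacker's page allowing the navigation to go through, which is why the page stays hidden rather than relying on the redirect alone.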

With this in mind, I decided to take a quick peek at Alexa's top ten web sites to see how each one behaves when loaded as the source of an iframe. The (completely harmless) test page is below if you'd like to see my tests and notes for yourself.

http://www.planb-security.net/notclickjacking/iframe_madness.html
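A programmatic version of the same survey, added here as an example (not the author's test page and not code from any of the surveyed sites). Given a site's HTTP response, constructed inline rather than fetched, it reports whether the page tries to stop itself from being framed. It is a heuristic: it recognises the common script idioms and the X-Frame-Options header (a browser-enforced control that arrived after this post was written), so a page could defend in a way it does not spot, and a "script-only" verdict still warrants a manual iframe test like the one above because script busters can be bypassed. The host names in the samples are made up.

```javascript
// Heuristic framing-defence check, added as an example. Classifies a
// captured response as "browser-enforced" (X-Frame-Options), "script-only"
// (a JavaScript frame buster in the markup) or "frameable" (nothing found).

const FRAMEBUST_PATTERNS = [
  /\btop\s*\.\s*location\b/,                // top.location = self.location
  /\b(?:self|window)\s*!==?\s*top\b/,       // if (self != top) / self !== top
  /\btop\s*!==?\s*(?:self|window)\b/,       // if (top != self)
  /\bparent\s*\.\s*frames\s*\.\s*length\b/, // if (parent.frames.length > 0)
];

// Case-insensitive header lookup; returns null when the header is absent.
function headerValue(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

function classifyFramingDefense(response) {
  const xfo = headerValue(response.headers, "X-Frame-Options");
  // Only DENY and SAMEORIGIN are treated as protective; anything else is
  // reported as seen but not counted as a defence.
  const headerDefends = xfo !== null && /^(DENY|SAMEORIGIN)$/i.test(xfo.trim());
  const scriptDefends = FRAMEBUST_PATTERNS.some(re => re.test(response.body));
  let verdict;
  if (headerDefends) verdict = "browser-enforced";
  else if (scriptDefends) verdict = "script-only";
  else verdict = "frameable";
  return { xfo, headerDefends, scriptDefends, verdict };
}

// Constructed sample responses standing in for the fetched sites.
const SAMPLES = {
  "settings.example (no defence)": {
    headers: { "Content-Type": "text/html" },
    body: "<html><body><form action='/account/edit'>...</form></body></html>",
  },
  "bank.example (script buster)": {
    headers: { "Content-Type": "text/html" },
    body: "<html><head><script>if (self != top) top.location = self.location;</script></head></html>",
  },
  "mail.example (header)": {
    headers: { "Content-Type": "text/html", "x-frame-options": "SAMEORIGIN" },
    body: "<html><body>inbox</body></html>",
  },
};

// Run the check over every sample and map site name to verdict.
function surveyAll(samples) {
  const out = {};
  for (const [name, resp] of Object.entries(samples)) {
    out[name] = classifyFramingDefense(resp).verdict;
  }
  return out;
}

console.log(surveyAll(SAMPLES));
```

To use it against live sites you would feed it real responses (headers plus body) captured with whatever HTTP client you prefer; the classification itself needs no network access.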

The short story: on the most trafficked web sites in the world, the pages that edit sensitive personal information can be trivially loaded inside an attacker's iframe. These results didn't come as a complete surprise, of course. However, I was kind of hoping these hugely popular site operators might have implemented something in the month and a half since Clickjacking made the news. I guess we'll just have to wait for the (inevitable) series of wildly successful, high-profile clickjacking-enabled attacks before the Googles, Yahoos, and Facebooks of the world take on the threat on their own properties.

Posted on the BreakingPoint Labs blog.