Prominent security researchers Robert “RSnake” Hansen and Jeremiah Grossman may have cancelled their scheduled presentation on “clickjacking” — a newly discovered form of browser vulnerability exploitation — at the OWASP NYC AppSec Conference Sept. 22 to 25, but the two experts have begun sharing some details about the attack technique.
Hansen and Grossman, who frequently present together at ethical hacking conferences including Black Hat, pulled their presentation at the request of Adobe, Microsoft and other vendors that would have been immediately impacted by the release of technical details or proof of concept code.
However, they have both authored blogs on clickjacking that give us some idea of what the process entails.
“The premise of clickjacking is that we know a lot about what JavaScript malware is capable of once a user comes in contact with an attacker-controlled Web page (or a page with their code on it) such as history stealing, intranet hacking, phishing with superbait, Web worms, browser exploit, and so on, but comparably little about what can be done with a captured click,” wrote Grossman, who is CTO of WhiteHat Security.
“Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable,” Grossman said. “With clickjacking attackers can do quite a lot. Some things that could be pretty spooky. Things also performed, with a fair amount of ingenuity, quite easily.”
Essentially, if hackers using a clickjacking attack tricked you into visiting one of their URLs, they could take control of your browser and secretly force it to click on any links they desired. Scary stuff indeed!
Grossman and Hansen have developed usable PoC code, but decided not to release it because it could lead to related attacks as every major browser (Internet Explorer, Safari, Firefox, etc.) is apparently vulnerable to these types of exploits and they didn’t want to endanger users.
One of the PoCs involved an Adobe product, and the company asked for more time to address related vulnerabilities in its products so as to avoid a zero-day scenario, the experts reported.
Grossman maintains that clickjacking is “a well-known issue, but severely underappreciated and largely undefended” among browser and applications vendors.
“The related issues we found that affect Web sites (instead of browsers) are thankfully slightly easier to deal with on a one-off basis, but that too is going to be a problem,” said Hansen, CEO of SecTheory. “There are a lot of much easier hacks out there against Web sites for sure, but what we’ve been working on breaks some previously good security measures.”
Hansen and Grossman both maintain that rather than trying to fix every Web site that might be vulnerable to clickjacking, and apparently most of them are, it makes more sense for the problem to be addressed by browser makers.
“The idea of every Webmaster in the world patching their own sites is a nonstarter,” Hansen said. “Although I’m sure lots of people are going to run out and patch their sites rather than wait for the normal browser patch and release cycle for all browsers everywhere. We’ve discussed the high level concern with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solve in sight at the moment.”
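For readers wondering what the site-side "patch your own site" option Hansen mentions actually looks like, here is an added example (not code from the article, the researchers, or their unreleased PoC) that builds the anti-framing response headers a webmaster can send so that a sensitive page cannot be embedded in an attacker's page, plus an audit check for verifying a response. The route table and helper names are assumptions; the header names are real, widely supported HTTP headers.

```javascript
// Added example: site-side anti-clickjacking headers (not from the original post).
// A clickjacking page works by loading the victim site inside the attacker's page;
// telling the browser "do not render me inside another site's frame" removes that
// option. The route policy below is constructed for illustration.
const FRAME_POLICY = {
  '/account/settings': 'none', // sensitive UI: never framed by anyone
  '/pay/confirm': 'none',
  '/widget/share': 'self',     // embeddable only by pages on our own origin
};

// Returns the response headers a webmaster should attach for a given path.
// Both headers are sent: CSP frame-ancestors is the modern control,
// X-Frame-Options covers older browsers that only understand the legacy header.
function antiFramingHeaders(path) {
  const policy = FRAME_POLICY[path];
  if (policy === 'none') {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  if (policy === 'self') {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  return {}; // unlisted pages get no framing restriction from this helper
}

// Audit check: given a response's headers, does the page refuse cross-site framing?
// Useful for scanning one's own site after applying the fix.
function blocksCrossSiteFraming(headers) {
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  const csp = headers['Content-Security-Policy'] || '';
  const cspBlocks = /frame-ancestors\s+'(none|self)'/.test(csp);
  return cspBlocks || xfo === 'DENY' || xfo === 'SAMEORIGIN';
}

// Legacy JavaScript "frame-buster" for browsers that honour neither header.
// Treat it as a weak second layer only: script-based busters are known to be
// bypassable, which is why the header-based controls above are the real fix.
const FRAME_BUSTER =
  '<script>if (top !== self) { top.location = self.location; }</script>';
```
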
Welcome to the clickjacking era.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.