Is “Clickjacking” the Next Threat?

sparksspace | Saturday, October 18, 2008 | 0 comments

Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.


The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference. Although the Clickjacking problem has been associated with browsers (users of Internet Explorer, Firefox, Safari, Opera, Google Chrome and others are all vulnerable to the attack), the problem is actually much deeper. So, what exactly is Clickjacking?

Clickjacking lets hackers and scammers hide malicious stuff under the cover of the content on a legitimate site. You know what happens when a carjacker takes a car? Well, clickjacking is like that, except that the click is the car.

The basic idea is that an attacker loads the content of an external site into the page you're visiting, makes that external content invisible and then overlays it on the page you're looking at. When you click a link you see on the current page, you are in fact clicking on the externally loaded page and about to trigger pretty much whatever the attacker wants.

By taking advantage of any of a growing number of recently discovered vulnerabilities in Microsoft's Internet Explorer, Mozilla's Firefox, Apple's Safari, and all other Web browsers, criminals can hijack your system by intercepting clicks on what appear to be legitimate links.

One of the most important steps that users can take to protect themselves is to enable JavaScript only for approved sites. But disabling JavaScript has serious drawbacks, because so much of the Web's interactivity is driven by JavaScript apps.

For the moment, the best defense against Clickjacking attacks is to use Firefox with the NoScript add-on installed. NoScript, which can be downloaded free of charge, has its drawbacks, though: unless a user manually enables content that is switched off by default, many sites will either be unusable or prohibitively limited.

Another method is to switch to Lynx, an open-source text-only browser. Clickjacking won't work if you're using Lynx, simply because there's no graphical content that an attacker can grab from it to pull over his own malicious code. But text-only browsing is, well, so last century.

Adobe has issued a patched version that will help keep you safe from Flash-based attacks. See the company's download page.

Also read: How To Stop Firefox Clickjacking Exploit Attack
