Friday, 31 October 2008

Beware, clickjackers on the prowl

If you thought your computer was attack-proof merely because you had fully updated, licensed antivirus software, it is time to worry. A new browser vulnerability, clickjacking, has come to light and has caused considerable anxiety among security researchers.

The worrying news is that none of the popular browsers (Internet Explorer, Firefox, Safari, Opera and the newly launched Google Chrome) is free from this exploit, according to reports.

The vulnerability can also be exploited through the Flash plug-ins used by almost all browsers to run video and video-based applications, and through many shortcut buttons in the toolbars. The only browser reported to be immune to this attack is the lesser-known Lynx, which incidentally is a text-only browser.

Are you sure you're safe?

Clickjacking enables an attacker to force a user to click on an invisible link, obviously without the user's knowledge or consent. Once a user clicks the link unknowingly, the hacker takes control.

So while you might think you are clicking on your bank funds transfer link, or saving a favourite URL link at Digg, or some innocuous Facebook application, the reality could be entirely different, and dark.

An attacker can invisibly hover these virtual buttons below the user's mouse pointer, so that when users click on something they can see, they are actually clicking on something else the attacker wants them to click, warned the security experts who reported the vulnerability.

Flaw is serious, warns US

The exploit was discovered by two researchers, Robert Hansen and Jeremiah Grossman, who disclosed it at a security conference last week after alerting the browser vendors concerned. Jeremiah Grossman is the founder and CTO of WhiteHat Security, while Robert Hansen is the founder and CEO of SecTheory.

Following this, the United States CERT deemed it serious enough to release a warning. "Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if users click on a Web page, they may actually be clicking on content from another page," warned the US CERT.

Turning off JavaScript won't help

What is worse is that attackers need not compromise a legitimate site in order to launch an attack. In other words, the attacker can invisibly hover over the links or buttons on just about any website, according to Hansen.

The two researchers said that even turning JavaScript off will not prevent the attack. The attack takes advantage of a "fundamental flaw" inherent in all browsers, they said.

A frame-buster script will protect users against the cross-domain form of the attack. However, even that will not prevent the attack if it is on the site the user is visiting.
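
A frame buster of the kind mentioned above, as an added example that is not from the original article or from the researchers: the page checks whether it is the top-level window and stays hidden if it has been framed. The function names and the antiClickjack style element are assumptions made for this illustration.

```javascript
// Added example: frame-buster logic written against a window-like object so
// it can be exercised outside a browser. Function names are hypothetical.

// True when this document is the top-level browsing context.
function isTopLevel(win) {
  try {
    // Comparing top and self is permitted across origins; the catch is
    // only defensive, and any error is treated as "framed".
    return win.top === win.self;
  } catch (e) {
    return false;
  }
}

// Assumes the page ships with
//   <style id="antiClickjack">body { display: none !important; }</style>
// so a framed page stays invisible even if the break-out below is blocked.
function applyFrameBuster(win) {
  if (isTopLevel(win)) {
    // Not framed: remove the guard style so the page becomes visible.
    const guard = win.document.getElementById("antiClickjack");
    if (guard && guard.parentNode) guard.parentNode.removeChild(guard);
    return "shown";
  }
  try {
    // Framed: try to replace the framing page with this page.
    win.top.location = win.self.location.href;
    return "busted";
  } catch (e) {
    // Navigation refused: the guard style is left in place, so there is
    // nothing visible for an overlay to line up with.
    return "hidden";
  }
}

// Run automatically when loaded in a browser.
if (typeof window !== "undefined") {
  applyFrameBuster(window);
}
```

With scripting disabled the guard style is never removed, so the page stays hidden rather than becoming frameable.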

There is no defence

In fact, they reported the vulnerability to be so widespread that almost everyone could be affected by it, as attackers can potentially get users to click a button (hence the name clickjacking) whereas they may not be able to get them to click a button in JavaScript.

Since there is no viable foolproof defence against clickjacking at this time, users have been advised to use browsers with the NoScript add-on installed, wherever possible. While this is not the solution, they said it will work in almost all such cases until a more permanent patch is found to plug the vulnerability.

Better safe than sorry

Hansen and Grossman said they have alerted industry majors such as Microsoft (IE8), Mozilla Foundation, Google, Apple Corp and Adobe so they could immediately start working on finding a solution to fix the problem. Software maker Adobe has already admitted in a company blog that one of its products is affected and it is working on a fix.

But this does not mean that users will be safe until a solution is found and patched by the vendors, either separately or in future versions of their software. Hence, the precautions already prescribed by the security experts may well be the best antidote against the clickjacking vulnerability.