So… “clickjacking.” Is it a new browser security concern or a new offering from the Land of F.U.D.?
According to SecTheory’s CEO, Robert Hansen, “clickjacking” is similar to cross-site request forgery, where unauthorized commands are sent from a user that a website believes to be legitimate. Hansen and WhiteHat Security’s CTO, Jeremiah Grossman, recently shared their concerns with Computerworld on how attackers (or as I like to call them, “jerks who ruin the Internet for everyone else”) get around the current security features in browsers via clickjacking:
“Think of any button on any Web site, internal or external, that you can get to appear between the browser walls,” Grossman said in an e-mail on Friday. “Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to.”
So if clickjacking will be the rage for less-than-savory types, can anything be done about it? Although the two security researchers say they’ve contacted Microsoft, Mozilla, and Apple about their respective browsers, they warn that the best defense is to “use Firefox with the NoScript add-on installed.” Hmmm… veeeery interesting… Some days I do wonder if I should just completely turn off the Internet forever and ever, but then I wake up.
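The attack Grossman describes only works because the target page can be loaded inside a frame on a page the attacker controls; the server-side counterpart to the NoScript advice is for the page itself to declare that it may not be framed. The checker below is added here and is not part of the original post or of Hansen and Grossman's work. It inspects a captured set of HTTP response headers for the two standard anti-framing controls, X-Frame-Options and the Content-Security-Policy frame-ancestors directive, and reports what framing the server permits. The sample header sets are constructed for the example.

```python
"""Classify a response's anti-framing posture from its HTTP headers.

Added example for this post: clickjacking loads the victim page in a frame
and hides it under the attacker's page, so the mitigation is for the server
to tell the browser the page may not be framed.  Two headers do that:
X-Frame-Options (older, coarse) and Content-Security-Policy's
frame-ancestors directive (newer, wins when both are present).
"""
from typing import Mapping, Optional, List


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list (quotes stripped, lowercased),
    or None when the policy has no frame-ancestors directive."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_policy(headers: Mapping[str, str]) -> str:
    """Summarise who may frame the page.

    Returns one of:
      'blocked'      no origin may frame the page
      'same-origin'  only the page's own origin may frame it
      'allow-list'   specific third-party origins may frame it (review them)
      'unprotected'  nothing stops an arbitrary site from framing it
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = csp_frame_ancestors(csp)
        if sources is not None:
            # An empty source list is equivalent to 'none' in CSP.
            if not sources or sources == ["none"]:
                return "blocked"
            if sources == ["self"]:
                return "same-origin"
            return "allow-list"

    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "blocked"
        if value == "SAMEORIGIN":
            return "same-origin"
        # ALLOW-FROM and any other value are not recognised by current
        # browsers, which then ignore the header entirely.
    return "unprotected"


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "hardened": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "SAMEORIGIN",  # CSP takes precedence over this
    },
    "legacy": {"x-frame-options": "deny"},
    "partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "bare": {"Content-Type": "text/html"},
}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(f"{name:>9}: {framing_policy(headers)}")
```

Run against a real deployment, the headers would come from the server's actual response; the point of the classifier is that "unprotected" is the state every button-bearing page is in by default, and that only the server can change it.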
This sounds exactly like what unscrupulous advertisers have done ever since pop-up blockers became common, which is to hijack the first click on the webpage and use that to open a pop-up (or pop-under). There's absolutely nothing new here.
Good thing Cyberjack is dead or rather never had much of a life.