Comments
clickjacking

Another form could be making you play a Flash game in which you click repeatedly. Then they can measure your avg. response time and pop up a malicious dialog box (like for installing a malicious addon) at the right place at the right moment beneath your mouse pointer. That's why Firefox has that wait time before the "install" button on the install addon dialog becomes usable.

posted by : ssj4Gogeta, 11 October 2008
To all who replied to me above...

Like I said, the browsers are not broken. The article clearly states, "...as clickjacking - a malicious attack on web servers - is spreading..." and, "...This attack works by directing a user to a pre-determined webpage chosen by the hacker...". Where exactly is this (re)direction coming from? I'll tell you - a legitimate web page that has been hacked.

Despite that the article says, "Clickjacking, (we'll keep repeating it so it sounds real) has been identified as a vulnerability on many browsers..." - it is wrong. The browsers are doing exactly what they were designed to do - interpret code and execute that code. The problem is, the servers that host that code are "broke". That is, they are the ones vulnerable to the hacking, and therefore modification of the code, not the browser.

...and, Tim D - I did NOT say that I didn't know what I was talking about. I said that I don't know exactly how clickjacking works. Meaning that I don't know the specifics on how to do it, but I do understand how the process works. Learn to read more carefully so that YOU may know what you're talking about.

posted by : Ted, 10 October 2008
it's NOT "easy to fix", and it's not just flash

Although these comments focus on Adobe's vulnerability, clickjacking can also occur via everyday javascript. Here's what happens:

Your website, let's use "theinquirer.net" as an example, provides valuable articles which people want to see. But the authors need to put food on the table, and pay mortgages, so they work with someone such as "googlesyndication.com" to place ad banners on their pages.

There's a TRUST relationship established: The Inquirer trusts the Google links NOT to contain "evil stuff". And Google is pretty good about this, but I feel that Yahoo! is less careful. So the starting place for these problems is the fact that nearly every website you visit links to somewhere else....

And here comes the vulnerability: The other place can directly contain malware, but is far more often hacked to contain an INVISIBLE, one pixel-tall iframe to yet another site (often with .ru suffix, run by Russian mafia). Not only is the site displayed, but it contains a form-- and the vulnerability is basically this: Just displaying the <iframe> can allow the criminal site to automagically execute the button click. And the button click, of course, can result in file uploads and all kinds of wreckage.

There IS a workaround, however. Giorgio Maone, the expert quoted in this article, has been enhancing "noscript". It's not totally free of user intervention, but it's very, very good. It prevents javascript on a site-by-site basis.

Right on THIS page, right now, NOSCRIPT is showing me that there's javascript code being downloaded from googlesyndication.com, google-analytics.com, vnu.net, and grapeshot.co.uk. (As well as some script from within theinquirer.net.)

I get to individually allow/deny the code from all these sites (and in fact, at this moment, most of them are denied-- that's the default). Firefox with the newest noscript is really the ONLY WAY to be safe with javascript active these days.

Do keep in mind how easy it is for hackerz to attack web sites hosted on iis. And the owners won't even SEE the microscopic <IFRAME> elements which have been added to attack their visitors, if they merely look at the site in a browser without analyzing the code. This is a real problem, and it's not just flash--

although "flashblock" takes care of that other problem, too. :))

posted by : rickst29, 09 October 2008
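
The comment above notes that a site owner will not see an injected, invisible `<iframe>` by looking at the rendered page. One way to check the served markup instead, as an added example that is not part of the original comment thread; the allow-list, the size threshold, the `injected.example` host and the sample markup are assumptions constructed for illustration:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (constructed for this example): allow-list and size threshold.
TRUSTED_HOSTS = {"theinquirer.net", "googlesyndication.com"}
MAX_PX = 2  # width/height at or below this is treated as invisible
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)", re.I)
CSS_SIZE = re.compile(r"(?<![\w-])(width|height)\s*:\s*(\d+)(?:px)?\s*(?=;|$)", re.I)

def _trusted(host):
    return any(host.lower() == t or host.lower().endswith("." + t) for t in TRUSTED_HOSTS)

def _tiny(value):
    # "1" and "0px" are tiny; percentages and missing attributes are not.
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= MAX_PX

class IframeAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # the parser lower-cases <IFRAME> and its attributes
            return
        a = {k: (v or "") for k, v in attrs}
        style, reasons = a.get("style", ""), []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("tiny-attr")
        if any(int(px) <= MAX_PX for _, px in CSS_SIZE.findall(style)):
            reasons.append("tiny-css")
        if HIDDEN_CSS.search(style):
            reasons.append("hidden-css")
        host = urlparse(a.get("src", "")).hostname  # None for relative URLs
        if host and not _trusted(host):
            reasons.append("untrusted-host")
        if reasons:
            self.findings.append((self.getpos()[0], a.get("src", ""), reasons))

def audit(html):
    parser = IframeAudit()
    parser.feed(html)
    return parser.findings

# Constructed sample: one normal ad frame, then two injected invisible frames.
SAMPLE = """<iframe src="http://googlesyndication.com/ad" width="468" height="60"></iframe>
<IFRAME SRC="http://injected.example/x" WIDTH="1" HEIGHT="1"></IFRAME>
<iframe src="//injected.example/y" style="width:0px;height:0;visibility:hidden"></iframe>"""
```

`audit(SAMPLE)` reports the frames on lines 2 and 3 and leaves the normally sized ad frame alone. It only sees frames present in the static HTML, so frames written into the page by script at load time need a check against the rendered DOM.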
Scammers have servers too

Hey Ted, it doesn't have to be a "compromised" server. Scammers have servers, too, and people still click on links in email messages, etc.

posted by : logicprobe, 09 October 2008
easily fixed :O)



It's about time Adobe got its act together, they're as bad as Java (Sun), but unless you want a bland web experience you've no choice but to use um grrrrrrrrrrr.

They don't let the unwashed masses know how easy it is to lock it down, it wouldn't do would it, webmasters would look for an alternative if everybody messed with it so they couldn't keep god knows what on ya machine, porn webmasters love its wide open security !!!!! O_o

Well apart from the crappy setting in the Flash player, guess what folks, if ya go here :- http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html there's a myriad of security settings and others you can alter to your heart's content :O)

As I said, how come they keep it such a secret, hmmmmmmmmm O_o

@Ted, forget the servers/browsers, THEY can't alter YOUR personal settings, by default they are set to WIDE OPEN, go to it peeps, lock Adobe's crap down !!!!!! :O)

posted by : psychochief, 09 October 2008
Oops

"but if I understand it correctly"

Apparently you do not. You probably should've stopped after the bit where you admitted that you don't know what you're talking about.

posted by : Tim D, 09 October 2008
I Don't Get It

These aren't attacks, they're pitfalls.

Most "attacks" are possible because servers get compromised, and servers are most often compromised because they're serving up ads from anyone who will buy adspace.

Stop serving ads. Sanitize your inputs and queries. Ditch Adobe whenever possible (Flash, PDF). 99% of "attacks" mitigated.

posted by : Brian S, 09 October 2008
Another warning, who is listening?

Why does an application like Adobe Macromedia Flash have unrestricted access to the entire computer? If you still use this kind of software, you are being hit by your own ignorance. 'nuff said.

posted by : Flash Gordian, Saver of the Play Console, 09 October 2008
Clickjack ?

Leave a folded paper over your webcam when it's not in use. Lo-tech but effective.

posted by : Sean, 09 October 2008
Mic has switch cam has not!

Cameras with built-in microphone are set up for this problem, but yet again a switch either built on new cameras or a plain switch for a USB for cameras already on the market...

Or as an auto rule I'm at the computer with clothing on.

Plus my camera is strictly used on what I want it used on so web browsers are out!

posted by : Phil, 09 October 2008
...

I admit I don't know exactly how this clickjacking works, but if I understand it correctly, it has to do with a server being compromised. If that assumption is correct, then it's no wonder why there is no "fix" for the browsers - it's because they are not broken. It's the servers that need to be secured.

It's like when an airplane gets hijacked - we're asking the passengers to protect themselves rather than asking the airline to provide better security.

posted by : Ted, 09 October 2008

Adobe warns Clickjackers could take over your web cam
