
Clickjacking is bad

Hidden links tackled by Context
Thu Apr 15 2010, 14:45

CLICKJACKING, a relatively new way for criminals to wreak havoc on the Internet, is getting a bit more attention thanks to an insecurity consultancy.

Context Information Security has launched a browser-based tool, currently in beta, that should help developers understand the risks associated with the attack technique, in which users are tricked into performing actions they did not intend on a web site because the clickable elements are hidden within an invisible frame.

Context warned that despite the threat having been around for a couple of years, no one has ever done anything about it. We don't know why it is complaining, since that means its beta product is the only cure out there. Still, it hopes that by making the tool available, web firms will be able to react and respond to the clickjacking threat.

The tool was previewed at this week's Black Hat Europe 2010 talks and released just one day later. Context said that it could be used to simulate attacks and gain more understanding of the techniques involved.

In his talk at the Black Hat event, Context's Paul Stone demonstrated a number of cross-browser hacking techniques and discussed browser-specific vulnerabilities in Internet Explorer, Firefox, Safari and Chrome, which he said could be used to take full control of a web application.

The Context clickjacking tool is currently only available for Firefox 3.6; releases for other browsers will follow. µ
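Clickjacking only works if the target page can be loaded inside another site's frame, so the standard defence is for the response to tell the browser not to allow that. The following is an added example, not code from the article or from Context's tool: it classifies a response's headers by how much framing they permit, using X-Frame-Options and the CSP frame-ancestors directive; the sample responses and their labels are constructed.

```python
"""Audit HTTP response headers for framing protection (clickjacking defence).
Added example, not from the article or Context's tool. Browsers honour two
headers here: X-Frame-Options and the CSP frame-ancestors directive, the
latter taking precedence when both are present. Samples are constructed."""
from typing import Dict, List, Mapping, Optional

def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list (lower-cased), or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # An empty source list matches nothing, i.e. it behaves like 'none'.
            return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None

def framing_verdict(headers: Mapping[str, str]) -> str:
    """Classify as 'denied', 'same-origin', 'restricted' or 'framable'.
    'framable' is the exposed case: no header, or an invalid value that
    browsers silently ignore, so any site can load the page in a frame."""
    lower = {name.lower(): value for name, value in headers.items()}
    sources = frame_ancestors(lower.get("content-security-policy", ""))
    if sources is not None:  # CSP wins over X-Frame-Options
        if sources == ["'none'"]:
            return "denied"
        if sources == ["'self'"]:
            return "same-origin"
        # '*' or a bare scheme such as https: lets any origin on it frame us.
        if any(s == "*" or s in ("http:", "https:") for s in sources):
            return "framable"
        return "restricted"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    if xfo.startswith("ALLOW-FROM"):  # legacy form; not all browsers honour it
        return "restricted"
    return "framable"

# Constructed sample responses, keyed by a label for the report.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "legacy-app": {"Content-Type": "text/html"},
    "xfo-only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-overrides-xfo": {"X-Frame-Options": "SAMEORIGIN",
                          "Content-Security-Policy": "frame-ancestors 'none'"},
    "wildcard-csp": {"Content-Security-Policy": "frame-ancestors *"},
}

def audit(responses: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """Map each labelled response to its framing verdict."""
    return {label: framing_verdict(h) for label, h in responses.items()}
```

Any response that audits as "framable" is one a clickjacking page could embed; "restricted" still deserves a look at which origins are listed.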


Comments
@BB

NoScript can be quite a workable solution for all - just enable scripts globally in NoScript and it'll filter only clickjacking. Too easy.
For folks that value their web experience (and security), "full mode" is a necessity - you'll see websites in their pure form, no crap attached (floating, popping, bugging ...). Enjoy.

posted by : joed, 16 April 2010
False alerts

I use NoScript too (like every sensible person, BB), and I've come across some hidden iframe click hijacking warnings, but they were almost all false alerts and the hidden aspect was part of the functionality, that is, to respond on graphs for redrawing and turn the page and such. So the point is that just because something is hidden doesn't mean it's bad, although I guess the coders could use other methods perhaps.

posted by : W.-, 15 April 2010
@Abusive Reptilian

How about not regurgitating the same old tired "nonscript" non-solution that the majority of people will not ever bother with?

posted by : BB, 15 April 2010
NoScript and Firefox

Something has been done. Get on the boat, dude, yer info is way outdated.

posted by : hobobill, 15 April 2010
NoScript

NoScript has been blocking this for a while now. How about actually reporting and not just vomiting forth a slightly rewritten press release/blog post.

posted by : Abusive Reptilian, 15 April 2010