We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
79,994 News Articles

12 Clickjacking threats affect every web user

Researcher lifts lid on dangerous online scam

The full extent of the 'clickjacking' threat has been revealed, after the security researchers who two weeks ago warned of new vulnerabilities in browsers, websites and popular plug-ins, revealed a dozen variants of the bug which could affect every web user.

Robert Hansen, founder and chief executive of SecTheory and Jeremiah Grossman, chief technology officer at WhiteHat Security, highlighted their discovery of clickjacking at a security conference earlier this year, and it's swiftly become the menace of the moment for the security industry. It works by fooling people into clicking on a seemingly innocent link in a browser - such as a button for submitting a story to Digg - and then serving up a nasty surprise. However, the researchers were persuaded last month by Adobe to withhold details of the threat until solutions were found.

But on Tuesday, Israeli researcher Guy Aharonovsky posted a proof-of-concept demonstration that uses clickjacking tactics to invisibly reset Adobe's Flash privacy settings, and secretly turn on the computer's webcam and microphone for remote spying.

With the cat out of the bag, Adobe gave Hansen and Grossman the go-ahead to get specific about their findings. Hansen then posted a list of 12 different clickjacking scenarios on his blog.

"The list doesn't cover all the other kinds of plug-ins that are vulnerable, or all the browsers or all the websites," Hansen said in an interview with Computerworld US. "The list got so long so fast that it was impossible to keep track of all the sub-issues.

"There are multiple variants of clickjacking," Hansen added. "Some require cross domain access, some don't. Some overlay entire pages over a page, some use iFrames to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF to pre-load data in forms, some don't."

FAQ: Clickjacking - is your PC at risk?

Webcams and mics hijacked in 'Clickjacking' attacks

Of the dozen he spelled out, only two have been resolved. Adobe has not, for example, patched Flash against one of the clickjacking vulnerabilities Hansen and Grossman reported to the company. Adobe issued a security advisory on Tuesday, however, with instructions on how to secure Flash against webcam and microphone hijacking in lieu of a patch.

"[Aharonovsky's] proof-of-concept was just a demonstration, but clickjacking can do all kinds of things," Hansen said today. "If you think about the traditional web applications that have a 'Confirm' button or an 'Add a friend' button or any kind of single-button click, they're all going to be more vulnerable now."

But he also said there's no reason to panic; clickjacking wouldn't make the internet a much more dangerous place in the short term. "If we assume that the majority of web applications are vulnerable to some exploit, and they are, then clickjacking is making things worse, but it's already so bad that it doesn't really matter," Hansen said.

"We made it very clear that we didn't feel that this was the end of the Earth," he continued. "However, that doesn't lessen the ultimate severity of problems like monitoring people remotely with webcams or getting people to transfer money from their bank accounts."


IDG UK Sites

45 Best Android games: top Android games for your smartphone or tablet in 2014 (24 are free!)

IDG UK Sites

How Apple, Adobe, Microsoft and others have let us down over UltraHD and hiDPI screens

IDG UK Sites

Do you have the X-Factor too? Mix Off app puts fans in the frame

IDG UK Sites

iPad Pro release date, rumours and leaked images - 12.9 screen 'coming in 2015'