Researcher lifts lid on dangerous online scam
Hansen remained convinced that the place to stymie clickjacking attacks for now is within the browser. "Absolutely. There are ways to patch your own site using ‘frame-busting' code, but that doesn't work all the time and you'd have to update every single page with sensitive information. But I don't think it's unrealistic to think that the browser makers could release a quick patch," he said.
Hansen and Grossman have been in contact with the security teams at Microsoft, Mozilla and Apple responsible for Internet Explorer, Firefox and Safari, respectively. "I don't have any idea about their timelines," he acknowledged.
Even so, fixing browsers may in the long run be a shortsighted strategy. "Fixing each browser, as they get less and less alike, only adds a lot more complexity to the problem," Hansen said.
The trouble with that approach? "When Jeremiah and I were looking at clickjacking, we found all kinds of random browser bugs," said Hansen, describing the quantity as "tons of bugs" and a "mess load" of flaws. "A lot of them were unrelated to clickjacking. But as other researchers start looking at clickjacking, they'll find their own interesting bugs."
Many will be, as Hansen and Grossman found, browser- or platform-specific. "As browsers get less and less alike, this [browser-specific bug finding] will get more and more common," he said. Adding more code to plug clickjacking holes, with each browser handling the problem its own way, will invariably open them to new, as-yet-undiscovered attacks, Hansen argued.
For the moment, there's little that end users can do to protect themselves and maintain the internet's usability, said Hansen. One tactic, only available for Firefox users, is to install the NoScript add-on. "NoScript does a great job of supplementing [Mozilla's] slowness in patching, but it's not really the best way to protect users," Hansen said, referring to NoScript's content blocking, which can render some sites unusable.
"Finding a solution for clickjacking will be very complicated, which is why we don't see a quick solution," Hansen said. "But if we don't give it the attention it deserves now, it could be used in the future for much more effective targeted attacks."