Clickjacking threats affect every web user

Researcher lifts lid on dangerous online scam

Hansen remained convinced that the place to stymie clickjacking attacks for now is within the browser. "Absolutely. There are ways to patch your own site using 'frame-busting' code, but that doesn't work all the time and you'd have to update every single page with sensitive information. But I don't think it's unrealistic to think that the browser makers could release a quick patch," he said.

Hansen and Grossman have been in contact with the security teams at Microsoft, Mozilla and Apple responsible for Internet Explorer, Firefox and Safari, respectively. "I don't have any idea about their timelines," he acknowledged.

Even so, fixing browsers may in the long run be a shortsighted strategy. "Fixing each browser, as they get less and less alike, only adds a lot more complexity to the problem," Hansen said.

The trouble with that approach? "When Jeremiah and I were looking at clickjacking, we found all kinds of random browser bugs," said Hansen, describing the quantity as "tons of bugs" and a "mess load" of flaws. "A lot of them were unrelated to clickjacking. But as other researchers start looking at clickjacking, they'll find their own interesting bugs."

Many will be, as Hansen and Grossman found, browser- or platform-specific. "As browsers get less and less alike, this [browser-specific bug finding] will get more and more common," he said. Adding more code to plug clickjacking holes, with each browser handling the problem its own way, will invariably open them to new, as-yet-undiscovered attacks, Hansen argued.

For the moment, there's little that end users can do to protect themselves and maintain the internet's usability, said Hansen. One tactic, only available for Firefox users, is to install the NoScript add-on. "NoScript does a great job of supplementing [Mozilla's] slowness in patching, but it's not really the best way to protect users," Hansen said, referring to NoScript's content blocking, which can render some sites unusable.

"Finding a solution for clickjacking will be very complicated, which is why we don't see a quick solution," Hansen said. "But if we don't give it the attention it deserves now, it could be used in the future for much more effective targeted attacks."
