We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

NoScript upgrade stops clickjacking attacks in Firefox

ClearClick detects & warns users about embedded scripts

NoScript, the security add-on for Firefox, has been upgraded to protect against clickjacking.

The new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the web page. It then displays a warning message asking the user if they still want to click on it.

Maone said ClearClick will likely stop all clickjacking attempts. NoScript is only for the Firefox browser, so users of Microsoft's Internet Explorer - the most-used browser in the world - are vulnerable.

Website owners, however, can take one step to prevent their users from falling victim, Maone said. Programmers can use a script on their websites that checks to see if a web page is embedded in another page. If so, the script forces the good web page in front, preventing clickjacking, Maone said.

The technique is called 'framebusting'. Ebay's online payments service, PayPal, which is frequently targeted by cybercriminals, has already implemented framebusting, Maone said. NoScript will allow a framebusting script to run, Maone said.

"The best thing that can happen is that website owners start to think more carefully about security," Maone said. "It is important that website owners spread the word that they should implement framebusting."

Clickjacking is a serious, potentially long-term problem for browser developers. Since the attack is enabled by a feature within HTML, it demands changes to the HTML specification.

Web standards groups are currently working on HTML 5, a specification that will incorporate new features into the programming language to accommodate future web design. But the standards process moves slowly, and changes to HTML could break existing web pages, Maone said.

"For the user, I'm afraid there's no fix but NoScript for the time being," he said.


IDG UK Sites

Best January sales 2015 UK tech deals LIVE: Best New Year bargains and savings on phones, tablets,...

IDG UK Sites

Chromebooks: ready for the prime time (but not for everybody)

IDG UK Sites

2015 visual trends: 20 leading designers & artists reveal what should be inspiring us in 2015

IDG UK Sites

Mac tips tricks & hacks: 10 things you didn't know your Mac could do