We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
78,721 News Articles

NoScript upgrade stops clickjacking attacks in Firefox

ClearClick detects & warns users about embedded scripts

NoScript, the security add-on for Firefox, has been upgraded to protect against clickjacking.

The new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the web page. It then displays a warning message asking the user if they still want to click on it.

Maone said ClearClick will likely stop all clickjacking attempts. NoScript is only for the Firefox browser, so users of Microsoft's Internet Explorer - the most-used browser in the world - are vulnerable.

Website owners, however, can take one step to prevent their users from falling victim, Maone said. Programmers can use a script on their websites that checks to see if a web page is embedded in another page. If so, the script forces the good web page in front, preventing clickjacking, Maone said.

The technique is called 'framebusting'. Ebay's online payments service, PayPal, which is frequently targeted by cybercriminals, has already implemented framebusting, Maone said. NoScript will allow a framebusting script to run, Maone said.

"The best thing that can happen is that website owners start to think more carefully about security," Maone said. "It is important that website owners spread the word that they should implement framebusting."

Clickjacking is a serious, potentially long-term problem for browser developers. Since the attack is enabled by a feature within HTML, it demands changes to the HTML specification.

Web standards groups are currently working on HTML 5, a specification that will incorporate new features into the programming language to accommodate future web design. But the standards process moves slowly, and changes to HTML could break existing web pages, Maone said.

"For the user, I'm afraid there's no fix but NoScript for the time being," he said.


IDG UK Sites

Motorola Moto G2 release date, price and specs: Best budget smartphone gets upgrades

IDG UK Sites

How to join Apple's OS X Beta Seed Program: Get OS X Yosemite on your Mac before public release

IDG UK Sites

Why the BBC iPlayer outage was caused by a DDoS attack: Topsy and Tim isn't *that* popular

IDG UK Sites

How to make an 'Apple iWatch' using an iPod nano and a 3D printer