
Alarm Raised For "Clickjacking" Browser Exploit

timothy posted more than 5 years ago


Shipment Date writes "ZDNet's Zero Day blog has some new information on what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The threat, called Clickjacking, was to be discussed at the OWASP conference but was nixed at the last minute at the request of affected vendors. From the article: 'In a nutshell, it's when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'"


308 comments


Hurray for us lynx users! (5, Funny)

Anonymous Coward | more than 5 years ago | (#25156655)

*crickets*

Re:Hurray for us lynx users! (0)

Anonymous Coward | more than 5 years ago | (#25156697)

I was wondering who used lynx. I guess it's the crickets.

Re:Hurray for us lynx users! (1)

PIBM (588930) | more than 5 years ago | (#25157151)

Actually, I was using it yesterday ... I wish there was javascript support in lynx, I could not manage to login to gmail, even using the basic interface :(

Re:Hurray for us lynx users! (4, Informative)

saveth (416302) | more than 5 years ago | (#25157287)

Hmm, I'm able to use lynx to log into Gmail. Granted, I had to accept a million cookies and other things along the way.

Lynx Version 2.8.6rel.4 (15 Nov 2006)
libwww-FM 2.14, SSL-MM 1.4.1, GNUTLS 1.6.2, ncurses 5.6.20080308(wide)
Built on linux-gnu May 2 2007 08:54:50

Re:Hurray for us lynx users! (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#25157125)

I use links, at work, to read slashdot, over a ssh connection. I also like to eat shaved pussy.

Go Lynx! (2, Funny)

ag3ntugly (636404) | more than 5 years ago | (#25156675)

I knew there was a reason I liked lynx

Re:Go Lynx! (0)

Anonymous Coward | more than 5 years ago | (#25156799)

Besides speed, simplicity, clean interface and no freaking frills?

Re:Go Lynx! (4, Insightful)

lysergic.acid (845423) | more than 5 years ago | (#25157503)

i wouldn't exactly call the ability to render images "frills." i can understand if this were 1990 and the web was still mostly text-based. but the idea of a hypertext network and hypertext documents is to go beyond what normal text documents/interfaces could provide.

lynx has its merits, but calling all standard browsers too complicated or excessive is stretching it a bit. if lynx were just a basic browser that didn't have plugins, tabs, adblock, RSS readers, bookmarks, search tools, etc. then you could claim that other browsers have too many frills.

but lynx is a text-only browser. that's like saying a radio is a TV without the frills. stripping out core features does not make something have a cleaner interface or mean that the removed features are unnecessary.

Re:Go Lynx! (0)

Anonymous Coward | more than 5 years ago | (#25157301)

Yes, that reason is that you haven't tried w3m or links yet.

Re:Go Lynx! (1, Offtopic)

ag3ntugly (636404) | more than 5 years ago | (#25157447)

Actually, I use links quite a bit because, as I said in another post, when I click on links in Links, it works (at least in a PuTTY window)

The first thing I thought of (4, Funny)

Anonymous Coward | more than 5 years ago | (#25156705)

was some weird mouse-mastubation scenario. *shudders*

Re:The first thing I thought of (2, Funny)

couchslug (175151) | more than 5 years ago | (#25157325)

"The first thing I thought of was some weird mouse-mastubation scenario."

"Mastubation"?? I'm picturing small rodents with catheters....

Even my capybara Lemmiwinks thinks THAT is sick.

Turn to Lynx? (2, Insightful)

TheDarkMaster (1292526) | more than 5 years ago | (#25156717)

Well, they can't steal clicks from a browser without clicks

Re:Turn to Lynx? (1, Redundant)

ag3ntugly (636404) | more than 5 years ago | (#25156921)

Precisely, but I wonder if Links is vulnerable? It's text based just like lynx but when I use putty to ssh into my box at home, and run Links, I can click on links and buttons and it works.

Re:Turn to Lynx? (3, Informative)

AKAImBatman (238306) | more than 5 years ago | (#25157045)

Precisely, but I wonder if Links is vulnerable?

Lynx and Links do not support IFrames, so they are not vulnerable. In fact, any browser not capable of advanced CSS and/or IFrames is safe. Unfortunately, that's not very many browsers.

/me just checked email to find an official conversation going on about ClickJacking.

Re:Turn to Lynx? (1)

fataugie (89032) | more than 5 years ago | (#25157115)

Great News!
My Mosaic 1.0 is safe!

Information (5, Insightful)

asCii88 (1017788) | more than 5 years ago | (#25156725)

You call this "information"? It's not even clear what the exploit is about.

Re:Information (5, Funny)

eln (21727) | more than 5 years ago | (#25156883)

It's very similar to the DNS issue from a couple of months back: It's a hugely scary thing that will doom the Internet, but because we're responsible we can't tell you what it is in any detail. However, if you don't patch your browser immediately (patch not yet available), you are fucked.

Have a nice day.

Re:Information (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#25156985)

Exactly

Re:Information (0, Offtopic)

Anonymous Coward | more than 5 years ago | (#25157217)

It's a hugely scary thing that will doom the Internet, but because we're responsible we can't tell you what it is in any detail. However, if you don't patch your browser immediately (patch not yet available), you are fucked.

Sounds like every corporate and republican (arguably the same thing) pitch I've heard since the fall of '01.

Boo! Be very afraid, but we will keep you safe.

(By stunning co-incidence, my captcha is (wait for it): fleece)

Re:Information (5, Funny)

Kaptainkid (1366757) | more than 5 years ago | (#25157355)

For additional support information. Click this link. LOL

Re:Information (5, Insightful)

OriginalArlen (726444) | more than 5 years ago | (#25157441)

There's a big difference. The first public news of the Kaminsky DNS issue was with the release of Microsoft's Patch Tuesday DNS update, with simultaneous patches from ISC for BIND and the other affected nameservers. Dan organised all that with the help of CERT and the DNS server vendor/distributors, without leaks. Once the patches and a vague description were out, people put two and two together pretty quickly - IIRC from the BlackHat preso, the first correct solution Kaminsky received was within 48 hours - and shrewd guesses were being made within two weeks (followed by the unfortunate leak which broadly confirmed the guess.) It sounds like the cat is well and truly out of the bag here, already, and there are no patches yet. Apart from the people at the conference, there's enough detail in the sources the ZDNet blog links to to make it pretty clear which direction the shrewd guesses (and testing) will have started on.

Looking on the bright side, more browsers than nameservers auto-update themselves...

(Incidentally the reason the Internet wasn't destroyed by the Kaminsky bug was precisely because of all the prior coordination and then unequivocal "patch now" messages from multiple credible sources (CERT, Vixie, Microsoft, the other respected researchers Dan explained it to under NDA, etc.) And anyway you ARE still fucked in the long run, anyway, because DNS is still spoofable by a determined attacker (which probably means one who's going after a very high value target) in the absence of DNSSEC. Hence the (by Fed terms, frantic) haste with which the .gov root is being signed at last.

Have a great day!

Re:Information (5, Informative)

AKAImBatman (238306) | more than 5 years ago | (#25157129)

It's about using IFRAMES + CSS to make confusing visual elements that cause users to perform actions they didn't think they were performing. Feel better? ;-)

Re:Information (1)

hesaigo999ca (786966) | more than 5 years ago | (#25157303)

Autoclicker...no?

Re:Information (4, Funny)

HikingStick (878216) | more than 5 years ago | (#25157393)

You mean like the way the new Slashdot interface causes a lot of the comments to overlap, so you think you're clicking on that +3 Interesting one and you end up clicking a -1 Troll on the RNC veep candidate in a bikini...except much worse, I mean.

Re:Information (2, Funny)

AaxelB (1034884) | more than 5 years ago | (#25157369)

And, suspiciously, TFA itself is hidden behind a link! Do they really expect us to click it??

...I did click it. What a useless article.

It's a fundamental flaw with the way your browser works and cannot be fixed with a simple patch.

Oh no! There's nothing we can do!

In the meantime, the only fix is to disable browser scripting and plugins.

Uh... wha? I thought it didn't have to do with browser scripting and plugins?

So it's big and scary and you can't protect against it, except by taking basic precautions to protect yourself against it. I see.

Never gonna... (4, Funny)

null etc. (524767) | more than 5 years ago | (#25156729)

Oh great. Expect a resurgence in rickrolls. No one can protect you!

Re:Never gonna... (1)

Theoboley (1226542) | more than 5 years ago | (#25157071)

If that were the most of our worries here, It'd be hilarious! Sadly, all your computers are belong to this clickjacking....

Absolutely fascinating (0)

Anonymous Coward | more than 5 years ago | (#25157105)

I'm expecting this gem [youtube.com] to be the next Rickroll. Thanks MST3K. :)

Re:Never gonna... (2, Funny)

nine-times (778537) | more than 5 years ago | (#25157109)

With all the horrible things on the Internet, you're worried about rickrolls? Have some priorities.

We're all going to end up seeing goatse.cx again.

Re:Never gonna... (4, Funny)

Joe Snipe (224958) | more than 5 years ago | (#25157293)

We're all going to end up seeing goatse.cx again.
yeah but now it will have Rick Astley playing in the background...

Re:Never gonna... (2, Funny)

Kvasio (127200) | more than 5 years ago | (#25157479)

yeah but now it will have Rick Astley playing in the background...

Do you mean his music or that Rick will be on "giver.jpg" this time?

FF 3.0.2 safe? (2, Informative)

DavidR1991 (1047748) | more than 5 years ago | (#25156747)

Fairly certain this is one of the listed fixes for 3.0.2, but I could be wrong (Or is this _another_ kind of clickjacking flaw?)

Re:FF 3.0.2 safe? (1, Informative)

Anonymous Coward | more than 5 years ago | (#25156895)

Re:FF 3.0.2 safe? (2, Insightful)

erroneus (253617) | more than 5 years ago | (#25157267)

That's not it because the description says that disabling Javascript will not help. The bug indicated by you says disabling Javascript will help.

Clickjacking? (0)

Anonymous Coward | more than 5 years ago | (#25156753)

Isn't that what happens *after* you visit a pr0n site?

Summary wrong (5, Informative)

mazarin5 (309432) | more than 5 years ago | (#25156769)

The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.'

The quote from the article says you can protect yourself by disabling scripting:

In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but it's the best we can do right now.

Re:Summary wrong (4, Informative)

Free the Cowards (1280296) | more than 5 years ago | (#25156813)

The first quote is also from the article, so it's not the summary's fault. The article is vague and self-contradictory, so I'm calling bullshit until and unless further details are given.

Re:Summary wrong (1)

Aphoxema (1088507) | more than 5 years ago | (#25156909)

Probably just some asshole trying to make some word popular so later when the people they're trying to impress say it in conversation, they can go "Yeah?! Clickjacking! Did you know I came up with that word!?"

Re:Summary wrong (5, Informative)

jesser (77961) | more than 5 years ago | (#25157003)

The zdnet article is pretty vague, but I think it refers to the problem detailed in this message from Michal Zalewski [whatwg.org] :

"A malicious page in domain A may create an IFRAME pointing to an application in domain B, to which the user is currently authenticated with cookies. The top-level page may then cover portions of the IFRAME with other visual elements to seamlessly hide everything but a single UI button in domain B, such as 'delete all items', 'click to add Bob as a friend', etc. It may then provide own, misleading UI that implies that the button serves a different purpose and is a part of site A, inviting the user to click it."

Disabling JavaScript won't prevent the attack. It will break some mitigations, though!
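The mechanism Zalewski describes only works if domain A is allowed to load domain B inside an IFRAME, so the defence that browsers later adopted lets B declare who may frame it: the X-Frame-Options header, and the Content-Security-Policy frame-ancestors directive that supersedes it. The following is an added example, not code from this thread or from the articles it links; it evaluates a response's headers the way a browser does and reports whether a given top-level origin could frame the page. The header sets and origins (app.example, partner.example, evil.example) are constructed for the example, and origins are assumed to be already normalised lowercase scheme://host strings; ports are ignored for simplicity.

```python
"""Clickjacking defence audit: can origin X frame a page served with these headers?"""
from urllib.parse import urlparse


def _source_matches(source, framer_origin, page_origin):
    """Match one CSP frame-ancestors source expression against framer_origin.
    Handles 'none', '*', 'self', scheme-only sources (https:) and host sources
    with an optional leading *. wildcard. Ports are ignored (simplification)."""
    source = source.strip().strip("'").lower()
    if source == "none":
        return False
    if source == "*":
        return True
    if source == "self":
        return framer_origin == page_origin
    framer = urlparse(framer_origin)
    if source.endswith(":") and "/" not in source:       # e.g. "https:"
        return framer.scheme == source[:-1]
    src = urlparse(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != framer.scheme:
        return False
    host = src.hostname or ""
    if host.startswith("*."):
        # "*.partner.example" matches any subdomain, but not "evilpartner.example"
        return (framer.hostname or "").endswith(host[1:])
    return framer.hostname == host


def may_be_framed(headers, page_origin, framer_origin):
    """Return True if a browser would let a document at framer_origin embed the
    page served with `headers` (dict; header names are matched case-insensitively).
    Per the CSP spec, frame-ancestors takes precedence over X-Frame-Options when
    both are present. With neither header, framing is allowed: the state of the
    web the thread is describing."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return any(_source_matches(s, framer_origin, page_origin) for s in parts[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    # ALLOW-FROM is obsolete and ignored by current browsers, and an unknown
    # value is treated as absent, so anything else falls through to "allowed".
    return True


# Constructed sample responses for the audit (not captured from any real site).
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "xfo_sameorigin": {"x-frame-options": "sameorigin"},
    "csp_partner": {"Content-Security-Policy":
                    "default-src 'self'; frame-ancestors 'self' https://*.partner.example"},
    "csp_none_beats_xfo": {"Content-Security-Policy": "frame-ancestors 'none'",
                           "X-Frame-Options": "ALLOW-FROM https://evil.example"},
}


def audit(samples, page_origin="https://app.example", attacker_origin="https://evil.example"):
    """Map each sample name to whether the attacker origin could frame it."""
    return {name: may_be_framed(hdrs, page_origin, attacker_origin)
            for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, framable in audit(SAMPLE_RESPONSES).items():
        print(f"{name:20s} framable by attacker: {framable}")
```

Run against the samples, only the unprotected response is framable by the attacker origin; the partner policy still admits https://docs.partner.example, which is the point of scoping frame-ancestors to the origins that genuinely need to embed the page. Zalewski's scenario also needs the victim's cookies to be sent with the framed request, so SameSite cookie attributes are a complementary control not covered here.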

Re:Summary wrong (5, Interesting)

jesser (77961) | more than 5 years ago | (#25157139)

FWIW, this isn't exactly a new idea. roc and I discussed it back in 2002 [mozilla.org] .

I'm glad it's getting attention now, though. Any fix is likely to require changes to specs.

Re:Summary wrong (2, Informative)

hvm2hvm (1208954) | more than 5 years ago | (#25157385)

If that's the case, then all you have to do is look at the address bar and see if you really are on the site you are seeing. If you click on a link and find yourself looking at your page on a social network while the address says "spam.dyndns.com" you should realize something is wrong.

Re:Summary wrong (0)

Anonymous Coward | more than 5 years ago | (#25157111)

.... so I'm calling bullshit....

I'm calling shenanigans! [wikipedia.org]

Re:Summary wrong (4, Informative)

sootman (158191) | more than 5 years ago | (#25157153)

+1 for "vague and self-contradictory."

From TFA: "The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you." and then "The exploit requires DHTML." As far as I know, DHTML requires a client-side scripting language--the most popular of which (only?) is JavaScript.

Re:Summary wrong (5, Informative)

kesuki (321456) | more than 5 years ago | (#25157013)

the problem is actually in dhtml, but javascript makes the exploit 'much easier'

hence, the attack sites will all be using javascript, because it's easier than writing it entirely in dhtml just to score an extra 1 click from the guy who disabled javascript because he doesn't trust it.

BTW: in theory even sites like slashdot can be infected because the attack applies to all CSS coded sites. nice.

oh, BTW, if you have noscript installed, this vulnerability can only force clicks within the same domain, since cross site code is automatically disabled.. AFAIK the only way to disable CSS is to use obsolete browsers like lynx.

Re:Summary wrong (3, Informative)

Free the Cowards (1280296) | more than 5 years ago | (#25157051)

I thought "DHTML" was just a term for manipulating the DOM on the fly using JavaScript. How do you do DHTML without JavaScript?

Re:Summary wrong (0)

Anonymous Coward | more than 5 years ago | (#25157141)

Well CSS has events as well

Re:Summary wrong (4, Insightful)

HTH NE1 (675604) | more than 5 years ago | (#25157347)

Try the CSS pseudoclass :active to move things around, like make a facade image positioned to cover a real button disappear with display: none;.

Re:Summary wrong (1)

Free the Cowards (1280296) | more than 5 years ago | (#25157395)

Makes sense, thank you for explaining that.

Re:Summary wrong (5, Insightful)

HTH NE1 (675604) | more than 5 years ago | (#25157397)

Try the CSS pseudoclass :active

And here is an example [bonrouge.com] .

Thank Jeebus! (5, Funny)

Anonymous Coward | more than 5 years ago | (#25156773)

Finally I have a legitimate excuse for all the pr0n sites that are in my browser history. No honey, it isn't me, it's a browsers exploit! I swear!

Re:Thank Jeebus! (5, Funny)

Roberticus (1237374) | more than 5 years ago | (#25157159)

Finally I have a legitimate excuse for all the pr0n sites that are in my browser history. No honey, it isn't me, it's a browsers exploit! I swear!

I don't know how things work for you, but saying that I just got clickjacked is only going to get me into more trouble, not less.

Bullshit? (4, Insightful)

sakdoctor (1087155) | more than 5 years ago | (#25156779)

I don't think this exploit really exists. A cross browser cross platform exploit that doesn't use javascript?
Won't be losing any sleep over this one.

Re:Bullshit? (1, Informative)

Anonymous Coward | more than 5 years ago | (#25156867)

Adobe was mentioned in TFA, no specific details were given but I'd guess that flash is implicated.

Re:Bullshit? (1)

Spy der Mann (805235) | more than 5 years ago | (#25157193)

God bless Flashblock!

Konqueror? (0)

Anonymous Coward | more than 5 years ago | (#25156787)

Anybody know if/how Konqueror is affected by this??

Re:Konqueror? (4, Funny)

eln (21727) | more than 5 years ago | (#25156923)

The summary clearly states that only lynx is not affected. It's pretty obvious what's going on here: the exploit is a nefarious plot to make everyone switch over to lynx, thereby crippling the non-text-based porn industry.

Re:Konqueror? (4, Funny)

moderatorrater (1095745) | more than 5 years ago | (#25157101)

I knew that sticking with ASCII porn would pay off someday.

Premature claim (4, Interesting)

clang_jangle (975789) | more than 5 years ago | (#25156829)

scary new browser exploit/threat affecting all the major desktop platforms

I didn't find that information in TFA or in any of the TFAs linked in TFA (here [adobe.com] here [ckers.org] here [blogspot.com] here [webadminblog.com] ). Though it may be so; it sounds like this exploit makes use of the browser's access to the clipboard.
Elinks FTW!

Re:Premature claim (1)

kesuki (321456) | more than 5 years ago | (#25157181)

actually, i wiki'ed Dhtml and that is where you get the 'cross browser' information http://en.wikipedia.org/wiki/Dynamic_HTML [wikipedia.org]

seems like it's a fundamental flaw in CSS files, after adding noscript https://addons.mozilla.org/addon/722 [mozilla.org] to firefox add cssviewer https://addons.mozilla.org/en-US/firefox/addon/2104 [mozilla.org]

this allows you to find in the css the code that causes the clicking, and FWIW javascript does make the exploit massively easier, but is not needed, all one needs is to design a css file that does the desired clicks in a 0 pixel frame, and attach it to a nice little dancing pig flash game that people will forward to all their friends.

Seems like another buzzword (2, Insightful)

robinsonne (952701) | more than 5 years ago | (#25156843)

From reading TFA (I know, silly me) this seems to be pretty much fear-mongering with a fancy new buzzword. "Clickjacking" oooo scary!

Until some real technical details come up I'd say nothing to see here, move along.

Re:Seems like another buzzword (0)

Anonymous Coward | more than 5 years ago | (#25157363)

Since it's claimed to affect any major browser, who would benefit from this fear-mongering then?

OWASP (4, Interesting)

Lord Ender (156273) | more than 5 years ago | (#25156881)

was to be discussed at the OWASP conference but was nixed at the last minute at the request of affected vendors

Well, add OWASP to the list of security organizations with no integrity. It's clear they care about their sponsors, not their members.

Re:OWASP (1, Informative)

Anonymous Coward | more than 5 years ago | (#25157251)

So, after much deliberation we opted to pull our speech voluntarily, due to the extremely neutered information we'd have to be sharing. We'd much rather share the full breadth of what we found when it can be discussed more openly as to not diminish the danger of the flaw by only talking about small parts of the issue. There will still be holes in many websites due to this problem even after the short term patches are available, but we'd rather a few of the more critical problems get patched before we go public.

However, I must stress, this is not an evil "the man is trying to keep us hackers down" situation, a la Michael Lynn vs. Cisco, or Chris Paget vs. HID, or MIT vs. MBTA and so on. We proactively decided it was better to pull the speech ourselves for the time being and for anyone who was looking forward to the speech all I can say is I hope to make it up to you once the vendors are in a better spot. It wasn't an easy decision but it really feels like the best option we have given the current situation. If you're desperate for a way to patch your browser from the issue disable scripting and plugins for the time being. More to come.

Taken from http://ha.ckers.org/blog/20080915/clickjacking/ [ckers.org]

Re:OWASP (1)

Lord Ender (156273) | more than 5 years ago | (#25157299)

Ah, OK. I withdraw my criticism of OWASP as the cancellation seems not to be their fault. Apologies, guys.

Re:OWASP (2, Informative)

skis (920891) | more than 5 years ago | (#25157337)

Actually, the presenters were the ones that made that decision.

So, after much deliberation we opted to pull our speech voluntarily, due to the extremely neutered information we'd have to be sharing. We'd much rather share the full breadth of what we found when it can be discussed more openly as to not diminish the danger of the flaw by only talking about small parts of the issue.
-from ha.ckers.org

Re:OWASP (0)

Anonymous Coward | more than 5 years ago | (#25157373)

Said the ueberleet sysadmin who would like to have every single detail of the exploit known so that he may patch or mitigate the issue on the machines he administrates before the handful of people who -may- currently know about this can get to his machines in a fully targeted and surreptitious attack; concluding "sucks to be you" the following day to all the non-ueberleet sysadmin common people when they get pwnd by dozens of scriptkiddies and less methodical ne'er-do-wells after aforementioned exploit detailage made it readily possible for everybody and their dog to use it.

Re:OWASP (1)

Lord Ender (156273) | more than 5 years ago | (#25157533)

I'm an IT security penetration tester, not a sysadmin. And I want all the details of all known security vulnerabilities. Anything less puts me at a disadvantage to those who do have full details.

And with the advent of organized crime into the hacking scene, you just can't assume white-hat researchers are the only ones discovering these vulnerabilities.

Short on explanations (1)

stuntpope (19736) | more than 5 years ago | (#25156889)

FTA: "The issue has nothing to do with JavaScript...", "Javascript is not required to exploit this....", "The exploit requires DHTML." Anyone care to educate me on these seemingly contradictory statements? (and yes, I know DHTML could utilize a different, non-JS scripting language). What else is DHTML but HTML, scripts that run in the browser's scripting engine, and CSS?

How does it work? (0)

Anonymous Coward | more than 5 years ago | (#25156901)

So how does it work now?

Lynx is safe, but all other's are not. But disabling Javascript doesn't help?
Then there is
"In the meantime, the only fix is to disable browser scripting and plugins"
So what exactly does "browser scripting" mean, if not Javascript?

didn't click (5, Funny)

big whiffer (906132) | more than 5 years ago | (#25156907)

i didn't even click on this story; someone must want me to read this...

One of these things is not like the other. (5, Insightful)

Tackhead (54550) | more than 5 years ago | (#25156925)

Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

Web browser, Web browser, Web browser, Web browser, and cross-platform method for running code delivered from untrusted sources.

From TFA:

"The threat, called Clickjacking, was to be discussed at the OWASP NYC AppSec 2008 Conference but, at the request of Adobe and other affected vendors, the talk was nixed until a comprehensive fix is ready."

One vendor is, unlike the others, mentioned by name. It happens to be the vendor that ships The One Thing That Is Not Like The Others.

Also from TFA:

"According to someone who attended the semi-restricted OWASP presentation, the issue is indeed zero-day, affects all the different browsers and has nothing to do with JavaScript:"

and

"In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn't give people much technical detail to go on, but itâ(TM)s the best we can do right now."

Now we're at a quandary. Your humble correspondent is at a loss to even speculate as to the nature of a technology that Ffirstly isn't Javashit, but which can conceivably be invoked by web content regardless of which web browser is in use, but lastly can be secured against by disabling hated plug-ins.

Re:One of these things is not like the other. (1)

melikamp (631205) | more than 5 years ago | (#25157063)

Mod it up, boys.

Re:One of these things is not like the other. (5, Interesting)

Chysn (898420) | more than 5 years ago | (#25157065)

> Now we're at a quandary. Your humble
> correspondent is at a loss to even speculate as
> to the nature of a technology that Ffirstly isn't
> Javashit, but which can conceivably be invoked by
> web content regardless of which web browser is in
> use, but lastly can be secured against by
> disabling hated plug-ins.

It's a Flash exploit. I found a proof-of-concept by clicking around TFA, and it promised that the Flash movie would take over my clipboard, forcing me to close the browser window. I'm on Firefox 3.0.2, and the "proof-of-concept" did nothing.

At least nothing obvious. I suppose I could have been rootkitted.

Re:One of these things is not like the other. (1)

stuntpope (19736) | more than 5 years ago | (#25157247)

Oh, do you think so?

(sorry ;)

Firstly lastly hated plug-ins.

Re:One of these things is not like the other. (0)

Anonymous Coward | more than 5 years ago | (#25157527)

Did you even try pasting from your clipboard?

Re:One of these things is not like the other. (0)

Anonymous Coward | more than 5 years ago | (#25157075)

Bravo. I'd mod your post up if I could.

Re:One of these things is not like the other. (0, Troll)

X0563511 (793323) | more than 5 years ago | (#25157165)

Hmm, and hot on the heels of a few other security vulnerabilities.

I'm really hoping crackers exploit the hell out of flash until it's ground underfoot. If we try to do the nice thing, and suggest/recommend PROPER ways of using Flash, and the only thing we get is a resounding 'fuck you,' I think screwing flash over is called-for.

It's a shame Adobe doesn't put something in their toolkit ELUAs about proper use of Flash.

Re:One of these things is not like the other. (1)

jefu (53450) | more than 5 years ago | (#25157459)

proper use of Flash

I suspect that Adobe feels that any and all use of Flash is proper use, as do many designers who don't want to cope with HTML and javascript, marketers (who can enforce your watching their videos/animations/...), and lots of others who paid someone to build flash and want their money's worth.

But then I'm a Cranky Old Fart - so get off my browser/lawn.

IPhone Users Rejoice! (1)

Vandil X (636030) | more than 5 years ago | (#25157463)

...the lack of Flash support in Mobile Safari is now a security feature!

I was clickjacked (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25156931)

There was this slashdot article here [slashdot.org] .

Turns out some hacker clickjacked the link, replacing it with a useless link with no detail or value added. It is getting more and more common on slashdot.

The fix is ... (0)

Anonymous Coward | more than 5 years ago | (#25156949)

p0rn mode

There is nothing to see here.... (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25156957)

Please don't click here [208.65.153.238] , whatever you do. I know it is hard to resist temptation, who knows what this link holds, but I urge you not to click this link. It is much better to go to bed, sleeping nice and warm, knowing that you did not click the above link. Ever. I mean it. Clicking this link is not good for you.

Re:There is nothing to see here.... (1)

X0563511 (793323) | more than 5 years ago | (#25157177)

That doesn't work. I didn't click and I don't feel either way about not clicking. Meh.

Using CSS + JS To Find Visited Links (1)

WebmasterNeal (1163683) | more than 5 years ago | (#25156979)

This could be totally unrelated to this exploit but I devised a way to do something like this in the past where I'd use javascript to check whether a link on a page has been visited by the user or not based on what color it was. Given a huge list of websites, you could weed out what sites a user has visited and what sites they haven't by dynamically adding them to the page, then looping through the links using javascript. It could then potentially be written to a log file with the users IP.

But does it affect the links browser? (2, Interesting)

rwa2 (4391) | more than 5 years ago | (#25157041)

Using the links browser in a terminal with mouse support is almost exactly like using a browser with images turned off...

Witness:
http://www.jikos.cz/~mikulas/links/screenshots/png.html [jikos.cz]

Re:But does it affect the links browser? (0)

Anonymous Coward | more than 5 years ago | (#25157239)

1) it affects flash, so no, links is not affected
2) links is not like using a normal browser, monospace color characters cannot do correct formatting. Although, for a terminal browser, links is fairly impressive
3) I don't know how well linking to some tiny server with a page full of photos on slashdot will turn out

viral browser market cleaning (2, Insightful)

sarbrot (1024257) | more than 5 years ago | (#25157079)

ok - i read TFA, scanned all the linked blogs, their trackbacks and comments and from what i've seen there is no real info on what this is. Thinking about it for 2 minutes I had this idea that this will be the best chance ever to get rid of IE6. My hope is that all the browser vendors (including MS) have conspired that maybe 3 weeks of making scary "clickjacking" news and pushing them to the main media outlets will eventually raise awareness to let go of that horrible thing that's keeping the web from really evolving. finally a good excuse to disable your content for outdated browsers that aren't patched any more because the user might accidently the whole clickjack. But in the end - if the download links don't get clickjacked that is - MS will probably release some stupid patch that prevents IE6 from clickjacking altogether and it will be 3 more years before IE6 leaves for good....

Scary? (4, Insightful)

pyrr (1170465) | more than 5 years ago | (#25157123)

I'm trying to think of the ways this could be used to cause harm, so far the biggest threat I see is to the pay-per-click ad model, since this would be great for clickfraud. Other than that, a website could bounce you to another page on their site that you didn't intend to go to, and possibly overwhelm your browser & bandwidth with a redirect loop. I can see a hint of an issue in the way frames might be used with this exploit and 3rd-party sites (as noted in the article), but that seems to be a bit of a stretch since the original site would still be sending someone away from their site in another redirect. Plenty of sites who make the choice to be annoying already make you go through a little effort to break out of their frames when you go to an external site from one of their links, it's not the end of the world.

I'd like to hear other folks' ideas on ways this may be used for an exploit that could do damage to anything other than Google's bottom-line. Until I hear a more compelling one, this exploit doesn't strike me as being the least bit "scary". A "small potential nuisance" might be a more apt description, since it would be fairly simple for end users to just ignore its effects.

zomg Flash is insecure (2, Funny)

RockMFR (1022315) | more than 5 years ago | (#25157133)

Details at 11.

Fix for firefox here (-1, Troll)

Anonymous Coward | more than 5 years ago | (#25157147)

here [nimp.org]

Think about it... (1)

IrishLimey (938545) | more than 5 years ago | (#25157149)

Ever almost accidentally click on an AD that had popped up just as you were going to click on a link?

Why is this a problem? (1)

Jimmyisikura (1274808) | more than 5 years ago | (#25157167)

If it hijacks clicks IN browser, you just use alt-f4 to close it down, most people won't even have loaded the page by then. I don't understand how this is worse than malicious redirects. And since most websites people rely on use flash/scripts, I don't see the use in cutting scripts off.

What is missing is accountability. (1)

bboxman (1342573) | more than 5 years ago | (#25157195)

The coverage here sounds overhyped. Hype aside, the true nature of the problem is that software vendors are not held accountable for defects in their products (by drafting EULAs that basically negate any responsibility for any such defect).

We'd have fewer exploits if vendors, such as M$, were held liable for any damage incurred by their customers.

DETAILS OF THE EXPLOIT! (1, Funny)

Anonymous Coward | more than 5 years ago | (#25157205)

The exploit was first discovered at about 7:30 am after blogger Ryan Naraine's boss noted several "odd" adult sites appeared in Mr. Naraine's browser history.

So far, the exploit seems confined to browsers on Mr. Naraine's desktop, so users of affected browsers are urged to apply all public OS/browser patches and to stay away from Ryan's desktop.

And Chrome? (2, Interesting)

DeltaQH (717204) | more than 5 years ago | (#25157285)

Is Chrome affected? ;-)

I've seen this as a bug (4, Interesting)

Skapare (16644) | more than 5 years ago | (#25157317)

I've seen situations that otherwise look like benign layout bugs, where two or more hyperlinks or other clickable objects end up being overlaid on each other. It's not clear which one would be activated until you click. If someone intentionally did this AND obscured the object they wanted the victim to click, and made the other object more attractive, people might be doing such clicking. This could be easily done with CSS on one page, but there's no advantage since both links are just part of the same page. I don't think frames would do this. However, IFRAMES might do this on a cross "page" basis. The perp makes an attractive link that overlays an iframe that is loaded from another page, so the act of clicking gets the victim to effectively click on the other page. This loads something else in the iframe, but from the perspective of that other web site, it was a click on their page (based on the Referer value). The simple exploit would get people to click on an ad, and it would not be visible to the ad vendor which page was doing the exploit.
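Skapare's iframe-overlay description above, and pyrr's remark about sites that make you break out of their frames, both come down to one question: can another origin embed your page in a frame at all? The checker below is an added example, not code from this thread or from any vendor; it applies the anti-framing response headers browsers adopted after 2008 (X-Frame-Options and CSP frame-ancestors, real mechanisms) to a set of headers and reports whether a third-party page could still frame the response. The origins and header sets used in it are constructed sample data.

```python
# Added example, not from the Slashdot thread or any vendor: decide whether a
# page's response headers let another origin embed it in a frame, which is the
# precondition for the iframe-overlay click described in the thread.
# X-Frame-Options and CSP frame-ancestors are real header mechanisms; the
# origins and header dictionaries passed in are constructed sample data.
from urllib.parse import urlsplit


def _source_allows(source: str, framer: str, page: str) -> bool:
    """Match one frame-ancestors source expression against the framing origin."""
    if source == "'none'":
        return False
    if source == "'self'":
        return framer == page
    if source == "*":
        return True
    f = urlsplit(framer)
    scheme, _, host = source.rpartition("://")
    if scheme and scheme != f.scheme:
        return False
    if host.startswith("*."):  # *.partner.example matches app.partner.example
        return (f.hostname or "").endswith(host[1:])
    return f.hostname == host


def may_be_framed(headers: dict, page_origin: str, framer_origin: str) -> bool:
    """True if a browser honouring these headers would render page_origin inside
    a frame served from framer_origin, i.e. the page is exposed to clickjacking."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # frame-ancestors wins over X-Frame-Options when both are present;
            # an empty source list has the same meaning as 'none'.
            sources = parts[1:] or ["'none'"]
            return any(_source_allows(s, framer_origin, page_origin) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    # No recognised header (ALLOW-FROM is obsolete and ignored by most browsers):
    # nothing stops a third-party page from embedding this one.
    return True
```

Run it against the headers your own site actually returns; a `True` for a third-party origin on a page with clickable actions is the condition worth fixing.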

My take (4, Informative)

Spy der Mann (805235) | more than 5 years ago | (#25157455)

From Google cache:

Clickjacking

There's been a bit of drama over the last week or so around the upcoming world OWASP conference in New York. It's surrounding a talk that Jeremiah and I were planning on doing the first day of the conference. Jeremiah and I have been working on some interesting browser security issues which also affect a lot of downstream people/websites/technologies as well. Sounds like a good talk right? We thought so too!

Alas, it turns out that some of the issues we found weren't just a little bad - they were a lot bad. So bad, in fact, that we felt compelled to do some responsible disclosure. One issue led into another issue into another and poof - we have at least two and probably more incoming vendor patches at a yet to-be-determined date. And we've only worked with a few vendors. So… yah. It's pretty bad.

As you may have guessed the first is a browser company, Microsoft (to be expected since it's a browser issue to begin with). The second is Adobe - who have been working closely with us on this one since we first told them about the problem. We have been working on proof of concept code since before Blackhat and finally got our ducks in a row with real working exploit code a few weeks ago. And that is pretty much when the problems started. None of the issues we found relating to the browser were particularly easy to fix, it turns out.

The related issues we found that affect websites (instead of browsers) are thankfully slightly easier to deal with on a one-off basis, but that too is going to be a problem. There are a lot of much easier hacks out there against websites for sure, but what we've been working on breaks some previously good security measures. The correct solve will not be patching every website on earth. Instead it will likely end up being a browser patch against every major browser. The idea of every webmaster in the world patching their own sites is a non-starter. Although I'm sure lots of people are going to run out and patch their sites rather than wait for the normal browser patch and release cycle for all browsers everywhere. We've discussed the high level concern with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solve in sight at the moment.

So, after much deliberation we opted to pull our speech voluntarily, due to the extremely neutered information we'd have to be sharing. We'd much rather share the full breadth of what we found when it can be discussed more openly, so as not to diminish the danger of the flaw by only talking about small parts of the issue. There will still be holes in many websites due to this problem even after the short term patches are available, but we'd rather a few of the more critical problems get patched before we go public.

However, I must stress, this is not an evil "the man is trying to keep us hackers down" situation, a la Michael Lynn vs. Cisco, or Chris Paget vs. HID, or MIT vs. MBTA and so on. We proactively decided it was better to pull the speech ourselves for the time being and for anyone who was looking forward to the speech all I can say is I hope to make it up to you once the vendors are in a better spot. It wasn't an easy decision but it really feels like the best option we have given the current situation. If you're desperate for a way to patch your browser from the issue, disable scripting and plugins for the time being. More to come.

This entry was posted on Monday, September 15th, 2008 at 5:36 pm and is filed under Webappsec. You can leave a response as well.

And from the Adobe report:

Thanks to Jeremiah Grossman and Robert "RSnake" Hansen

Robert "RSnake" Hansen and Jeremiah Grossman recently shared with us some information they were planning to include in an upcoming presentation at the OWASP NYC AppSec conference. The presentation centered around an issue that affects multiple browsers and websites, and, as it turns out, one of our products. While they saw this issue as primarily a web browser issue, they showed us that one of their demos included an Adobe product. We worked together with Robert and Jeremiah to assess the impact of this issue, and they determined that it was in our customers' best interest to refrain from making this issue public until Adobe and web browser vendors have a chance to provide a fix or fixes to our mutual customers. We want to say thank you to Robert and Jeremiah for working with us and other vendors on this issue. We will continue to provide further information about this as it becomes available.

My take is that it's a cross-site vulnerability that can be exploited either with javascript (most probably a lack of security in the DOM implementation) or Flash. After all, how hard is it in javascript to set the innerHTML of an empty element to a form method="GET" and then do myevilform.submit()? I'm sure Flash can do that, too. And the vulnerability probably resides in the standard DOM/CSS implementation with methods accessible to both javascript and browser plugins.

After this, I'm suddenly interested in the NoScript plugin. I had never downloaded it but I think it's time to do so.
