Fixes Released (and More Promised) For "Clickjacking" Exploits

timothy posted about 6 years ago | from the no-death-penalty-for-online-jerks dept.

Security 70

An anonymous reader writes "As discussed previously on Slashdot, concern has been raised over a class of 'clickjacking' vulnerabilities which affect all major Web browsers. These exploits allow an attacker to place invisible or seemingly legit objects on a Web page that perform undesired actions when a user clicks on them. In recent developments, 'Guya' posted a scary proof-of-concept that hijacks Adobe Flash Player to spy on users with a webcam and/or microphone. In response, Adobe released an advisory with a temporary workaround, and stated that a future Player update will address the exploit. This prompted the original disclosers of the vulnerabilities to post a summary of the exploits. Additionally, Giorgio Maone, creator of the popular NoScript extension for Firefox and other Gecko-based browsers, released version 1.8.2.1 of NoScript, which adds 'ClearClick,' a feature that intercepts clicks made on invisible or otherwise obscured elements on a page. Although issues remain, there seems to be progress in addressing these security problems."

Has... (0)

Anonymous Coward | about 6 years ago | (#25320545)

Anyone actually seen a POC of clickjacking? I know I haven't...

Re:Has... (3, Interesting)

snl2587 (1177409) | about 6 years ago | (#25320669)

Well, an example is the "Get Add-on" link on the NoScript website: clicking it causes an iframed link from Mozilla's add-on page to be "clicked" instead.

Clickjacking's new in terminology only.

Re:Has... (2, Insightful)

Anonymous Coward | about 6 years ago | (#25320701)

But that's the user clicking on a visible item, simply embedded in the page. It's misleading, sure! But it's not the same as having a user click anywhere and it hitting an invisible item that does something completely unrelated to whatever's displayed.

Re:Has... (4, Funny)

Anonymous Coward | about 6 years ago | (#25320875)

I was describing this article to my boss, and here is what he said to me verbatim. My Emp. added.

So, should I be afraid of my web browser clickjacking me off of my normally visited websites to some spyware?

Re:Has... (0)

Anonymous Coward | about 6 years ago | (#25321551)

Except it's not an iframe?

<div id="amo-install">
<a class="install-button" href="https://addons.mozilla.org/en-US/firefox/addon/722/#install-55211" target="_blank" rel="external nofollow"
title="Install NoScript, it's free"
  ><span class="download">install now!</span></a>
</div>

Re:Has... (1)

snl2587 (1177409) | about 6 years ago | (#25323063)

Nice job looking at the page source, but you've really got to look at the javascript.

Note this bit (this is only a part; see the source for the rest):
document.getElementById("amo-install").innerHTML +=
'<iframe id="amo-installer" width="1" height="1" style="visibility: hidden; filter: alpha(opacity=0)" scrolling="no"></iframe>';

Yep. Looks like this is exactly what I was talking about.

Re:Has... (-1, Troll)

Anonymous Coward | about 6 years ago | (#25324901)

And what kind of fucking retard are you that still has javascript enabled at all? Oh yeah... a fucking retard...

The iframe does nothing.

Re:Has... (1)

Koiu Lpoi (632570) | about 6 years ago | (#25322287)

Except it doesn't at all. Mouse over the link and you can clearly see in your status bar that it goes to Mozilla's site. Clickjacking my ass.

Re:Has... (1)

snl2587 (1177409) | about 6 years ago | (#25322999)

Please read [hackademix.net].

Re:Has... (1)

Koiu Lpoi (632570) | about 6 years ago | (#25324215)

Except that it doesn't come up with that box at all, and I'm running the latest version of NoScript. Looks like they fixed it.

Re:Has... (1)

snl2587 (1177409) | about 6 years ago | (#25324407)

No, the noscript site is on your whitelist by default (along with googlesyndication.com so the developer can collect ad revenue off his site). The demo on his blog was an example of what would happen if you removed noscript.net from your whitelist and went to his site with the blocker enabled.

Re:Has... (2, Informative)

Mashiki (184564) | about 6 years ago | (#25320881)

Anyone actually seen a POC of clickjacking? I know I haven't...

Yes. I've run across it on GCW, MSNBC and Wowhead through 3rd-party advertisers. It's already in the wild, the only thing that stopped it was noscript.

Re:Has... (1)

plover (150551) | about 6 years ago | (#25321055)

Well, there's a POC linked in TFA. I tried it. It looked like it was going to work but NoScript warned me about it. Pretty cool.

NoScript is my friend.

Re:Has... (1)

Ortega-Starfire (930563) | about 6 years ago | (#25321057)

Click the proof-of-concept link in the article summary.

"Fixes" released? (-1, Offtopic)

Anonymous Coward | about 6 years ago | (#25320689)

So, ACORN is now talking about how they're fixing this election for Obama?

Re:"Fixes" released? (0)

Anonymous Coward | about 6 years ago | (#25320843)

It seems to me that ACORN just hired a bunch of low lifes who made a lot of fraudulent voter registration cards to make it look like they were doing work. It also seems like a set up to me. If election fraud does occur it'll be nice to have a patsy to blame it on.

The real way this election will be rigged is by the electronic voting machines, especially the ones that tabulate the vote at a central location and have no paper trail. It is even easy to manipulate the scantron election results.

This ACORN business is misdirection.

Re:"Fixes" released? (0)

Anonymous Coward | about 6 years ago | (#25327035)

At least ACORN isn't paying off its goons in crack this election. Well, we haven't caught them doing it this time anyways. But ACORN has a long track record of fraud. Not much new there.

Original fix (2, Funny)

MaxwellEdison (1368785) | about 6 years ago | (#25320747)

I've solved this problem by removing my mouse from the computer. Now I never click anything malicious! Or anything at all... It's all wonderfully frustrating.

Re:Original fix (0)

Anonymous Coward | about 6 years ago | (#25320965)

tab tab tab tab tab tab SHIT! shift+tab enter

Re:Original fix (0)

Anonymous Coward | about 6 years ago | (#25321171)

lmao I guess eventually then you'll remove everything but the power cord and just stare at that all day to be totally safe. haha

This stuff is why... (0, Offtopic)

DigitalSorceress (156609) | about 6 years ago | (#25320755)

This stuff is why I use NoScript and haven't even installed the Flash plugin addon to Firefox. If I REALLY want to view something in flash and I trust the content provider, I'll fire up IETab.

Not perfect, but a far sight safer than Joe Q. User.

Re:This stuff is why... (2, Interesting)

plover (150551) | about 6 years ago | (#25321085)

I have the Flash plugin, but I also run FlashBlock [mozdev.org]. It's awesome. No crappy flashy anything unless I actually want it, and then it's only a few mouseclicks away. That plus NoScript [noscript.net] meant it took me about half a dozen clicks before I had both the permission and the ability to run the clickjacking demo. I feel pretty safe with Firefox.

Re:This stuff is why... (1)

id (11164) | about 6 years ago | (#25322671)

That would be great if flashblock itself wasn't susceptible to clickjacking...

Other methods that work (0)

Anonymous Coward | about 6 years ago | (#25336365)

"That would be great if flashblock itself wasn't susceptible to clickjacking." - by id (11164) on Thursday October 09, @08:15PM (#25322671) Homepage

Which is a reason why I had suggested other methods vs. the possibility you noted, here on this website a couple weeks back when this surfaced:

Alarm Raised For "Clickjacking" Browser Exploit:

http://it.slashdot.org/comments.pl?sid=976325&threshold=-1&commentsort=0&mode=thread&no_d2=1&cid=25158835 [slashdot.org]

& that'll do the job also.

APK

P.S.=> This is why I've been warning folks about the faulty DOM (why javascript's risky really, mostly) for years now, & more recently in a security guide I wrote that states that basic protective method (i.e.-> "If you don't go into the scripting/iframes/plugins kitchen, you can't get burned"), in the news link URL above...&, it just works - simple, effective, & even allows gains in page rendering speeds as a bonus. Less risk as well, IF a plugin is faulty vs. a certain style of attack also!

That is, IF you can "obey some rules online/use some constraints" etc. et al ...

After all - Nearly all the attacks today come from some form of abuse of javascript/iframes/plugins for webbrowsers the past 3-4 yrs. now it seems, & just going to SECUNIA.COM &/or SECURITYFOCUS.COM can show anybody this much... & to myself @ least? This makes utilizing javascript/iframes/plugins, wholesale online on every site you visit... well, risky!

(imo & this type of news this article denotes, really only seconds my approach as an effective defense method, for me (& I only use javascript/activex/plugins/iframes on sites that DEMAND I do so, for FULL functionality, minimizing the risk, & as a bonus, you also process webpages faster by not using scripting & plugins too))... apk

Re:This stuff is why... (1)

thenewguy001 (1290738) | about 6 years ago | (#25321095)

Why not just use flashblock for firefox instead of firing up IE? You can enable/disable individual flash objects on the fly with flashblock.

In IE you have to let everything load, which is less secure. If the page is full of flash adverts it'll also consume more CPU cycles.

Help (4, Funny)

conner_bw (120497) | about 6 years ago | (#25320757)

Dear internet, I'm trying to give this article a "thumbs up" but now my browser is filming me nude? This isn't what I had in mind when I signed up for web 2.0.

Re:Help (1)

Loopy (41728) | about 6 years ago | (#25321261)

It's a .0 release. Haven't you learned anything from all the linux threads here?

Re:Help (0)

Anonymous Coward | about 6 years ago | (#25321553)

sux0r 2.0 - it sux0rs up all the web [sux0r.org]

Mildly intrigued by your signature I decided to click on it:

In many a drunken rant alone in front of a terminal, I dropped buzzwords like "distributed blogging", "content refactoring" and "harnessing the power of selfishness" which quite frankly sounds a lot like me talking out of my ass.

Your mother must be so proud

Re:Help (1)

conner_bw (120497) | about 6 years ago | (#25322221)

Your mother must be so proud

Yes, she is. Some people aren't prudes and understand humor when they see it.

Of course, me being nude on Slashdot not offending you in the first place kind of makes me question your understanding of reality.

Help! I'm trapped in a chinese nudist camp. (0)

Anonymous Coward | about 6 years ago | (#25322439)

Years of Goatse abuse has rendered most of slashdot blind, and sterile.

Oh great... (1)

davidbrit2 (775091) | about 6 years ago | (#25320815)

Like I need yet another NoScript update this week.

Re:Oh great... (1)

Ant P. (974313) | about 6 years ago | (#25333907)

Normally I wouldn't mind being told to update every 24 hours, but the way NoScript does it is completely fucking retarded.
What's the use of Firefox having a "show more information" button in the addon manager when all it displays is an URL to an ad-filled page with a 2 line changelog? And to rub it in, the info box isn't a real textarea so you can't just copy and paste the link.

Re:Oh great... (0)

Anonymous Coward | about 6 years ago | (#25336201)

You don't HAVE to update to (or, even USE) NoScript @ all really, as an alternate method of protecting yourself (which is pretty good in many ways)... Opera is a browser that comes with a native feature for this via its menus in TOOLS, or rightclick on page SITE PREFERENCES options popup menu.

Alternately? You can just run w/ IFrames, JavaScript, & Plugins disabled (Adobe Flash, specifically (which I was right about in it being the faulty app involved here also)) ->

Alarm Raised For "Clickjacking" Browser Exploit:

http://it.slashdot.org/comments.pl?sid=976325&threshold=-1&commentsort=0&mode=thread&no_d2=1&cid=25158835 [slashdot.org]

(2++ or so weeks ago when this surfaced as news here)

& that'll do the job also.

APK

P.S.=> This is why I've been warning folks about the faulty DOM (why javascript's risky really, mostly) for years now, & more recently in a security guide I wrote that states that basic protective method (i.e.-> "If you don't go into the scripting/iframes/plugins kitchen, you can't get burned"), in the news link URL above, which was from this site from 2-3 weeks back, regarding this "clickjacking" stuff...

&, it just works - simple, effective, & even allows gains in page rendering speeds as a bonus.

That is, IF you can "obey some rules online/use some constraints" etc. et al ...

After all - Nearly all the attacks today come from some form of abuse of javascript/iframes/plugins for webbrowsers the past 3-4 yrs. now it seems, & just going to SECUNIA.COM &/or SECURITYFOCUS.COM can show anybody this much... & to myself @ least? This makes utilizing javascript/iframes/plugins, wholesale online on every site you visit... well, risky!

(imo & this type of news this article denotes, really only seconds my approach as an effective defense method, for me (& I only use javascript/activex/plugins/iframes on sites that DEMAND I do so, for FULL functionality, minimizing the risk, & as a bonus, you also process webpages faster by not using scripting & plugins too))... apk

Why does flash (1)

British (51765) | about 6 years ago | (#25320849)

..even have a facility for the webcam and mic anyways?

Re:Why does flash (1, Informative)

Anonymous Coward | about 6 years ago | (#25320915)

People use it here for American Sign Language work. They sign into the webpage, it turns on the cam, they sign it up, and it's stored on the server for their instructor or collaborator to view/grade/whatever.

Re:Why does flash (1)

marxmarv (30295) | about 6 years ago | (#25320941)

Because all technological advancement is driven by adult media?

Re:Why does flash (1)

lysergic.acid (845423) | about 6 years ago | (#25322365)

my friend used it in his interactive media class to simulate the vision of dogs. you run the flash application and it filters the cam feed to only display the visual spectrum dogs are capable of seeing.

i don't think there's anything inherently wrong with giving flash access to webcam/mic. it creates opportunities for a lot of useful web apps. however, i do think that flash browser plugins need to warn users and have them confirm that they actually want to turn on their webcam/mic.

Simple solution: (0)

Anonymous Coward | about 6 years ago | (#25320885)

Turn off JavaScript, Java, Flash, and other plugins on the browser you use for web searches and general goofing around on the web. Use a different browser for trusted sites for serious uses, i.e. for banking.

Re:Simple solution: (2, Funny)

plover (150551) | about 6 years ago | (#25321113)

Let me get this straight: You recommend:

i.e. for banking.

and you expect us to trust you with security advice? Please!

Re:Simple solution: (1)

JCSoRocks (1142053) | about 6 years ago | (#25328159)

Re: IE for banking - I know some banking sites weren't compatible with FF for a loooong time. I'm still not sure if BofA's site is. It can be frustrating.

Re:Simple solution: (1)

FLEB (312391) | about 6 years ago | (#25323599)

While the "different browser" idea would work, turning off JS would be marginal to harmful. This is a straight HTML/CSS exploit, and, actually, turning off JS could stop preventive framebusting scripts from running.

GUESS AGAIN on javascript (& more)... apk (0)

Anonymous Coward | about 6 years ago | (#25347529)

http://www.securityfocus.com/news/11534/2 [securityfocus.com]

SALIENT QUOTE:

----

"JavaScript increases the effectiveness of this attacks hugely, because it ensures that user will click our target no matter where he points -- that is, we can move the target around to stay always under the mouse pointer"

----

Also, just taking a look around @ sites like securityfocus.com &/or secunia.com will show you, easily mind you, that the majority of attacks out there today online? Javascript/Iframes/plugins driven... & for the past 3-4 yrs. or more, no less.

Turning off Javascript/IFrames/Plugins keeps you safe(r) vs. THIS attack, & countless others (that aren't only on 'bad site pages' but, even in adbanners the past few years now as well).

APK

P.S.=> I had it right here, 2 weeks ago, in regards to the EXACT PLUGIN (Adobe Flash) USED, first off... when news of this FIRST surfaced:

Alarm Raised For "Clickjacking" Browser Exploit:

http://it.slashdot.org/comments.pl?sid=976325&threshold=-1&commentsort=0&mode=thread&no_d2=1&cid=25158835 [slashdot.org]

& Secondly?

Well - for more than a year now (& for years beforehand no less), I had been advising folks on 1 of the link URL's I posted there in that URL above (over 27 computer tech forums worldwide) to turn off javascript/iframes/plugins on sites you do NOT "need" to have them running on, for FULL functionality - this way, you stay safe(r) by far...

(Leave javascript on, for instance, for sites that require data access on say, online banking &/or shopping-commerce websites - BUT, THESE ONLY (to minimize the attack surface upon YOUR system, basically))...

That way, you're safe, regardless of the browser used (OR, even the OS used, since Javascript's DOM is the same & it is present even on *NIX variants - the only reason Windows is SO often targetted is twofold, imo - First, it has the majority of users (mostly less technically inclined than say, *NIX heads are), & Secondly, it presents the largest target to attack, thus, the highest "ROI" really)... apk

Re:Simple solution: (1)

metamatic (202216) | about 6 years ago | (#25327735)

See, this is why I think NoScript and CookieSafe (CS Lite) should be standard functionality in Firefox. In fact, they already have the functionality, they just need the friendly UI so normal people can actually use it.

But Mozilla won't do it, because it would piss off the advertisers who use JavaScript and cookies to surreptitiously track people. They might be an open source project, but they don't have the users' best interests at heart.

Re:Simple solution: (0)

Anonymous Coward | about 6 years ago | (#25347199)

"Turn off JavaScript, Java, Flash, and other plugins on the browser you use for web searches and general goofing around on the web." - by Anonymous Coward on Thursday October 09, @05:33PM (#25320885)

That's not going to stop you from being infected. You're only changing the browser used to infect yourself with what you suggest! OS used? Doesn't matter either... the DOM is the same, & since javascript/iframes/plugins run on Linux & other OS'? They're no safer, period. They're less exploited, because from the POV of a botmaster, you go after the MOST USED OS THERE IS, & that is Windows (for the greatest 'surface area to attack', that also generally overall has less "technically inclined users", where *NIX generally has "pure techno geeks", mostly).

"Use a different browser for trusted sites for serious uses" - by Anonymous Coward on Thursday October 09, @05:33PM (#25320885)

Again, same deal as my previous reply to what I quoted from you - you're only changing the browser that infects you via this attack (&, NONE OF THEM ARE SAFE vs. it, unless you take some measures yourself, via what I wrote below here, weeks ago, when this first surfaced (& I was correct on no less)):

----

Alarm Raised For "Clickjacking" Browser Exploit:

http://it.slashdot.org/comments.pl?sid=976325&threshold=-1&commentsort=0&mode=thread&no_d2=1&cid=25158835 [slashdot.org]

----

I "got lucky", there, & had guessed EXACTLY what plugin was affected back then (ADOBE FLASH), & for about a year now, on various technical forums online (27 in total) I suggested TURNING OFF JAVASCRIPT/IFRAMES/PLUGINS usage for users, to stay safe online vs. these types of attacks, & yes, MANY others also!

(I.E.-> DON'T USE JAVASCRIPT/PLUGINS/IFRAMES on "every site under the sun you go to"(& instead ONLY LEAVE IT ACTIVE FOR SITES THAT DEMAND THEIR USAGE (such as online banking &/or shopping sites often require for data access)... all other sites? Heck, turn it off... be safe(r) by far & FASTER AS WELL (due to not processing adbanners &/or webpage script tags code either))

APK

P.S.=> I've been telling folks to 'crank those off' (plugins &/or IFrames, as well as javascript (if you do NOT absolutely NEED IT, for proper page functionality (such as on online banking &/or shopping sites))), here, for more than a year now (see points after #12th posting in regards to this statement of mine here & there below also):

HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, plus, make it "fun-to-do", via CIS Tool Guidance (& beyond):

http://www.tcmagazine.com/forums/index.php?s=73ccc6e6bcaa3f449c71fc76a0e40212&showtopic=2662 [tcmagazine.com]

AND, as you can see? IT JUST WORKS (even vs. the "latest/greatest" security threats/hacks/vulnerabilities? Common-sense usually does work)... apk

The jokes on you, hackers! (2, Funny)

Gizzmonic (412910) | about 6 years ago | (#25320929)

Not only am I an exhibitionist, I'm also unbelievably ugly! You won't be 'clickjacking' to my warped, drooling countenance!

Re:The jokes on you, hackers! (1, Funny)

Anonymous Coward | about 6 years ago | (#25320993)

Goddamnit, mom! I thought I told you not to post on the same websites as me? And don't think I haven't seen you on adultfriendfinder either.

Re:The jokes on you, hackers! (-1, Offtopic)

Anonymous Coward | about 6 years ago | (#25321077)

I thought I told you not to post on the same websites as me?

How is that a question!

Re:The jokes on you, hackers! (1)

kayditty (641006) | about 6 years ago | (#25336169)

it isn't. it's a literary device.

I can fix this! (0)

Anonymous Coward | about 6 years ago | (#25320953)

I'll just fire up my webcam, stand in front of it naked and commence clicking on said sites.

Surely, after that, once (if) the hackers regain their sight, they will surely be afraid to ever try that again

I am confused (1)

RockMFR (1022315) | about 6 years ago | (#25321083)

I was under the impression that Flash runs with full privileges and can basically do anything if you have the plugin installed. Is this not the case?

Re:I am confused (1)

argent (18001) | about 6 years ago | (#25322767)

The plugin runs with full privileges.

The scripts (in Actionscript, a version of ECMAscript (nee Javascript)) run in a sandbox.

NoScript (4, Interesting)

HTH NE1 (675604) | about 6 years ago | (#25321179)

Now if only NoScript, when I choose (for example) "Temporarily allow doubleclick.net", granted that allowance only on the page I'm viewing and its descendants and not in every open tab in every window to every site their scripts are on!

Re:NoScript (3, Informative)

kesuki (321456) | about 6 years ago | (#25322329)

apparently, feature suggestions should be posted to this forum http://forums.mozillazine.org/viewtopic.php?t=826005 [mozillazine.org]

'temporarily allow site in tab' and 'temporarily allow all in tab' are features i'd suggest, but i'm too lazy to sign up for a forum and post there.

being specific to a single tab would be nice, it might add to the size of the engine, but again it would make annoying broken ad supported sites like pogo that require 26 separate sites to be 'allow' to properly load a webgame... no, i don't play pogo, but i disabled noscript from one of my parents computers so she could use pogo. I checked to see if i could just add to the white list, but that basically defeated the point of a white list, so it was disabled.

on windows it's no big deal, she uses ie, and i use firefox, but on their linux system, which she rarely uses, except when there are issues with the other computer... well, it has to stay set so she can play pogo on it if needed.

Re:NoScript (0)

Anonymous Coward | about 6 years ago | (#25325411)

The latest versions have "Allow all this page" and "Temporarily allow all this page" options, maybe it suits your requirement.

Re:NoScript (1)

kesuki (321456) | about 6 years ago | (#25331109)

they work globally across all tabs though. what if i want doubleclick okayed on one tab, but not another? it's one thing to 'have to' allow one website in one tab to play a free online game, and quite another to make every news site i'm surfing suddenly show ads, because of one site.

Are they saying this end-of-the-internet threat... (2, Insightful)

Ungrounded Lightning (62228) | about 6 years ago | (#25321787)

Are they really saying this newly-uncovered, ultra-hyped, horrible, end-of-the-internet, cross-browser, gotta-fix-the-world-but-it's-SO-hard, threat... ... was INVISIBLE BUTTONS?

Re:Are they saying this end-of-the-internet threat (3, Informative)

mr_mischief (456295) | about 6 years ago | (#25322119)

Any form of invisible link, invisible button, link or button in an iframe, getURL() call in Flash, or JavaScript handler for any normally non-clickable item that makes you go somewhere, yeah.

Re:Are they saying this end-of-the-internet threat (1)

JCSoRocks (1142053) | about 6 years ago | (#25328193)

Yeah, which is lame because I've been using those for years. They're actually really handy in certain situations. ...And that's for legitimate web app work, not spamtastic garbage. In fact if the changes they make are sweeping enough it may break some of my old code... yay.

Flash and microphones and webcams, oh my. (2, Interesting)

argent (18001) | about 6 years ago | (#25321835)

It's always kind of creeped me out that Flash even gives applets access to the microphone and webcam, and I never enable those capabilities in the program.

Yes, I understand the point of it, I just think it's creepy.

Re:Flash and microphones and webcams, oh my. (3, Funny)

cerberusss (660701) | about 6 years ago | (#25324617)

It's always kind of creeped me out that Flash even gives applets access to the microphone

Definitely creepy. One time I visited a page with a Flash-based advertisement from (apparently) a French company. When my mouse cursor inadvertently moved over the Flash applet, some kind of contact was made with the company. This French guy was screaming into his microphone "'ello?? 'ELLOO??". And he obviously saw through my cam because he continued: "Bonjour, sire! Whas arr yous eatingue?" just when I was shoving a sandwich in my pie-hole.

How is this new? (0)

Anonymous Coward | about 6 years ago | (#25323419)

So why is this "exploit" so "new and dangerous"?

I mean, does not every damn news site (with the exception of the great Slashdot) have that annoying "first time you click, we pop up an ad" thing going on? Doesn't matter if you click on whitespace, text (like to highlight it), or whatever.. first click = ad.

That was already 'clicking causing an undesired link'. This is hardly new. Boo on the finders of this 'major bug', spammers and marketing majors beat you to it by at least a year, and that's embarrassing.

Re:How is this new? (2, Insightful)

FLEB (312391) | about 6 years ago | (#25323579)

This attack makes it possible for third parties to trick you into performing actions on third-party sites, by overlaying them invisibly on something you think you want to click. An attacker could overlay a seemingly innocuous game, for instance, with an administrative panel from a common website. The settings panel would be invisible (zero or low alpha), but still would receive mouse clicks. When the "game" asks you to click two seemingly random points, you're actually clicking the "Delete my account" checkbox and "Continue" button, for instance.

Off the top of my head, it's not a world-ender, just another problem like XSS or XSRF to be vigilant against. Possible solutions (from the top of my head) would be for sensitive form pages to have a framebusting script (although this doesn't help if JS is off), and require a password or CAPTCHA (a password could be phished around, but a CAPTCHA could work, since the fake site still has no actual way to read or write the legit site).
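
The framebusting script mentioned in the comment above, sketched as an added example (not part of the original thread or any site's code). It assumes the protected page is served hidden by default so that it stays unusable inside a frame when scripting is off; `bank.example` and the fake window objects are constructed for illustration.

```javascript
// Added example: frame-busting guard for a sensitive page (e.g. account settings).
// Assumption: the page is served with <html style="display:none">, so it stays
// hidden when scripting is disabled or this script is blocked (fails closed).

// True when `win` is not the top-level browsing context. Any exception while
// inspecting the parent is treated as "framed by something we cannot trust".
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Apply the guard to a window-like object and report what happened:
//   "revealed" - page is top-level, so the hidden-by-default content is shown
//   "busted"   - page was framed and the top window was navigated to this page
//   "hidden"   - page was framed and navigation failed, so it stays hidden
function guardAgainstFraming(win) {
  const root = win.document.documentElement;
  if (!isFramed(win)) {
    root.style.display = "";      // undo the fail-closed default
    return "revealed";
  }
  root.style.display = "none";    // never render inside someone else's frame
  try {
    win.top.location = win.self.location.href;  // replace the framing page
    return "busted";
  } catch (e) {
    return "hidden";              // could not break out; remain invisible
  }
}

// Constructed stand-in for a browser window so the logic can run under Node.
// opts.framed: page is embedded; opts.blockNavigation: top refuses navigation.
function makeFakeWindow(opts) {
  const win = {
    document: { documentElement: { style: { display: "none" } } },
    location: { href: "https://bank.example/settings" }, // constructed URL
  };
  win.self = win;
  if (!opts.framed) {
    win.top = win;
    return win;
  }
  const top = { navigatedTo: null };
  Object.defineProperty(top, "location", {
    set(url) {
      if (opts.blockNavigation) throw new Error("navigation refused");
      top.navigatedTo = url;
    },
  });
  win.top = top;
  return win;
}

// Run the three cases and return the outcomes in order.
function demo() {
  return [
    guardAgainstFraming(makeFakeWindow({ framed: false })),
    guardAgainstFraming(makeFakeWindow({ framed: true })),
    guardAgainstFraming(makeFakeWindow({ framed: true, blockNavigation: true })),
  ];
}

// In a real page the guard runs once, as early as possible.
if (typeof window !== "undefined") {
  guardAgainstFraming(window);
} else {
  console.log(demo().join(", "));
}
```

Because the content starts hidden and only this script reveals it, disabling JavaScript leaves the page blank rather than clickable inside a frame, which addresses the "doesn't help if JS is off" caveat at the cost of requiring scripting for the protected page.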

Re:How is this new? (2, Insightful)

FLEB (312391) | about 6 years ago | (#25323613)

When the "game" asks you to click two seemingly random points,

s/random/arbitrary/

Re:How is this new? (1)

lorenzo.boccaccia (1263310) | about 6 years ago | (#25325481)

begin pragma grammar nazi

insightful? more an epic fail. you know, adjectives, those things that give more meaning to a word: seemingly random is not random, and seemingly arbitrary is not the correct substitution in that context

Restricting iframes (1)

StoatBringer (552938) | about 6 years ago | (#25325537)

In the case of iframes abuse, wouldn't it make sense for browsers to refuse to allow iframes to show pages which include some sort of "no_remote_display" tag? So if your page has a form which could potentially be abused, add the tag and browsers which recognise it will only show the page in its entirety, and not as part of another page or from another domain?

I realise that this may well be far too simplistic and people will probably point out a dozen reasons why it won't work and would break all sorts of things. :)

Re:Restricting iframes (0)

Anonymous Coward | about 6 years ago | (#25337063)

"In the case of iframes abuse, wouldn't it make sense for browsers to refuse to allow iframes to show pages which include some sort of "no_remote_display" tag? " - by StoatBringer (552938) on Friday October 10, @05:11AM (#25325537)

Opera has this, built in... & has, for years now, mind you + selectively, on a user-driven, site-by-site basis.

(A native method that's flexible, powerful, & easy to do, & sounds like what it is you are after, imo (based on your description (& my interpretation of it))... easily, via Opera's native security featureset!)

APK

NoScript Mandatory (0)

Anonymous Coward | about 6 years ago | (#25326499)

I can't imagine browsing without NoScript. Firefox has no competition on the computers I own and those I manage not because it's good or better than the others, but because NoScript runs on it.

With noscript installed... (1)

Mopar93 (1046032) | about 6 years ago | (#25327193)

...Slashdot pages come up much faster now!
