"Clickjacking" Browser Exploit

SinisterSam · #1 September 25th, 2008, 11:27 PM

I didn't see this posted anywhere here [checked via a search] so I posted it.

"Clickjacking" Browser Exploit

Quote:

Researchers are beginning to raise an alarm for what looks like a scary new browser exploit/threat affecting all the major desktop platforms — Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

http://blogs.zdnet.com/security/?p=1972

Quote:

In response to my story earlier on the cross-browser Clickjacking exploit/threat, I received the following e-mail from Giorgio Maone, creator of the popular Firefox NoScript plug-in:

Hi Ryan,
I’ve seen a lot of speculation and confusion in the comments to your Clickjacking article about NoScript not being able to mitigate [the issue].
I had access to detailed information about how this attack works and I can tell you the following:

It’s really scary
NoScript in its default configuration can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous) — see this comment by Jeremiah Grossman himself.
For 100% protection by NoScript, you need to check the “Plugins|Forbid <IFRAME>” option.
Cheers,
Giorgio

http://blogs.zdnet.com/security/?p=1973

JRViejo · #2 September 25th, 2008, 11:48 PM

SinisterSam, Wilders members were all over this subject back on August 19th: Adobe Flash ads launching clipboard hijack attack

As Giorgio Maone pointed out and confirmed by Wilders members back then, NoScript in FF defeats clickjacking. However, it's great to read that 100% protection is achieved by checking the Forbid <IFRAME> option and it's something that everyone should do right away, if running FF with NoScript.

SinisterSam · #3 September 25th, 2008, 11:55 PM

Not exactly the same exploit.

JRViejo · #4 September 26th, 2008, 12:40 AM

The reason why I mentioned the former discussion is that halfway down the page on http://blogs.zdnet.com/security/?p=1972 it says: [SEE: Adobe Flash ads launching clipboard hijack attack] and the link takes you to the same article that was discussed on August 19th by Wilders members.

The above ZDNet article also references an Adobe PSRIT advisory talking about "The presentation centered around an issue that affects multiple browsers and websites, and, as it turns out, one of our products."

The exploit requires Dynamic HTML (DHTML) and besides JavaScript, Flash is commonly used to build interactive Web sites. This sentence in the above ZDNet article "Each click by the user equals a clickjacking click so something like a flash game is perfect bait." leads me to believe that they/we are talking about the same thing via a Flash conduit.

SinisterSam · #5 September 26th, 2008, 12:47 PM

A little more insight - http://lists.whatwg.org/pipermail/wh...er/016284.html

Bensec · #6 September 27th, 2008, 08:55 AM

I think Proper expression in Privoxy will handle it. But I will not set the expression in my filters. I dont care clicking on some unknown links. downloads are impossible, scripts are disabled, anything else to be afraid of?

JRViejo · #7 September 27th, 2008, 04:11 PM

Quote:

Originally Posted by Bensec

anything else to be afraid of?

Take a look at this article: Not Clickjacking (Almost Certainly). If you can see the IFRAME (below the main text) which injects a page from planb-security.net, your Privoxy is not blocking IFRAMEs. Try it and report back.

With Firefox 3.0.3 and NoScript 1.8.1.3, I have to allow breakingpointsystem.com and disable the Forbid <IFRAME> Option, in order to see the redirect and that's why NoScript protects against this browser exploit.

Rmus · #8 September 28th, 2008, 01:51 AM

Don't most browsers today provide for disabling Frames and Scripting?
I just tried with Opera and the exploit does not work.

----

cheater87 · #9 September 28th, 2008, 08:59 AM

Ok have that option enabled now in Noscript.

JRViejo · #10 September 28th, 2008, 02:27 PM

Quote:

Originally Posted by Rmus

Don't most browsers today provide for disabling Frames and Scripting?

Here's the rub. If I open Internet Explorer, select Tools > Internet Options > click the Security tab > choose the desired zone (Internet, Local intranet, Trusted sites, or Restricted Sites) and click Custom Level > scroll down to Launching programs and files in an IFRAME > select Disable to prevent iframes altogether, and repeat the same for each of the desired security zones, then click OK, my IE6 still shows the IFRAME in the article I posted!

EDIT: The article's Web site placed in the Restricted Zone in IE6 does not show the IFRAME but the IFrame does show in Internet & Trusted zones with IFrames disabled.

Can other Wilders members who have IE6, IE7 and IE8, try the same procedure as described above, then navigate to the link I posted and report back their results?

If FF and Opera defeat the exploit but IE does not, that's further proof to stay away from IE, unless absolutely necessary!

Rmus · #11 September 28th, 2008, 07:23 PM

Quote:

Originally Posted by JRViejo

EDIT: The article's Web site placed in the Restricted Zone in IE6 does not show the IFRAME but the IFrame does show in Internet & Trusted zones with IFrames disabled.

Confirmed.

---

JRViejo · #12 September 28th, 2008, 10:07 PM

Rmus, thank you. So, even if IFRAMES is disabled in both Internet & Trusted zones, it still allows the exploit to go through. That seems to be the problem with at least IE6. Hope someone else can test in IE7 and IE8.

HURST · #13 September 29th, 2008, 01:43 PM

Another source:

http://arstechnica.com/news.ars/post...s-unknown.html

Magnus Mischel · #14 September 30th, 2008, 01:13 PM

Here are my thoughts on the issue: http://blog.misec.net/2008/09/30/cli...curity-threat/

Personally, I think this is way overstated. A simple solution to this whole problem would be to simply not allow IFRAME content to use stored cookies for authentication. That change means that no one would be able to embed MySpace/Facebook/GMail in an IFRAME and exploit this, because you wouldn't be logged in to the site in question.

JRViejo · #15 September 30th, 2008, 01:57 PM

Magnus, I agree with you that this is much ado about nothing at the moment and that no Webmaster should ever be caught using any type of Frames in their designs, however, in my limited test with IE6, disabling IFRAMES (as I explained in Post #10) does not stop an IFRAME from showing, unless the site is placed in the Restricted Zone.

I have read about IE7 having a Developer Toolbar that can be tweaked like NoScript, but because no one else has tested the link I posted to that benign Web site, I have to assume that IE is wide open to this "potential" exploit.

Since I use Firefox with NS, that exploit will never be a problem for me and one Opera user said it wasn't an issue for them either. Yet IE remains a question mark - like always? If you have IE7 or IE8, can you test and post back?

Magnus Mischel · #16 September 30th, 2008, 02:39 PM

I don't use IE at all nor would I advise anyone else to either, given Microsoft's security track record. I doubt that there would be a way to disable IFRAMEs in IE though - the program isn't really known to be the apex of user configurability.

JRViejo · #17 September 30th, 2008, 02:55 PM

Magnus, amen to that! Unfortunately, the latest market share stats of IE users is 71% (Chrome snatches share from IE) so a lot of people are going to be susceptible to this exploit, if it ever explodes. Thanks for your thoughts.

Dude111 · #18 October 1st, 2008, 12:58 AM

Just as i thought this is nothing........ (Only people that dont know what they are doing might be affected)

tlu · #19 October 1st, 2008, 10:20 AM

Quote:

Originally Posted by Rmus

Don't most browsers today provide for disabling Frames and Scripting?
I just tried with Opera and the exploit does not work.

----

http://hackademix.net/2008/09/29/cli...-chrome-opera/

JRViejo · #20 October 1st, 2008, 12:22 PM

tlu, thank you for the link. This paragraph confirmed my suspicions about IE! Looks like Safari & Chrome are in the same boat.

Quote:

Bad news: there’s no apparent way to disable IFRAMEs in IE: you can just disable “Launching programs and files in IFRAME”, which is definitely not enough to prevent clickjacking.

So, to recap: MSIE can’t be secured 100% against clickjacking, and the protection you can get comes with a big usability cost.

Firefox with NS, and Opera are the browsers of choice to combat this exploit.

Fly · #21 October 2nd, 2008, 04:01 PM

There seems to be an option to set IEFRAME(S) to block or prompt in IE 7.

Would that be effective ?

JRViejo · #22 October 2nd, 2008, 04:53 PM

Fly, according to the article link that tlu provided, IE fails. Why don't you block IFRAMES and try the link on my post #7.

As I stated before: if you can see the IFRAME (below the main text) which injects a page from planb-security.net, your IE7 is not blocking IFRAMEs.

Dude111 · #23 October 3rd, 2008, 02:19 AM

Quote:

Originally Posted by Fly

There seems to be an option to set IEFRAME(S) to block or prompt in IE 7.

Yes the option is in IE6 also but it doesnt do anything as i have mine set to PROMPT and i didnt see anything on the test page above.. (Although it wasnt a file trying to run in the frame just a webpage loading)

AKAJohnDoe · #24 October 8th, 2008, 12:52 AM

BTW, if you would like to observe one of these, my own website apparently uses them. The main buttons on the initial page are blocked by NoScript.

tlu · #25 October 8th, 2008, 08:37 AM

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search