"Clickjacking" Browser Exploit

Discussion in 'other security issues & news' started by SinisterSam, Sep 25, 2008.

Thread Status:
Not open for further replies.
  1. SinisterSam

    SinisterSam Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    56
    Location:
    northern hemisphere
    I didn't see this posted anywhere here [checked via a search] so I posted it. :ninja:

    "Clickjacking" Browser Exploit


    http://blogs.zdnet.com/security/?p=1972
    http://blogs.zdnet.com/security/?p=1973
     
  2. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,946
    Location:
    U.S.A.
    SinisterSam, Wilders members were all over this subject back on August 19th: Adobe Flash ads launching clipboard hijack attack

    As Giorgio Maone pointed out and confirmed by Wilders members back then, NoScript in FF defeats clickjacking. However, it's great to read that 100% protection is achieved by checking the Forbid <IFRAME> option and it's something that everyone should do right away, if running FF with NoScript.
     
  3. SinisterSam

    SinisterSam Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    56
    Location:
    northern hemisphere
    Not exactly the same exploit. :ninja:
     
  4. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,946
    Location:
    U.S.A.
    The reason why I mentioned the former discussion is that halfway down the page on http://blogs.zdnet.com/security/?p=1972 it says: [SEE: Adobe Flash ads launching clipboard hijack attack] and the link takes you to the same article that was discussed on August 19th by Wilders members.

    The above ZDNet article also references an Adobe PSIRT advisory talking about "The presentation centered around an issue that affects multiple browsers and websites, and, as it turns out, one of our products."

    The exploit requires Dynamic HTML (DHTML) and besides JavaScript, Flash is commonly used to build interactive Web sites. This sentence in the above ZDNet article "Each click by the user equals a clickjacking click so something like a flash game is perfect bait." leads me to believe that they/we are talking about the same thing via a Flash conduit.
     
  5. SinisterSam

    SinisterSam Registered Member

    Joined:
    Jun 9, 2007
    Posts:
    56
    Location:
    northern hemisphere
  6. Bensec

    Bensec Registered Member

    Joined:
    Aug 4, 2008
    Posts:
    177
    Location:
    China Changsha
    I think a proper expression in Privoxy will handle it. But I will not set the expression in my filters. I don't care about clicking on some unknown links. Downloads are impossible, scripts are disabled, anything else to be afraid of? :blink:
     
  7. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,946
    Location:
    U.S.A.
    Take a look at this article: Not Clickjacking (Almost Certainly). If you can see the IFRAME (below the main text) which injects a page from planb-security.net, your Privoxy is not blocking IFRAMEs. Try it and report back.

    With Firefox 3.0.3 and NoScript 1.8.1.3, I have to allow breakingpointsystem.com and disable the Forbid <IFRAME> Option, in order to see the redirect and that's why NoScript protects against this browser exploit.
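
A way to run the check from post #7 without relying on what the browser happens to render, added here as an example and not part of the thread: the script parses HTML as it was received (for instance, saved after passing through a filtering proxy) and lists the frames that would load a page from another origin. The function names, the `example` hosts and both HTML samples are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that defines a web origin."""
    parts = urlsplit(url)
    return (parts.scheme, (parts.hostname or "").lower(),
            parts.port or DEFAULT_PORTS.get(parts.scheme))


class FrameAudit(HTMLParser):
    """Collect <iframe>/<frame> sources that load a different origin."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.cross_origin = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IFRAME SRC=...> matches.
        if tag not in ("iframe", "frame"):
            return
        src = (dict(attrs).get("src") or "").strip()
        target = urljoin(self.page_url, src)  # resolves relative and //host forms
        if urlsplit(target).scheme not in DEFAULT_PORTS:
            return  # about:blank, data:, javascript: load no remote page
        if origin(target) != origin(self.page_url):
            self.cross_origin.append(target)


def cross_origin_frames(html, page_url):
    """Return the resolved URLs of all frames that cross the page's origin."""
    audit = FrameAudit(page_url)
    audit.feed(html)
    audit.close()
    return audit.cross_origin


# Constructed samples: the same page before and after a proxy filter removed the frame.
PAGE_URL = "http://blog.example/post"
UNFILTERED = ('<p>Main text</p><iframe src="//framed.example/widget"></iframe>'
              '<IFRAME SRC="/comments"></IFRAME><iframe src="about:blank"></iframe>')
FILTERED = '<p>Main text</p><IFRAME SRC="/comments"></IFRAME>'

if __name__ == "__main__":
    for label, html in (("unfiltered", UNFILTERED), ("filtered", FILTERED)):
        print(label, cross_origin_frames(html, PAGE_URL))
```

An empty list for the filtered copy means no cross-origin frame survived the filter; same-origin frames such as `/comments` are deliberately not reported.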
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Don't most browsers today provide for disabling Frames and Scripting?
    I just tried with Opera and the exploit does not work.

    ----
     
  9. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,124
    Location:
    Pennsylvania.
    OK, have that option enabled now in NoScript.
     
  10. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,946
    Location:
    U.S.A.
    Here's the rub. If I open Internet Explorer, select Tools > Internet Options > click the Security tab > choose the desired zone (Internet, Local intranet, Trusted sites, or Restricted Sites) and click Custom Level > scroll down to Launching programs and files in an IFRAME > select Disable to prevent iframes altogether, and repeat the same for each of the desired security zones, then click OK, my IE6 still shows the IFRAME in the article I posted!

    EDIT: The article's Web site placed in the Restricted Zone in IE6 does not show the IFRAME but the IFrame does show in Internet & Trusted zones with IFrames disabled.

    Can other Wilders members who have IE6, IE7 and IE8, try the same procedure as described above, then navigate to the link I posted and report back their results?

    If FF and Opera defeat the exploit but IE does not, that's further proof to stay away from IE, unless absolutely necessary!
     
    Last edited: Sep 28, 2008
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Confirmed.

    ---
     
  12. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,946
    Location:
    U.S.A.
    Rmus, thank you. So, even if IFRAMES are disabled in both Internet & Trusted zones, it still allows the exploit to go through. That seems to be the problem with at least IE6. Hope someone else can test in IE7 and IE8.
     
  13. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
  14. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Here are my thoughts on the issue: http://blog.misec.net/2008/09/30/clickjacking-the-new-browser-security-threat/

    Personally, I think this is way overstated. A simple solution to this whole problem would be to simply not allow IFRAME content to use stored cookies for authentication. That change means that no one would be able to embed MySpace/Facebook/GMail in an IFRAME and exploit this, because you wouldn't be logged in to the site in question.
     
  15. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,946
    Location:
    U.S.A.
    Magnus, I agree with you that this is much ado about nothing at the moment and that no Webmaster should ever be caught using any type of Frames in their designs; however, in my limited test with IE6, disabling IFRAMES (as I explained in Post #10) does not stop an IFRAME from showing, unless the site is placed in the Restricted Zone.

    I have read about IE7 having a Developer Toolbar that can be tweaked like NoScript, but because no one else has tested the link I posted to that benign Web site, I have to assume that IE is wide open to this "potential" exploit.

    Since I use Firefox with NS, that exploit will never be a problem for me and one Opera user said it wasn't an issue for them either. Yet IE remains a question mark - like always? If you have IE7 or IE8, can you test and post back?
     
  16. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    I don't use IE at all nor would I advise anyone else to either, given Microsoft's security track record. I doubt that there would be a way to disable IFRAMEs in IE though - the program isn't really known to be the apex of user configurability.
     
  17. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,946
    Location:
    U.S.A.
    Magnus, amen to that! Unfortunately, the latest market share stats of IE users is 71% (Chrome snatches share from IE) so a lot of people are going to be susceptible to this exploit, if it ever explodes. Thanks for your thoughts.
     
  18. Dude111

    Dude111 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    212
    Just as I thought, this is nothing... (Only people that don't know what they are doing might be affected)
     
  19. tlu

    tlu Guest

  20. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,946
    Location:
    U.S.A.
    tlu, thank you for the link. This paragraph confirmed my suspicions about IE! Looks like Safari & Chrome are in the same boat.
    Firefox with NS, and Opera are the browsers of choice to combat this exploit.
     
  21. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    There seems to be an option to set IFRAME(S) to block or prompt in IE 7.

    Would that be effective?
     
  22. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,946
    Location:
    U.S.A.
    Fly, according to the article link that tlu provided, IE fails. Why don't you block IFRAMES and try the link on my post #7?

    As I stated before: if you can see the IFRAME (below the main text) which injects a page from planb-security.net, your IE7 is not blocking IFRAMEs.
     
  23. Dude111

    Dude111 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    212
    Yes, the option is in IE6 also but it doesn't do anything as I have mine set to PROMPT and I didn't see anything on the test page above. (Although it wasn't a file trying to run in the frame, just a webpage loading)
     
  24. AKAJohnDoe

    AKAJohnDoe Registered Member

    Joined:
    Sep 26, 2007
    Posts:
    989
    Location:
    127.0.0.1
    BTW, if you would like to observe one of these, my own website apparently uses them. The main buttons on the initial page are blocked by NoScript.
     
  25. tlu

    tlu Guest
