Monday, September 29, 2008

Clickjacking: A New Kind of Digifraud We Should All Be Worried About

Information on clickjacking is deliberately sketchy, but as I understand it the idea is that an attacker offers a sort of invisible button that takes you to the destination of their choice when you click. You THINK you are clicking on something you see on the screen, but the click actually lands somewhere else.

The attack positions an invisible tag (a page element) below your mouse, wherever you point, so that when you click you go to the destination of their choice.

From the Computerworld article at http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=16&articleId=9115700&intsrc=hm_topic:

Hansen's research partner, Jeremiah Grossman, chief technology officer at WhiteHat Security Inc., explained how attackers could exploit clickjacking vulnerabilities.

"Think of any button on any Web site, internal or external, that you can get to appear between the browser walls," Grossman said in an e-mail on Friday. "Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users' mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to."

Hansen seconded Grossman's example with one of his own. "Say you have a home wireless router that you had authenticated prior to going to a [legitimate] Web site. [The attacker] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules. That would give them an advantage in an attack."

Hackers would not need to compromise a legitimate site in order to conduct a clickjacking attack underneath it, Hansen added.

Those who discovered the vulnerability are voluntarily staying mum about the details until protections can be created. Until then, we can only hope that what we see is actually what we clicked.
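The protections the post is waiting for did arrive, after it was written: browsers now honour an X-Frame-Options header (DENY or SAMEORIGIN) and the Content-Security-Policy frame-ancestors directive, either of which stops a page being loaded inside the hidden frame described above. The following is an added example, not code from the original post or from Computerworld: a small Node.js audit that reads a response's headers and reports whether they block framing. The header objects are constructed samples, and the function names are my own.

```javascript
// Added example: decide whether an HTTP response's headers prevent the page
// from being framed (the precondition for the invisible-button attack).
// Header names follow Node's http.IncomingMessage.headers (lower-cased keys).
// Per CSP Level 2, frame-ancestors takes precedence over X-Frame-Options when
// both are present, so it is checked first.

function parseFrameAncestors(cspValue) {
  // Return the frame-ancestors source list, or null if the directive is absent.
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function assessFramingProtection(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const sources = parseFrameAncestors(csp);
    if (sources !== null) {
      // An empty list or 'none' forbids all ancestors; '*' allows any site to frame the page.
      if (sources.length === 0 || (sources.length === 1 && sources[0] === 'none')) {
        return { protected: true, reason: "frame-ancestors 'none'" };
      }
      if (sources.includes('*')) {
        return { protected: false, reason: 'frame-ancestors allows any origin' };
      }
      return { protected: true, reason: 'frame-ancestors limited to ' + sources.join(' ') };
    }
  }
  const xfo = headers['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY' || value === 'SAMEORIGIN') {
      return { protected: true, reason: 'x-frame-options ' + value };
    }
    return { protected: false, reason: 'unrecognised x-frame-options value: ' + xfo };
  }
  return { protected: false, reason: 'no anti-framing header; page can be loaded in a hidden frame' };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  unprotected: { 'content-type': 'text/html' },
  legacyHeader: { 'x-frame-options': 'sameorigin' },
  cspOnly: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  cspTooOpen: { 'content-security-policy': 'frame-ancestors *' },
};
for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name, assessFramingProtection(headers));
}
```

Run it with `node` to see one line per sample; in a real audit, feed it the headers from an actual response to the page that carries the button you care about (for example a transfer or settings form).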

Thanks for reading, and don't forget to write.
