Web Surfers Face Dangerous New Threat: ‘Clickjacking’
October 9, 2008
Internet and Web browser security experts are sounding the alarm about a new type of malicious attack called “clickjacking,” a technique that can be used to dupe Web surfers into revealing confidential information while clicking on seemingly innocuous Web pages. Among other things, a clickjacking attack can be used to take control of a computer’s Webcam and microphone without the knowledge of the user.
Clickjacking has been identified as a vulnerability for the Adobe Flash player, as well as for every major browser, including Firefox, Internet Explorer, Opera, Safari and even the newly released Google Chrome.
“It is a very serious problem,” said Giorgio Maone, the author of a widely praised free Firefox extension called NoScript, which blocks potentially malicious scripts from running in the Firefox browser.
“Clickjacking is a very simple attack to build, and now that the details are out, any script kid can try it successfully,” Maone warned. “There’s no estimate to the number of trap sites, and it’s unlikely that we will see any credible report about the number of sites using that technique, considering there are literally infinite ways to implement such an attack, therefore no signature-based scanning can detect it automatically.”
Unauthorized Access to Data
The growing severity of the clickjacking problem was identified by Robert Hansen, CEO of SecTheory, and Jeremiah Grossman, CTO of WhiteHat Security. The two were scheduled to speak publicly about their discovery last month at the Open Web Application Security Project NYC AppSec conference in New York, but postponed their talk in order to give Adobe and browser companies a chance to come up with a solution.
Reacting quickly to the announcement, Adobe released a security advisory Tuesday, describing the threat as “critical” and instructing users on how to turn off Flash access to cameras and microphones.
“We have just posted a Security Advisory for Flash…
[Source] dhiram



