[OT] "Clickjacking"

Richard Gaskin ambassador at fourthworld.com
Thu Oct 9 12:57:13 EDT 2008

Maybe this is only semi-OT, since RunRev has announced plans to deliver 
a browser plugin:

Web Surfers Face Dangerous New Threat: 'Clickjacking'

Internet and Web browser security experts are sounding the alarm about a 
new type of malicious attack called "clickjacking," a technique that can 
be used to dupe Web surfers into revealing confidential information 
while clicking on seemingly innocuous Web pages. Among other things, a 
clickjacking attack can be used to take control of a computer's Webcam 
and microphone without the knowledge of the user.

Clickjacking has been identified as a vulnerability for the Adobe Flash 
player, as well as for every major browser, including Firefox, Internet 
Explorer, Opera, Safari and even the newly released Google Chrome.

"It is a very serious problem," said Giorgio Maone, the author of a 
widely praised free Firefox extension called NoScript, which blocks 
potentially malicious scripts from running in the Firefox browser.

"Clickjacking is a very simple attack to build, and now that the details 
are out, any script kid can try it successfully," Maone warned. "There's 
no estimate to the number of trap sites, and it's unlikely that we will 
see any credible report about the number of sites using this technique, 
because there are literally infinite ways to implement such an attack, 
therefore no signature-based scanning can detect it automatically."

Maone agreed. "This problem comes from features which are integral to 
the modern Web as we know it," he said, "and especially from the ability 
of Web pages to embed arbitrary content from different sites, or to host 
little applications (applets) through plug-ins like Adobe Flash, Java or 
Microsoft Silverlight."

Maone predicted that a general browser fix won't be developed any time 
soon, since the real solution lies in developing a general consensus 
about changing existing Web standards in the various Internet 
standardization groups.


Adobe's remedy is available here:

There are several implications with this:

1. People will become more wary of plugins

    The risks of running compiled code within a browser will at
    last be given appropriate attention.  When running compiled
    code, even as a plugin, the code can make use of any API
    the OS provides, and there's no way to know what it's
    doing.  This is not new, but most lay people have been lulled
    into a false sense of security under the misconception
    that if it runs in a browser it's somehow restricted to the
    browser's sandbox.  This news corrects that misconception.

2. Plugin vendors will have to work harder to gain confidence

    Deploying new web plugins has always been difficult in a world
    where Flash is pre-installed, but these perceptual challenges
    will increase given #1 above, requiring extra effort from the
    vendor to convince an audience of the soundness of a plugin.
    With this exploit occurring in the most popular plugin of all,
    we can expect the perceptual challenges to affect new (in the
    minds of users and IT staffers, read "untested") plugins
    even more strongly.

3. Plugin APIs may become more onerous, and therefore expensive

    This is pure conjecture on my part, but to the degree that
    #1 has any traction we may find browser vendors responding
    by attempting to provide safeguards within their APIs to try
    to minimize such risks.   It's hard to say what they might
    come up with, but it seems unlikely they'll continue to keep
    the plugin API as a sort of open-ended "wild west" of
    possibilities, perhaps using Java's restrictions as a model.
    Such restrictions, however necessary to regain user trust, may
    limit capabilities and/or increase the development challenges
    of making plugins.

I don't mean to rain on the plugin parade, but I do feel it's useful to 
maintain a sober awareness of how the market may respond to this exposure.

Those anticipating plugin deployment within their own organizations will 
likely see little difference in its acceptability.  But those planning 
public sites driven by a plugin for a more general audience may do well 
to be prepared to address security concerns.

  Richard Gaskin
  Managing Editor, revJournal
  Rev tips, tutorials and more: http://www.revJournal.com
