
Clickjacking Is Scary, Real, And Kinda Hypothetical



SecurityProNews
Staff Writer
2008-11-04



The new boogieman of the security world is the practice of "clickjacking," or slipping an invisible link over a legitimate link to trick surfers into clicking it. Prevalence: unknown. Alert level: high, because only Firefox and Adobe can stop it.


Clickjacking is still a bit of a boogieman because the vulnerability to this type of attack is very real and scary, but the actual execution of it is thus far untracked. It's possible in the same sense as the scenarios the Army runs in red-teaming exercises to devise defense strategies.

Though the type of attack, a form of cross-site scripting, has been around for a while, this new tack started getting attention at the beginning of last month. (Author's note: Sorry if I missed it then. My daughter was born at the same time and I was a little busy.)

Though not the only means of attack, an iFrame makes it possible for attackers to overlay a clickable link where a user is expected to click for some other reason: a buy button, send, download, etc. When clicked, the link brings up a page of the attacker's choosing, often without the user even noticing.

Obviously this is ugly, like a room full of Steve Buscemi ugly.

Internet Explorer, Opera, Chrome, and Safari are all said to be vulnerable to this kind of Web-based attack. Firefox 3 is as well, but with a much-touted plugin called NoScript, the risk can be managed a webpage at a time. Adobe was (relatively) quick to address flaws inherent in Flash applications (games seemed especially good targets) and issued a patch.

For other browsers, the proposed answer isn't so simple and involves disabling JavaScript, plugins/ActiveX and iFrames, or switching to Lynx, all of which make the Internet 1993 again.

Websites can protect themselves by using dynamic URLs and by having much-used buttons appear in different places randomly. Attackers would need static URLs and static hot-button placement to do any clickjacking.
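
One way a site could implement the dynamic-URL and random-placement idea described above, as an added example that is not from the original article: the page holding the sensitive button is served only at a URL carrying a short-lived token bound to the visitor's session, so a third party has no static address to frame, and the button position is redrawn on every render. The function names, key handling and 300-second lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 300  # seconds a generated URL stays valid (assumed value)


def _sign(session_id, path, expires):
    """HMAC over session, path and expiry so none of them can be swapped."""
    msg = f"{session_id}|{path}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def dynamic_url(session_id, path, now=None):
    """Return a URL for `path` that only this session can load, and only briefly."""
    issued = now if now is not None else time.time()
    expires = int(issued) + TOKEN_TTL
    return f"{path}?exp={expires}&tok={_sign(session_id, path, expires)}"


def url_is_valid(session_id, path, exp, tok, now=None):
    """Check made before rendering the page that holds the sensitive button."""
    try:
        expires = int(exp)
    except (TypeError, ValueError):
        return False  # missing or malformed expiry
    current = now if now is not None else time.time()
    if current > expires:
        return False  # stale URL: an address copied earlier no longer works
    expected = _sign(session_id, path, expires).encode()
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    return hmac.compare_digest(expected, str(tok).encode())


def button_style(max_x=400, max_y=200):
    """Pick a fresh on-page position for the button on every render."""
    x = secrets.randbelow(max_x + 1)
    y = secrets.randbelow(max_y + 1)
    return f"position:absolute;left:{x}px;top:{y}px"


if __name__ == "__main__":
    url = dynamic_url("sess-A", "/account/confirm")  # constructed sample values
    print(url)
    print(button_style())
```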



About the Author:
SecurityProNews is a daily online and email publication focusing on internet security issues.
