What is Clickjacking and How to Stop Clickjacking Exploit Attack


Clickjacking enables an attacker to make a user click on an invisible link without the user's knowledge or consent. Once the user clicks the link unknowingly, the attacker takes control. In plain English, clickjacking is a new cross-platform web browser exploit technique that lets hackers and scammers hide malicious content underneath the visible content of a legitimate site.

When you visit a malicious website that uses this technique, the attacker is able to take control of the links that your browser visits. Clickjacking has nothing to do with JavaScript, so turning JavaScript off in your browser will not help you. It is a fundamental flaw in the way browsers work and cannot be fixed with a simple patch. Once you are on the malicious web page, the attacker can make you click on any link, any button, or anything else on the page without you even seeing it happen. Every click by the user is a potential clickjacking click, so something like a Flash game is perfect bait.

Clickjacking: Your Browser Is Under Threat

How would a Clickjacking attack work?

Clickjacking gives an attacker the ability to trick a user into clicking on something that is only barely or momentarily noticeable. As a result, when users click on a web page, they may actually be clicking on content from another page. Clickjacking is an attack in which a user clicks on a button in a browser thinking that the button will perform a specific function, but an attacker has hijacked the button to use it for another purpose.

An attacker can invisibly hover these virtual buttons beneath the user's mouse, so that when the user clicks on something they can see, they are actually clicking on something else that the attacker wants them to act on. Clickjacking can also be exploited through the Flash plug-in that almost all browsers use to run video and video-based applications, and through many shortcut buttons in toolbars. The concept behind clickjacking is that, without highly complex tools or advanced skills, one can hijack a user's mouse clicks and use them for questionable activities.

JavaScript increases the effectiveness of these attacks enormously, because it can make the invisible target constantly follow the mouse pointer, intercepting the user's first click without fail. Using DHTML, and especially CSS, the attacker can disguise or hide the click target in several ways that go completely undetected by the user, who is easily tricked into clicking it more or less blindly.

Once an infected ad has been loaded into the user's browser, the user's clipboard can be overwritten with a URL. The exploit may also take over the user's browser and visit links without the user knowing about it.

Examples:

There are many ways end users can be affected by clickjacking attacks. While you might think you are clicking on your bank's funds transfer link, saving a favourite URL, an innocuous Facebook application, a submit button for a news story, a bank wire transfer, a Digg button or an advertising banner, the reality could be entirely different, and dark. Attackers can do quite a lot.

Clickjacking Attack Using IFRAME:

A malicious page in domain ABC may create an IFRAME pointing to an application in domain XYZ, to which the user is currently authenticated with cookies. The top-level page may then cover portions of the IFRAME with other visual elements so as to seamlessly hide everything but a single UI button in domain XYZ, such as ‘delete all items’ or ‘click to add Mr. X as a friend’. It may then provide its own misleading UI, implying that the button serves a different purpose and is part of site ABC, and invite the user to click it.
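
As an added illustration that is not part of the original post, the following JavaScript models the two halves of the IFRAME scenario above from the defender's side: the application in domain XYZ can tell that it is being displayed inside a frame rather than as the top-level document, and a page (or a browser extension acting on its behalf) can audit the iframes it embeds for the overlay-style styling the attack relies on. It uses no real DOM: the window objects and frame descriptors are constructed, the hostnames example-abc.test and example-xyz.test are placeholders, and the overlay heuristic (effectively invisible, positioned out of normal flow, still receiving clicks) is this example's own rule, not a feature of NoScript or of any browser.

```javascript
// Added example, not code from the original post. Models the IFRAME attack
// described above so a defender can reason about both sides of it:
//   1. the framed page (domain XYZ) detecting that it is not the top-level document;
//   2. the embedding page auditing its own iframes for overlay-like styling.
// No real DOM is used: window objects and frame descriptors are constructed.

// A document is framed when its own window is not the top-level window.
// In a browser this is called as isFramed(window.self, window.top).
function isFramed(selfWindow, topWindow) {
  return selfWindow !== topWindow;
}

// Heuristic (this example's own, not a browser feature): an iframe looks like a
// clickjacking overlay when it is effectively invisible, is positioned out of
// normal flow so it can sit on top of other content, and still receives clicks.
function isOverlayLike(style) {
  const opacity = style.opacity === undefined ? 1 : Number(style.opacity);
  const invisible = opacity <= 0.1 || style.visibility === 'hidden';
  const positioned = style.position === 'absolute' || style.position === 'fixed';
  const clickable = style.pointerEvents !== 'none';
  return invisible && positioned && clickable;
}

// Return the src of every iframe that is overlay-like AND comes from a different
// origin than the embedding page, i.e. the ABC-frames-XYZ shape from the text.
// In a browser, `style` would come from window.getComputedStyle(iframeElement).
function findSuspiciousFrames(pageOrigin, frames) {
  return frames
    .filter(f => new URL(f.src).origin !== pageOrigin && isOverlayLike(f.style))
    .map(f => f.src);
}

// Constructed sample: a page on the placeholder origin example-abc.test embedding
// three frames. Only the first matches: cross-origin, transparent, absolutely
// positioned and clickable. The second is same-origin; the third is visible.
const SAMPLE_FRAMES = [
  { src: 'https://example-xyz.test/account/delete-all',
    style: { opacity: '0', position: 'absolute', pointerEvents: 'auto' } },
  { src: 'https://example-abc.test/widgets/footer',
    style: { opacity: '0', position: 'absolute' } },
  { src: 'https://example-xyz.test/video',
    style: { opacity: '1', position: 'static' } },
];

// Stand-alone run with constructed windows: a window that is its own top is not framed.
const constructedWindow = {};
console.log(isFramed(constructedWindow, constructedWindow));            // false
console.log(isFramed(constructedWindow, {}));                           // true
console.log(findSuspiciousFrames('https://example-abc.test', SAMPLE_FRAMES));
// [ 'https://example-xyz.test/account/delete-all' ]
```

Note the asymmetry this makes visible: the framed XYZ page cannot inspect the covering elements, because they live in the ABC document of another origin and the browser's same-origin policy denies it that DOM, so isFramed is the only signal the target application gets on its own. The audit in findSuspiciousFrames can only be run by the embedding page itself or by something with access to the user's browser, which is why the remedies later in this article are browser-side.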

 

How to Stop Clickjacking Exploit Attack

The clickjacking exploit affects all browsers on any desktop operating system, including Linux, and covers Microsoft Internet Explorer, Apple Safari, Opera, Firefox and Adobe Flash. The only exceptions are Lynx and other text-based browsers.

 

Internet Explorer

Microsoft Internet Explorer cannot be secured 100% against clickjacking, and what protection you can get comes with a big usability cost. The following steps help, to some extent, to prevent the clickjacking exploit in Internet Explorer.

 

Open Internet Options | Security, select the “Internet” zone and set the “Security level for this zone” control to “High”.

There is no apparent way to disable IFRAMEs in Internet Explorer: you can only disable “Launching programs and files in IFRAME”, which is definitely not enough to prevent clickjacking.

 

Microsoft’s “Internet Zones” can allow individual sites to run scripts or active content, but their usability is extremely poor compared to the alternatives, requiring several clicks and some typing to build a whitelist.

 

Mozilla Firefox

Option #1: Disable Everything

Disable scripting and plugins such as Flash and others for the time being in Firefox, except for the Adblock Plus or NoScript add-ons. In Firefox click on Tools -> Add-ons -> select each plugin and disable it.

 

After disabling the plugins, shut down the browser. Then remove Adobe Flash from the system, either with apt-get or by deleting it from the plugins directory.

If Firefox 3 is installed at /opt/firefox/, change to the /opt/firefox/plugins directory: # cd /opt/firefox/plugins

Delete the Flash and other plugin files: # rm *

 

Option #2: Use NoScript Plug-in

The NoScript Firefox extension provides extra protection for Mozilla Firefox. This free, open-source add-on allows JavaScript, Java, Flash and other plugins to be executed only by trusted web sites of your choice, and also provides the most powerful anti-XSS protection available in a browser.

 

For users of Mozilla-based browsers such as Firefox, NoScript certainly represents the easiest and most secure solution; simply enabling the Plugins|Forbid <IFRAME> option in NoScript will provide complete protection.

Click on the NoScript icon located in the bottom-right status bar -> select Options -> tick Forbid <IFRAME> -> OK

 

  

Option #3: Use Lynx

Lynx and other text-based browsers are not affected by the clickjacking exploit. Lynx is a free, open-source, text-only web browser. Clickjacking won’t work in Lynx simply because there is no graphical content that an attacker can grab and pull over his own malicious code.

 

You can install Lynx using apt-get or yum:

# apt-get install lynx

OR,

# yum install lynx

 

The best option is the combination of Firefox and NoScript, an extension that blocks JavaScript, Flash and Java content, which will keep you safe from the clickjacking threat.

 

 
