Tuesday, September 30, 2008

Clickjacking Vulnerability Details To Be Revealed At Hack In The Box (HITB)

Jeremiah Grossman, chief technology officer at WhiteHat Security, will discuss the vulnerability at the Hack In The Box (HITB) conference in Kuala Lumpur, Malaysia.

Grossman, along with fellow security researcher Robert Hansen, CEO of SecTheory, first came forward with information regarding the clickjacking vulnerability last week. Up till now both Grossman and Hansen have kept tight lids on the details, but here's the limited amount of information Grossman provided Computerworld last week:

"Think of any button on any Web site that you can get to appear between the browser walls," he said last Friday. "Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue..., the list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users' mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to."

In plain English, clickjacking lets hackers and scammers hide malicious stuff under the cover of the content on a legitimate site. In short, think of it as an invisible film over the top of an actual legitimate site, one you can't see but your browser can. So when you click the links that are there, your browser responds to the malicious code on the top layer, forgetting about the actual code underneath.

Again, at this time details are very sketchy, and until they release more information we won't know how bad the vulnerability truly is.

When asked when the clickjacking problems will be patched, Hansen had no clue, really -- although he was certain that the only sensible solution is for the browser makers -- Microsoft, Mozilla, Apple, Opera, Google and others -- to build protection into their applications. "The only people who can fix this in a scalable way are the browser vendors," he said.

He and Grossman have connected with Microsoft, Mozilla and Apple so far, companies that together account for more than 98% of the current browser market share. "All are working on solutions," Hansen said, though he's unsure just how high they're prioritizing the problem.

In the meantime, Adobe Systems Inc. is working on a fix, reportedly for Flash, although Hansen refused to confirm that last week. It was Adobe that convinced the pair to ditch their planned OWASP AppSec 2008 presentation, and delay disclosing their research findings.
