Tuesday, October 07, 2008

Clickjacking Details Emerge

SecTheory CEO Robert Hansen has finally go the ok from Adobe to release more information about the new threat that he and fellow security researcher Jeremiah Grossman of WhiteHat Security found.

"First of all let me start by saying there are multiple variants of clickjacking," "Some of it requires cross domain access, some doesn't. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some requires JavaScript, some doesn't. Some variants use CSRF (cross-site request forgery) to preload data in forms, some don't. Clickjacking does not cover any one of these use cases, but rather all of them."

Hansen breaks down several scenarios and ways in which clickjacking can be used, so I strongly suggest reading his full post on his blog, as I really wouldn't do his explanation justice.

Adobe has posted an advisory to address concerns about clickjacking and they have stated they are preparing a critical a patch for Flash Player. In the meantime, Adobe advises IT administrators to change the AVHardware Disable value in client mms.cfg files from 0 to 1 to disable client Flash Player camera and microphone interactions. It also recommended users go to the Global Privacy Settings panel of Adobe Flash Player Settings Manager and select the "Always deny" button.

For a video demonstration of a clickjacking attack against Flash checkout researcher Guy Aharonovsky's blog post "Malicious camera spying using ClickJacking". He does note that Adobe has fixed this issue but it is still interesting to watch and gives you a good idea of how clickjacking works.

No comments:

Post a Comment

All comments will be moderate for content, please be patient as your comment will appear as soon as it has been reviewed.

Thank you