Wednesday, October 08, 2008

Firefox "NoScript" Extension Blocks Clickjacking

According to Giorgio Maone, an Italian security researcher who wrote and maintains the Firefox extension "NoScript", the latest release of NoScript, version, will stop so-called "clickjacking."

NoScript is a small extension that integrates into Firefox. It blocks scripts in languages such as JavaScript and Java from executing on untrusted Web pages. These are the scripts that security researchers have warned could be used to launch an attack on a PC.

Clickjacking is largely made possible by a fundamental design feature of HTML that allows Web sites to embed content from other Web pages, Maone said. Nearly all Web browsers are vulnerable to a Clickjacking attack. However, adding the NoScript extension allows users to block the majority of scripts running on a page, thus lowering their chances of being "Clickjacked".

The new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning message asking the user if they still want to click on it. Maone said ClearClick will likely stop all Clickjacking attempts. NoScript is only for the Firefox browser.
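To make the ClearClick idea concrete, here is an added example (not NoScript's own ClearClick source) of the comparison such a check has to perform: the browser delivers a click to the topmost element under the pointer, and a clickjack works when that element is a nearly transparent frame from another site sitting over a visible decoy. The page model, the origins, the element records and the opacity threshold are all constructed assumptions for this example; in a real browser the rectangles and styles would come from getBoundingClientRect() and getComputedStyle().

```javascript
'use strict';

// Assumption: a frame with opacity below this is treated as hidden from the user.
const OPACITY_THRESHOLD = 0.3;

// Axis-aligned hit test: is the point inside the element's rectangle?
function contains(rect, point) {
  return point.x >= rect.x && point.x < rect.x + rect.w &&
         point.y >= rect.y && point.y < rect.y + rect.h;
}

// Elements under the point, ordered as the browser would deliver a click:
// highest z-index first, later-in-DOM first on ties. display:none never hits.
function hitStack(elements, point) {
  return elements
    .map((el, idx) => ({ el, idx }))
    .filter(({ el }) => el.display !== 'none' && contains(el.rect, point))
    .sort((a, b) => (b.el.zIndex - a.el.zIndex) || (b.idx - a.idx))
    .map(({ el }) => el);
}

function isVisuallyHidden(el) {
  return el.opacity < OPACITY_THRESHOLD;
}

// ClearClick-style check for one click. Returns null when the element that
// receives the click is what the user sees, otherwise a description of the
// suspected overlay: a hidden cross-site frame on top, plus the visible
// element beneath it that the user believed they were clicking (if any).
function checkClick(elements, topOrigin, point) {
  const stack = hitStack(elements, point);
  if (stack.length === 0) return null;
  const receiver = stack[0];
  // Same-origin content and non-frame elements are the page's own business.
  if (receiver.type !== 'iframe' || receiver.origin === topOrigin) return null;
  // A fully visible third-party frame is ordinary embedding, not a lure.
  if (!isVisuallyHidden(receiver)) return null;
  const decoy = stack.slice(1).find((el) => !isVisuallyHidden(el));
  return {
    frameOrigin: receiver.origin,
    frameOpacity: receiver.opacity,
    decoyId: decoy ? decoy.id : null,
  };
}

// Constructed sample page: a decoy button with a transparent frame from
// another site positioned over it, and a normal visible embedded video frame.
const TOP_ORIGIN = 'https://blog.example';
const samplePage = [
  { id: 'body',      type: 'div',    origin: TOP_ORIGIN,
    rect: { x: 0,   y: 0,   w: 800, h: 600 }, zIndex: 0,  opacity: 1 },
  { id: 'win-prize', type: 'button', origin: TOP_ORIGIN,
    rect: { x: 100, y: 100, w: 200, h: 40 },  zIndex: 1,  opacity: 1 },
  { id: 'widget',    type: 'iframe', origin: 'https://bank.example',
    rect: { x: 90,  y: 90,  w: 300, h: 80 },  zIndex: 10, opacity: 0 },
  { id: 'video',     type: 'iframe', origin: 'https://video.example',
    rect: { x: 400, y: 300, w: 300, h: 200 }, zIndex: 1,  opacity: 1 },
];

// Usage: a click on the decoy button is flagged; clicks on the visible
// video frame and on the page body are reported as safe.
console.log(checkClick(samplePage, TOP_ORIGIN, { x: 150, y: 120 }));
console.log(checkClick(samplePage, TOP_ORIGIN, { x: 500, y: 400 }));
console.log(checkClick(samplePage, TOP_ORIGIN, { x: 50,  y: 50 }));

module.exports = { checkClick, hitStack, samplePage, TOP_ORIGIN };
```

The warning decision rests on two facts the page itself owns: which element sits on top at the click point, and whether that element is effectively invisible. A visible third-party frame, such as the embedded video here, produces no warning, which is also why a check like this can raise false positives on pages that legitimately stack transparent frames over their own content.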

Security researchers Robert Hansen and Jeremiah Grossman issued the warning about clickjacking late last month. Earlier this week Adobe released an advisory to users about a "Clickjacking" workaround for Flash Player. Following that warning, Hansen received the OK to release some of the details about possible Clickjacking scenarios.

Michael R. Farnum, of ComputerWorld, reports on his first NoScript clickjacking warning.

I upgraded to 1.8.2 (I think it was yesterday), and I have already received a clickjacking warning. The picture is below. The URL is obfuscated purposefully by me since I didn't want anyone jacking around with the site (it is a secure site that requires a password - hmmm).

[Image: NoScript clickjacking warning]

So my question is this: Is this a coding error of some kind on the site, or is it a false positive? Is this something that is going to be happening to a lot of people using FF and NoScript, or did I just get lucky? Of course, one might ask if it was actually an attack. I doubt it because (like I said above) the website is a secured site that is password protected, but you never know. I am not a developer, so I don't want to go any further than that, but I am looking into contacting the developer of the site to see if they can find anything (or if they even care). If I hear anything, I will post an update.

From the information and image posted above, it would appear that the NoScript extension does work. However, as Farnum said, it might show a few false positives, unless of course the site he was visiting was indeed being "Clickjacked".
