January 29, 2009 5:50 AM PST

Chrome, Firefox face clickjacking

by Liam Tung

Security researchers have discovered a flaw affecting Google's Chrome browser that exposes it to "clickjacking"--in which an attacker hijacks a browser's functions by substituting a legitimate link with one of the attacker's choice.

Google has acknowledged the flaw and is working toward a patch for Chrome versions 1.0.154.43 and earlier when running within Windows XP SP2 systems, according to SecNiche security researcher Aditya Sood.

Sood disclosed the flaw on Tuesday and has since posted a proof of concept on the Bugtraq vulnerability disclosure forum.

"Attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page," Sood said within the disclosure.

While Google is working on a fix, a representative for the Australian arm of the company pointed out that clickjacking can affect all browsers, not just Chrome.

"The (clickjacking) issue is tied to the way the Web and Web pages were designed to work, and there is no simple fix for any particular browser. We are working with other stakeholders to come up with a standardized long-term mitigation approach," they said.

However, Nishad Herath, an independent security researcher and CEO of Australian security consultancy Novologica, told ZDNet.com.au that after running Sood's proof of concept he found that Internet Explorer 8 (release candidate 1 and beta 2 versions) and Opera 9.63 (the latest version) were not exposed to the flaw. But, like Chrome, Firefox 3.0.5 was exposed.

Google's security researchers had not found any attacks in the wild that exploited the specific vulnerability, said Google's representative.

Clickjacking is a relatively new browser attack; security researchers Robert Hansen and Jeremiah Grossman gave a talk on it late last year at the Open Web Application Security Project security conference in New York. Such an attack broadly fits within the category of cross-site scripting forgery, where an attacker uses maliciously crafted HTML or JavaScript code to force a victim's browser to send an HTTP request to a Web site of their choosing.

"Clickjacking means that any interaction you have with a Web site you're on, for example like clicking on a link, may not do what you expect it to do," explained Herath.

"You may click on a link that looks like it's pointing to a picture on Flickr, but in reality, it might first direct you to a drive-by-download server that serves malware. These types of attacks can be used to make you interact with Web services you're already logged onto in ways that you would never want to, without you even knowing that it has happened."

Liam Tung reports for ZDNet Australia from Sydney.

(21 Comments)
by Penguinisto January 29, 2009 6:19 AM PST
Funny that they tested IE 8 beta, but not IE7, which is the current production browser... (we won't even need to discuss IE6).
by Seaspray0 January 29, 2009 7:07 AM PST
IE7 should have been tested as well.
by Super2online January 29, 2009 12:55 PM PST
I applaud Microsoft's efforts though, as the most recent article that CNET did on the newest version of IE8 release candidate went into a lot of detail about their efforts to thwart click jacking. Since release is near, and everyone has had the ability to download IE8 and use it for a very long time I think it's a valid comparison.
by tm_anon January 29, 2009 8:02 PM PST
If they tested IE8, they should also have tested Firefox 3.1 since they are both in beta.
by wavjockey January 29, 2009 6:22 AM PST
So help me out here...

Sometimes, when I am online, Firefox will reduce suddenly and a window pops up alerting me that I may be vulnerable to viruses and malware attacks.
The window is dominant and won't close without clicking on it so I use Task Manager to terminate Firefox.

Is this a "Click-jack" tactic?
by Blacksheep1982 January 29, 2009 6:35 AM PST
I don't think you are being click jacked as click jacking would most likely just direct you to another web site, that then tries to auto install malware.

Sounds like you already have some malware or spyware running on your system. I recommend going to the download section on C-Net here and downloading a few programs to check your system out. First one I recommend is Malware Bytes, second is Ad-Aware, third is Spybot Search and Destroy. Download and run all three and see what they turn up. You probably have an active program already installed on your system causing this.

If you don't have an anti-virus program, download Avira or AVG from C-Net and run a scan as well.
by Imalittleteapot January 29, 2009 6:46 AM PST
Check to see if it only happens at certain websites or at just simply random times. I get virtually no popups anymore. If you're just getting popups at random times it also sounds like you may have been infected with some type of adware trojan. These things hijack your system in different ways so that when you go to one website the adware swaps it out for another behind the scenes, pops up a popup and then redirects to the page you were actually trying to go to. This way you think the popup came from that site when it actually didn't. Usually when this happens your web browsing gets very slow but not always.

Also, hit download.com and download some anti-malware and scan your system for any adware. Use two or three anti-malware programs if you have to. Not all of them find everything in a scan. Someone may have infected your system just so they can sell you their cure to the problem they created. That's how that scam works.

However, if it just keeps happening at the same website each time it may just be a regular paid for popup ad or a type of clickjack, but you should check your own system first. If you're really worried about it just back up your files and reinstall Windows completely or track down someone that can do it for you. That's actually the best easiest fix, but only if you've installed Windows before. If not, you should learn how. It's really not that hard. Backup, format, reinstall, install drivers, install the software you use, then copy your backed up files back over. It's easy, but if you've never done it you'll need help.
by c|net Reader January 29, 2009 9:27 AM PST
That is not clickjacking. A web site you visit may have some advertisement that does something awkward with Firefox so that the main window shrinks. It could be a web site that is hacked. It could be malware on your system as others have mentioned.

Running the NoScript Firefox add-on is a great way to manage such things. Just don't get in the habit of enabling scripts on every site you visit just because it doesn't render right. (Uglier but usable is still usable and certainly safer.)
by zizzybaloobah January 29, 2009 6:35 AM PST
I hope Microsoft doesn't think they're off the hook - there are a lot of W2K users who can't upgrade IE and thus will be vulnerable to this exploit.
by Hunnter2k3 January 29, 2009 7:16 AM PST
But to be perfectly honest, their fault for sticking with a terrible browser.
There are plenty of other ones out there more up-to-date that work on it.

And if they work for a company who refuses to stop using ActiveX, leave it and find a better job because they suck for building applications on a plugin for a browser. (this goes for Flash AND Silverlight too)
Plugins ruined the web... without them, JavaScript might have actually been fixed up instead of the mess it is in now.
by Seaspray0 January 29, 2009 7:17 AM PST
W2K is over 8 years old. Support is over for W2K. Get real.
by smilin:) January 29, 2009 10:31 AM PST
Windows 95 users can't upgrade IE either.

Who gives a crap. It's *** 2 0 0 9 *** now, time to join the rest of us.
by 1Jlo January 29, 2009 7:27 AM PST
Actually, MS support for Windows is 10 years, so Win2K is still in support for security updates.
by FutureGuy January 29, 2009 7:48 AM PST
I refuse to believe that this is a security bug in a Google product.
by smilin:) January 29, 2009 10:47 AM PST
You REFUSE. haha

Believe whatever you want. Heck, go rub your temples and believe that web pages are delivered by magical intarweb fairies.
by basraw January 29, 2009 8:54 AM PST
There is an add on for Firefox that detects click jacking.

It's called NoScript.
by c|net Reader January 29, 2009 9:29 AM PST
Running NoScript in Firefox protects you from clickjacking, even when scripts are enabled for a web site, though certainly when scripts are disabled. If you use Firefox, you owe it to yourself to use NoScript (and give yourself a chance to understand how it works and how you should use it).
by umbrae January 29, 2009 10:48 AM PST
Yes, NoScript and CS Lite are 2 plugins no Firefox user should be without.
by umbrae January 29, 2009 10:47 AM PST
Firefox is not affected if you use the NoScript plugin, which a large majority do. IE8 doesn't count unless you also tested beta versions of the other browsers. For IE7 users there is no fix.
by blundergod2112 February 1, 2009 6:55 AM PST
NoScript will only help if you have not clicked on "allow". If you have allowed scripting to run on a particular page then clickjacking is possible. I believe the best option for Firefox is to install Cross Site Request Forgery (CSRF), which is another Firefox add-on. I have been using it for a few months after I heard about clickjacking, and it is a great add-on for peace of mind.
by blundergod2112 February 1, 2009 10:13 AM PST
My mistake on the last comment. CSRF is for Cross Site Request Forgery which differs from Clickjacking. Umbrae is correct that NoScript has an option to forbid IFRAME, which I believe is set to "FORBID" by default when installed. Although I have read that IFRAME is not the only means of Clickjacking. Other ways are through page scripting via Java, Flash, Silverlight, etc. So my previous comment about setting NoScript to allow still holds true. It is not 100%, but it certainly helps!!!

If you use NoScript, I suggest verifying that you have IFRAME set to forbid.

Also to note, I just checked the Mozilla web site and the CSRF addon has been disabled as they are looking into issues where online purchases do not work when enabled. I haven't experienced any problems however.