Comments on: Clickjacking: Hijacking clicks on the Internet

Security researcher warns that clicking on the Web may not always take you where you want to go.

[42istheanswer]

Don't Click this! Psych

[Random_Walk]

...seriously? This is not new. We're talking 10-year-old tech in some cases...

[inachu1]

I would like to get rid of hidden clicks. Microsoft years ago stated an update to internet explorer on a very old version of windows update must have this click to make seemless click throughs without the end user really clicking on anything.

But here you see I hate that and makes me livid! I did not click a darn thing on some website but I just sit there doing nothing then I hear a click sound.

I call that "MOUSE CLICK IMPERSONATION" and that should be illegal!

What this means is that if some local joe on his pc late at night sees some adult material and he just faps to that page then evil porn advertisers force a click to an illegal under age website then this local joe is responsible for pedophilia on his computer and he did nothing but visit a soft porn website.

So you can hear it on windowsupdate and on other sites and just just from microsoft and porn sites.

This really makes me sick and one day I was not even on a porn site but just some rated G chat room talkign about pc hard ware and while I type with 5 minutes I heard over 42 clicks!

ENOUGH ALREADY! Oh and yes my pc was clean and virus,trojan,spyware,malware free.

I am sick sick sick sick sick of this.

[BtmnHatesRbn]

Then get real with yourself, drop Micro$oft and go with Apple or Linux. Otherwise, don't complain.

[basraw]

"I would like to get rid of hidden clicks. Microsoft years ago stated an update to internet explorer on a very old version of windows update must have this click to make seemless click throughs without the end user really clicking on anything. "

NoScript addon with Firefox alerts you to ClickJacking.

[Michichael]

Old news is old.

[kieranmullen]

Old meme is old.

[MatthewFabb]

Adobe's John Dowdell comments on this story:
http://blogs.adobe.com/jd/2009/05/cnet_clickjacking_comment.html

[nowimcool]

thanks for linking that blog comment!! I hope Elinor updates us with specifics, other wise it seems this story is getting published after the issue has already been dealt with.

[jeremiahgrossman]

There is nothing ?new? attack wise with regards to clickjacking or flash videojacking -- nor does the article make such claims. The reason this issue remains relevant is despite the availability of Flash 10, clickjacking still represents a huge risk. Could we reasonably estimate that the number of Flash users not on v10 are in the millions if not tens of millions? Those are significant numbers and I believe they?d like to know that their webcam/mic could be enabled without their knowledge.

Furthermore the larger clickjacking issue in the browser security realm is brought to the forefront by the recent events that have transpired on Twitter. This is just a taste of what I and many others believe is yet to come. We failed to take XSS, CSRF, and SQL Injection seriously years back when we first knew about them and look where we are today. I?d prefer clickjacking not be ignored until something truly bad happens.

[play7]

IF you use a camera or Mic...........otehrwise its doesnt mean a thing. I never keep camera or mic plugged in all the time.......

[play7]

I dont understand why cnet showcasing this guy? As many said its a old breakin that old time users know about. Why grossman is trying to take credit for this in funny at the least. As someone said early look at the link someone posted above. Then you understand why this piece is just a waste of time.

[Voice_Of_Logic]

What part of Dont Click did these people not understand? These sort of acts need one main ingredient, in order to thrive: IDIOT USERS. Thus, I suspect this sort of thing will never go away.

[play7]

this crap is on cbsnews as well...........http://www.cbsnews.com/stories/2009/05/22/tech/cnettechnews/main5033555.shtml?tag=main_home_storiesBySection


omg is new source these days this bad!....

[leesbee]

Yes this is old news, If it looked you were going to spend money there was some site ready to highjack you to their site. And once they had you try as you mite you would never get to your intened site


BoBBy- B@ bolinousa@msn.com

[leesbee]

Can't use the truth/cnet


BoBBy-B @ bolinousa@msn.com

[t8]

The funny thing here is that Microsoft is the inventer of the iframe.
It almost seems like all vulnerabilities out there come from Microsoft.

[BtmnHatesRbn]

That's putting it together.

[Voice_Of_Logic]

And childbirth can be linked to eventual death. Using your logic, women are to blame for death? Go back to sleep.

[ofmyony]

Good information, Thanks to Whitehat and Cnet for keeping users as safe as possible. Even if its been a known vulnerability.

[jmanico]

I feel it is irresponsible to discuss security issues like clickjacking without a more complete discussion of the mitigation. If you are programming websites, you gain a great deal of risk reduction by adding "framebreaking" or "framebusting" code into your web pages. Fairly easy to do.

For a more complete discussion on this topic, check out http://www.owasp.org/index.php/Clickjacking

OWASP also offers FOSS Java-based filters to automatically afford this kind of protection for Java-based websites in the enterprise. See http://www.owasp.org/index.php/ClickjackFilter_for_Java_EE

[pwandmaker]

really? come on Elinor, this is journalism? c-net seems to read a definition on what journalism is. the quality of this site has descended into something far worse than mediocrity.

[BtmnHatesRbn]

Yeah. It's owned by CBS Viacom now!

[indnajns]

"People using Windows and IE should disable JavaScript "

This is a solution? You might as well disconnect your cable/modem line. Result would be just about the same. No one seems capable of programming a website without Javascript/ActiveX/Flash anymore. I set ActiveX to notify and most usually click NO and that gives me headaches enough. Turning off javascript would make browsing pretty much impossible. Do the people who suggest these inane things even try their own suggestions? Geesh.

(Haha. Count CNET as one of those that BREAKS when you don't allow Active X. The Comment Submit button doesn't work without it. Had to reload the page and allow Active X. I'm not even going to try it with Javascript turned off. Probably wouldn't be able to see the page at all.)

[BtmnHatesRbn]

How about saving some power and like before Windows 95 and Mac OS 8, turn the damned computers off for any period of time over an hour of non-use? And you'll even be "green" doing that.

[RavingEniac]

What is the vulnerability of non-Microsoft browsers and operating systems? If the problem doesn't exist for users of Mac OS and Linux, users of Firefox and Seamonkey and Opera, users of Windows 95 and Netscape Communicator, etc, the headline should probably be aimed at the Windows and IE versions that are vulnerable to clickjacking.

[AnthonyNYC]

He never said this was a browser specific or Operating system specific problem, he said any browser using CSS ( Cascading Style Sheets) is vulnerable, Mac and PC! Simple, just listen