Security Information Week 41, 2008
This Security Information has links to a lot of external web sites. So that you can keep following the original text (this one), all external links will open in separate browser windows. We apologize if this causes any inconvenience or irritation. Norman is of course not responsible for content and information residing on external web sites.
The issue
A few weeks ago a new name started circulating in security writings - "clickjacking". In the following weeks some security organizations - e.g. US CERT - as well as several web-based news agencies reported on it as a supposedly major new threat.
The fuss started when a talk scheduled for 24 September by Jeremiah Grossman & Robert "RSnake" Hansen at the OWASP NYC AppSec 2008 Conference was cancelled. The talk was titled "New 0-Day Browser Exploits: Clickjacking - yea, this is bad...". Grossman and Hansen had discovered a new vulnerability, which affected almost all browsers. However, the talk was cancelled (postponed) at a vendor's request.
The postings of 15 September from Grossman and Hansen regarding the cancelled talk are here:
Clickjacking was then briefly defined as:
"Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable."
As you will see from the links above, Hansen and Grossman did not publish many details about the vulnerability/vulnerabilities.
The vendor that asked for the talk not to be presented at the conference was apparently Adobe (maybe others too). Adobe's Security Incident Response Team (PSIRT) has publicly thanked Grossman and Hansen on its blog.
One discussion
As one could expect, the fact that some security experts had discovered a vulnerability and chosen to inform the affected vendors, and not the general Internet community, led to the usual general discussion about disclosure: what responsible disclosure is, its pros and cons, and so on.
Some dilemmas regarding this have been discussed in Norman's previous Security Information articles, see e.g. the one from week 40/2002, and will not be the topic of this writing.
Talks and speculation
Immediately after information about this cross-browser vulnerability was disclosed, speculation started. One problem was that very little specific information was available. According to Grossman and Hansen:
- "At this time just about everyone out there using the latest versions of Internet Explorer (including version 8) and Firefox 3 is affected." (Grossman)
- "(...) the only fix is to disable browser scripting and plugins." (Grossman)
- "We’ve discussed the high level concern with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solve in sight at the moment." (Hansen)
A search for the term clickjacking returns several hundred thousand results. Here are some additional links that may be useful to get a grip on what is involved. Some of these links also provide suggestions as to what you can do to protect yourself (to some extent, at least):
- Clickjacking and NoScript - Hackademix.net (by Giorgio Maone, author of e.g. the NoScript plug-in for Firefox)
- Clickjacking and Other Browsers (IE, Safari, Chrome, Opera) - Hackademix.net (by Giorgio Maone)
- Dealing with UI redress vulnerabilities inherent to the current web - a suggestion about what clickjacking is/was and several proposals for solving the issue (by Michal Zalewski)
- Researchers weigh "clickjacking" threat - SecurityFocus (by Robert Lemos)
- This Week in HTML 5 - Episode 7 - discussion of Zalewski's posting above (by Mark Pilgrim, Google)
- Not Clickjacking (Almost Certainly) - some intriguing examples of scary stuff other than (what the author believes is) clickjacking (by Tod Beardsley)
Estimating the danger
It is of course not possible to precisely figure out the danger of this vulnerability, as sufficient information has not been disclosed. Nor can one guess at the work involved in providing patches to browsers and other applications that are affected by the vulnerability.
However, with the facts that are known, one can provide some educated speculative guesses:
- The issue affects an important part of how browser design is implemented, and is probably not a design flaw in the browsers themselves, but rather in the functionality that the browsers support.
- A surfer is not vulnerable unless he/she is surfing on web sites that utilize the vulnerability. This is a major mitigating factor.
- Unfortunately lots and lots of web sites are compromised without the knowledge of those responsible for the site. There may therefore be a huge potential for ending up on a compromised web site, even for careful surfers.
- Solving the issue in browsers will probably require major rewriting.
- One can tighten browser security (more or less, depending on the browser used). This, however, will often result in a decline in the browsing experience and/or the functionality available to the surfer.
More information will be available
One thing is for sure regarding clickjacking: we have not yet seen the last writings on this issue!

