Security researchers will present their full findings in less than a month

Sep 30, 2008 10:22 GMT

Researchers Jeremiah Grossman, founder of WhiteHat Security, and Robert “RSnake” Hansen, founder of SecTheory, announced that they would fully disclose their research and PoC exploits at the Hack In The Box (HITB) conference in Kuala Lumpur, 27-30 October. At Adobe's request, the researchers had previously canceled a presentation on critical clickjacking vulnerabilities that affect all current browsers.

Clickjacking is a type of attack that hijacks users' mouse clicks on a website and redirects them to other items. This means, for example, that while a user sees, inside the browser, that he is clicking on a legitimate picture from a legitimate website, his actual click can be maliciously redirected to a link serving malware. This is caused by a core design flaw that affects all websites, but the only realistic approach to patching it is within the browsers. "The only people who can fix this in a scalable way are the browser vendors," noted Hansen.

Jeremiah Grossman and Robert Hansen have developed several proof-of-concept exploits to demonstrate that clickjacking is a very serious threat that is generally disregarded. They were planning a presentation at the Open Web Application Security Project conference in New York, but while they were collaborating with several browser vendors to address the issues, Adobe's Product Security Incident Response Team requested additional time to patch one of its affected products.

“One Clickjacking PoC utilized an Adobe product with an attack technique they considered to be a critical issue, we just hadn’t realized it, so we narrowly avoided 0-day’ing them,” noted Mr. Grossman at that time. The researchers agreed to delay disclosing their findings because they considered it the right thing to do. “I must stress, this is not an evil ‘the man is trying to keep us hackers down’ situation, a la Michael Lynn vs. Cisco, or Chris Paget vs. HID, or MIT vs. MBTA and so on,” said Mr. Hansen.

The two researchers now think that the upcoming HITB conference is a good opportunity to go ahead with a full disclosure. "We gave Adobe time out of courtesy because they asked and we have a good working relationship with them. They are using the time productively, but we could not agree to another delay," wrote Grossman in an e-mail, according to Network World. The researchers notified Adobe of their disclosure plans during the past weekend.

Grossman commented on Adobe's yet-to-be-released patches, noting that "we have no ETA on Adobe fixes, but we're hopeful that it'll be weeks and not months. Whether or not they 'patch,' it will not change the content of my keynote speech," and added that "our belief is clickjacking as an issue is not a problem in their software, but with browsers in general. It would not be fair to the others that it does impact to be without the information they need".