Adobe has released an advisory that describes the Flash Player vulnerability, which previously prompted security researchers Jeremiah Grossman and Robert Hansen to halt the disclosure of technical details regarding clickjacking attacks. According to the advisory, by using clickjacking techniques, an attacker can gain access to a user's webcam and microphone by tricking the user into unknowingly enabling them via the Flash Player Settings Manager.
Clickjacking is a generic name for various attacks that redirect a user's mouse click from a legitimate item on a Web page to whatever the attacker desires. Clickjacking, also known as user interface (UI) redressing, is therefore not one particular attack but a class of attacks. The general concept behind these attacks is placing an invisible button or link under the user's mouse pointer while the user surfs a Web page, and hijacking the click when the user selects an item considered safe.
Some clickjacking techniques have been known since as early as 2002, but have been largely ignored from a security perspective, because they were considered to rely on logic flaws rather than actual bugs. Since then, however, threats like cross-site scripting (XSS) and cross-site request forgery (CSRF) have opened new possibilities for clickjacking. Jeremiah Grossman and Robert Hansen have been working on demonstrating how clickjacking techniques can enhance CSRF and XSS attacks, or how they become dangerous when combined with things previously considered harmless, like the Flash Player Settings Manager.
The two researchers canceled their initial OWASP conference presentation of their clickjacking-related findings at the request of Adobe's Product Security Incident Response Team, which realized that combining clickjacking with the Flash Player Settings Manager opened a door to illegal spying through computer webcams and microphones. The researchers later announced that they were planning to go ahead with full disclosure later this month, considering that Adobe would have had enough time until then to release a patch.
Due to the impromptu disclosure, Grossman and Hansen have also partially released their own findings on their blogs. “Jeremiah and I got the final word today that it was fine to start talking about this due to the click jacking PoC against Flash that was released today that essentially spilled the beans regarding several of the findings that were most concerning,” noted Robert Hansen. He also pointed out that several other researchers had discovered the vulnerabilities on their own, but decided to keep quiet about it. “Thanks to the researchers who found these issues independently after Jeremiah and I were unable to do our speech, but kept it to themselves (Arshan Dabirsiaghi, Jerry Hoff, Eduardo Vela, Matthew Matracci, and Liu Die Yu),” Hansen writes. Meanwhile, Grossman notes that “predictably several people did manage to uncover much of what we had withheld on their own, who thankfully kept it to themselves after verifying it with us privately.”
Many researchers claim that this is just the beginning: even once the disclosed issues are fixed, clickjacking itself has no simple solution. It is not a surface problem, but one that originates in the fundamental building blocks of today's Web architecture, like CSS/DHTML and IFRAMEs. These cannot be easily eliminated, and it is very likely that more clickjacking-based attack techniques will be devised.
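As an added example (not code from the article, from Adobe, or from Grossman and Hansen's proof of concept), the following JavaScript makes the mechanism described above concrete: a decoy control is placed where the victim expects to click, and a fully transparent frame of the target page is stacked on top, shifted so that the target's real control lands under the decoy. It also carries the practical caveat to "no simple solution": since the browser cannot be expected to stop stacking transparent frames, the fix lives on the framed page, which must tell the browser to refuse framing. The anti-framing headers checked here (X-Frame-Options and the CSP frame-ancestors directive) postdate this article; the origins, URL, offsets and headers are constructed for illustration, and the policy evaluation is a simplified model of browser behaviour, as the comments state.

```javascript
// Added example, not code from the article or from the researchers' PoC.
// Part 1: the attacker's page. The target's real control sits at
// (offsetX, offsetY) inside the target page; shifting the frame by the
// negative offset puts that control exactly under the decoy at (0, 0).
// All values are constructed for illustration.
function buildClickjackPage({ targetUrl, decoyLabel, offsetX, offsetY, width, height }) {
  const frameStyle = [
    'position:absolute',
    `left:${-offsetX}px`,
    `top:${-offsetY}px`,
    `width:${offsetX + width}px`,
    `height:${offsetY + height}px`,
    'opacity:0',   // invisible, but still the element that receives the click
    'z-index:2',   // stacked above the decoy
    'border:0',
  ].join(';');
  return [
    '<!doctype html><html><body>',
    `<button style="position:absolute;left:0;top:0;width:${width}px;height:${height}px;z-index:1">${decoyLabel}</button>`,
    `<iframe src="${targetUrl}" scrolling="no" style="${frameStyle}"></iframe>`,
    '</body></html>',
  ].join('\n');
}

// Part 2: would a browser render targetOrigin's response inside a frame on
// embedderOrigin? Simplifications, stated as assumptions: only the direct
// embedder is checked (real browsers walk the whole ancestor chain); CSP host
// sources are matched as exact origins (no wildcard subdomains); a present
// frame-ancestors directive takes precedence over X-Frame-Options, as current
// browsers do; unrecognised X-Frame-Options values are ignored.
function framingAllowed(headers, targetOrigin, embedderOrigin) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;
  const target = targetOrigin.toLowerCase();
  const embedder = embedderOrigin.toLowerCase();

  const csp = lower['content-security-policy'];
  if (csp) {
    const directive = csp.split(';')
      .map(d => d.trim().split(/\s+/))
      .find(parts => parts[0].toLowerCase() === 'frame-ancestors');
    if (directive) {
      const sources = directive.slice(1).map(s => s.toLowerCase());
      // An empty source list, or 'none', matches no ancestor at all.
      if (sources.length === 0 || sources.includes("'none'")) return false;
      return sources.some(src =>
        src === '*' ||
        (src === "'self'" && embedder === target) ||
        src === embedder);
    }
  }

  const xfo = lower['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return false;
    if (value === 'SAMEORIGIN') return embedder === target;
  }
  // No anti-framing header: any site, including the attacker's, may frame the page.
  return true;
}

// Part 3: the scenario in the article, with constructed data. A settings page
// that sends no anti-framing header can be stacked transparently over a decoy;
// the same page with X-Frame-Options: DENY cannot.
function demo() {
  const target = 'https://settings.example';   // constructed origin
  const attacker = 'https://attacker.example'; // constructed origin
  const page = buildClickjackPage({
    targetUrl: `${target}/settings`, decoyLabel: 'Play video',
    offsetX: 240, offsetY: 180, width: 120, height: 32,
  });
  return {
    pageFramesTarget: page.includes(`<iframe src="${target}/settings"`) && page.includes('opacity:0'),
    unprotected: framingAllowed({}, target, attacker),
    hardened: framingAllowed({ 'X-Frame-Options': 'DENY' }, target, attacker),
  };
}

console.log(demo());
```

The decoy button never has to be reachable: opacity 0 hides the frame but leaves it on top in the hit-testing order, so the click goes to the framed page. The header check is deliberately a model, not a browser; use it to reason about which of a site's responses an attacker could frame, then confirm in a real browser.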
Giorgio Maone, the creator of the NoScript Firefox extension, has been keeping an eye on the clickjacking issue, and has been quick to code several specific countermeasures into the new NoScript version. “The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals you the real thing in ‘clear’. At that point you can evaluate if the click target was actually the intended one, and decide if keeping it locked or unlock it for free interaction,” explains Maone on his blog.
Users are advised to apply the workaround described in the Adobe advisory. Other suggestions include performing online banking tasks separately from regular browsing and logging out of sensitive websites before continuing to browse to other pages. Some researchers also suggest using separate browsers for different tasks where possible, with one dedicated only to banking.