‘Click Jacking’ is the latest browser-based security problem to crawl out of the woodwork. Since it’s entirely browser-based it affects everyone, regardless of their OS; not even Linux users are safe from this one! This is a cross-browser problem and also affects Flash. The technical details have not been released yet, but there is a proof-of-concept exploit doing the rounds. The basic idea is very simple: trick people into clicking on something you want them to click on but they don’t want to click on. From what I’ve been able to piece together from reading various blog postings and reports, the attack uses CSS and iFrames to place invisible content over visible buttons or links. When the user clicks the button or link they see, the click gets diverted to whatever is in the invisible layer above it instead. If you can do it by clicking the mouse, then you can be tricked into doing it with Click Jacking.
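
The overlay described above can be checked for mechanically. What follows is an added example, not code from the original post or from the proof of concept: a heuristic that flags iFrames which are effectively invisible, still receive clicks, and sit on top of a visible button or link. The descriptor fields, the opacity threshold and the flat z-index comparison are assumptions; in a browser the values would come from `getBoundingClientRect()` and `getComputedStyle()`.

```javascript
// Added example (not from the original post): flag iframes that are invisible
// yet still receive clicks and sit on top of a visible clickable element.
// Field names, the threshold and the flat z-index comparison are assumptions.
const OPACITY_THRESHOLD = 0.1; // assumed cut-off for "effectively invisible"

// Area of intersection of two rectangles {left, top, width, height}.
function overlapArea(a, b) {
  const w = Math.min(a.left + a.width, b.left + b.width) - Math.max(a.left, b.left);
  const h = Math.min(a.top + a.height, b.top + b.height) - Math.max(a.top, b.top);
  return w > 0 && h > 0 ? w * h : 0;
}

// A transparent frame still receives clicks; one hidden with display:none,
// visibility:hidden or pointer-events:none does not.
function receivesClicks(f) {
  return f.display !== 'none' && f.visibility !== 'hidden' && f.pointerEvents !== 'none';
}

// Returns one finding per (invisible frame, covered clickable) pair.
function findSuspectOverlays(frames, clickables) {
  const findings = [];
  for (const f of frames) {
    if (!receivesClicks(f) || f.opacity >= OPACITY_THRESHOLD) continue;
    for (const c of clickables) {
      const area = overlapArea(f.rect, c.rect);
      if (area > 0 && f.zIndex > c.zIndex) {
        findings.push({ frame: f.src, covers: c.label,
                        coverage: area / (c.rect.width * c.rect.height) });
      }
    }
  }
  return findings;
}

// Constructed sample page: one visible button and three frames.
const shown = { display: 'block', visibility: 'visible', pointerEvents: 'auto' };
const sampleClickables = [
  { label: 'Play', zIndex: 1, rect: { left: 100, top: 200, width: 80, height: 30 } },
];
const sampleFrames = [
  { ...shown, src: 'https://other.example/settings', opacity: 0, zIndex: 10,
    rect: { left: 60, top: 180, width: 300, height: 200 } },  // invisible, over the button
  { ...shown, src: 'https://video.example/embed', opacity: 1, zIndex: 10,
    rect: { left: 0, top: 0, width: 640, height: 360 } },     // visible embed: ignored
  { ...shown, src: 'https://ads.example/slot', opacity: 0, zIndex: 10,
    rect: { left: 500, top: 500, width: 100, height: 100 } }, // invisible, no overlap
];
console.log(findSuspectOverlays(sampleFrames, sampleClickables));
```

Only the first frame is reported: it is fully transparent, still clickable, and covers the whole button. Real stacking order depends on stacking contexts, so the z-index comparison here is a simplification.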

The proof of concept demonstrated how a simple web-based game could be used to turn on the user’s webcam and mic and transmit the sound and video to the attacker without the user ever seeing the Flash warning asking for permission. Their clicks were hijacked to actually approve this action without their knowledge. Messing with Flash behind your back is one thing, but the technique can be used on regular web pages too. Since it’s running in your browser, the attacker has access to anything you’re logged in to. They could hijack your clicks to reprogram your router, mess with your Facebook profile, or interact with your online banking! The only slight silver lining is that attacks are limited to things that can be done by clicking.

When it comes to protecting yourself, the consensus seems to be that the NoScript Firefox plugin can provide near-complete protection if it’s properly configured. The default configuration will provide no protection, and you are unprotected on any sites that you give permission to use iFrames. It’s also very important to note that this is NOT a JavaScript vulnerability. Turning off JavaScript provides no protection at all as the attack doesn’t use JavaScript, just CSS and iFrames. The reason the default NoScript configuration won’t protect you is that it allows iFrames. You need to open the NoScript Options window (you can open it by clicking on the NoScript icon in the status bar at the bottom of your Firefox window), go to the Plugins tab, and check the Forbid <IFRAME> option. You will now be protected on all sites you don’t white-list.

Blocking iFrames in NoScript

Finally, some researchers are advising that you have a separate browser which you will only use for your internet banking. This is a sensible precaution, and is very easy to do on the Mac: just create a Fluid App for your banking website.

There will be Flash updates and browser updates to address Click Jacking too, but they’ll take time to come out, so it seems wise to take immediate action by switching to Firefox with NoScript to protect yourself in the short term.

If you’re interested in reading more about Click Jacking then this Securosis Article is a good place to start.