‘Click Jacking’ is the latest browser-based security problem to crawl out of the woodwork. Since it’s entirely browser based it affects everyone, regardless of their OS; not even Linux users are safe from this one! This is a cross-browser problem and it also affects Flash. The technical details have not been released yet, but there is a proof-of-concept exploit doing the rounds. The basic idea is very simple: trick people into clicking on something you want them to click on but that they would never knowingly click on. From what I’ve been able to piece together from reading various blog postings and reports, the attack uses CSS and iframes to place invisible content over visible buttons or links. When the user clicks the button or link they see, the click is diverted to whatever is in the invisible layer above it instead. If it can be done with a mouse click, then you can be tricked into doing it with Click Jacking.
The proof of concept demonstrated how a simple web-based game could be used to turn on the user’s webcam and mic and transmit the sound and video to the attacker without the user ever seeing the Flash warning asking for permission. Their clicks were hijacked to actually approve this action without their knowledge. Messing with Flash behind your back is one thing, but the technique can be used on regular web pages too. Since it’s running in your browser, the attacker has access to anything you’re logged in to. They could hijack your clicks to reprogram your router, mess with your Facebook profile, or interact with your online banking! The only slight silver lining is that attacks are limited to things that can be done by clicking.
In the NoScript Options window (you can open it by clicking on the NoScript icon in the status bar at the bottom of your Firefox window), go to the Plugins tab, and check the Forbid <IFRAME> option. You will now be protected on all sites you don’t white-list.
Finally, some researchers are advising that you have a separate browser which you will only use for your internet banking. This is a sensible precaution, and it is very easy to do on the Mac: just create a Fluid App for your banking website.
There will be Flash updates and browser updates to address Click Jacking too, but they’ll take time to come out, so it seems wise to take immediate action by switching to Firefox with NoScript to protect yourself in the short-term.
If you’re interested in reading more about Click Jacking then this Securosis article is a good place to start.