Comments on: Clickjacking and Flash

By: arborday

arborday — Wed, 10 Dec 2008 01:08:51 +0000

GuardedID Toolbar for IE and Firefox says it provides clickjack protection. Can you try it out and let us know if it works? Test GuardedID Version 2

By: More Advanced Clickjacking - UI Redress Attacks | GNUCITIZEN

More Advanced Clickjacking - UI Redress Attacks | GNUCITIZEN — Wed, 08 Oct 2008 18:08:34 +0000

[...] 2008 This will be a quick post just to share some POCs and more information regarding the recent Clickjacking technique, i.e. UI Redress Attack, a name suggested by Michael [...]

By: pdp

pdp — Wed, 08 Oct 2008 07:36:46 +0000

what can I say, I appreciate Georgio’s work a lot but the simple fact is that NoScript can be really annoying sometimes (most of the time). Putting warnings everywhere is not the solution. I don’t know what is the solution. I am glad though, that we have some solution thanks to NoScript. Clickjacking is also possible on the desktop as well. Clickjacking is certainly not a Web-related only problem. However, I do not see Desktop GUI developers implementing warnings everywhere.

By: mindcorrosive

mindcorrosive — Wed, 08 Oct 2008 05:45:01 +0000

It seems that something’s being done to address clickjacking - NoScript’s new version (1.8.2.1) sports some form of protection in this regard:

http://hackademix.net/2008/10/.....ckjacking/

I’m not sure whether this will help against Flash clickjacking, but it certainly detected overlaid elements on a web-page and displayed a warning.

By: Details of Clickjacking Attack Revealed With Online Spying Demo - Desktop Security News Analysis - Dark Reading

Tue, 07 Oct 2008 21:52:21 +0000

[...] term got the media’s attention,? says Petko ?PDP? Petkov of GNUCitizen, who earlier this week had blogged on how clickjacking is a sort of graphical user interface attack. ?From what I can hear, other [...]

By: ronald

ronald — Mon, 06 Oct 2008 19:49:14 +0000

@arshan

it is a quite strange observation by many in the hacker & security field, when people think that it must be about complexity and intellectuality. This is opposite in finding truth or even science, where the smallest theory is the most elegant generally. Whoever finds the smallest theory is usually the winner, not in hacking and security. it has to be complex that no-one understands it anymore, and you do. It’s only showing inner uncertainty, instead of the confidece to talk about XSS all and and seeing it as a risk. The moment you do that you are labeled a scriptkid. Well, I always said: be affraid of the scriptkid, he will own you one day when you are far too busy with your intellectual rolegames.

This is no critique, it’s my personal observation and conclusion about the fact that no one other than uncertainty will make you proof to the world you are not uncertain, which again proves de facto uncertainly.

@petko

Yeah, I think the whole notion of being the baddest and one with the most bling is ridiculous. This doesn’t mean I like a healthy competion of course. But there is a thin line to walk in my opinion. A lot of bugs are being found by those in search for recognition, so in one way it’s good that not many people realize it. Secondly I don’t think that doing some partion magic on the TCP/IP stack is any more dangerous than clickjacking, I don’t really subscribe to classifications of vulnerabilities anymore, their is either a threath or there is a good sense of security.

By: pdp

pdp — Mon, 06 Oct 2008 16:43:24 +0000

indeed, the future looks very gloomy :)

rvdh, being the baddest hacker is not enough. I know that you are the lone wolf but enter my world of massive collaboration. this is the future! well, at least according to me.

By: arshan

arshan — Mon, 06 Oct 2008 15:55:41 +0000

Ronald, you are right and I think that’s what we both meant (about using Clickjacking to trick the user into clicking ‘Allow’ in the Flash security dialog).

By: arshan

arshan — Mon, 06 Oct 2008 14:32:48 +0000

Therefore, today attackers can trick the user to allow the microphone to survey the sound in the room where the victim’s equipment is located.

This is the vector I came up with right away after understanding the whole Clickjacking idea, and I resisted the urge to 0day Adobe on stage in NYC - it was tough, especially with the whole crowd salivating for vectors.

There are worse vectors though, even within Flash. This is a real creative challenge to those willing to spend the time researching.

The future is scary- just check out HTML5, google, and check out some of the streaming options our browsers are looking into implementing.

By: rvdh

rvdh — Mon, 06 Oct 2008 11:04:32 +0000

It’s probably more like enabling the cam and mic access through flash. Ever seen that little popup when clicking on flash? That’s another thing you can do. besides clicking on buttons and stuff. mere guess of course, and some also e-mailed me about this as an attack vector.

But I’m not sure, we’ll have to wait for the stuff to roll right I guess. I’m a bit agitated by semi-disclosure right now, the media twist things out of perspective lately without doing research an taking stuff on face value. Even when I speak about something, I always ask them nicely to NOT address me as security researcher since I have no authority to claim such, other than being a semi-bored blogger that likes to go an the bend once in a while, but they don’t seem to care, it sells more ads for them :)

Not sure what is happening lately, all strange things happening all over the place, old TCP attacks, weird click attacks, old purged DNS attacks dis-covered, BGP attacks, haha! no disrespect but it’s just a crazy observation where you are pretty much spot on when you said that it’s not about being the baddest hacker.

I would love to tell bad-ass stories, but I know I can’t because people know my name. Crazy I know, funny: hell yeah.