Finally NoScript 1.8.2.1 is out, featuring the announced new anti-clickjacking countermeasures, enabled by default and independent of the IFRAME and plugin content blocking settings.

The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element (a frame or a plugin object) which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals the real thing to you “in clear”. At that point you can evaluate whether the click target was actually the one you intended, and decide whether to keep it locked or unlock it for free interaction. This comes in quite handy now that more dangerous uses of clickjacking are being disclosed, such as enabling your microphone or your webcam behind your back to spy on you through the interwebs.
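To make the idea concrete, here is an added example that models the ClearClick comparison in plain JavaScript; it is not NoScript's code. ClearClick, as described in this post and in the discussion below, captures the area around the click as the user actually sees it (overlays and opacity included) and again with the embedded element rendered on its own, and holds the click if the two differ. The pixel buffers, the colours, the 5% threshold and the scenario names are all constructed for the example; a real implementation captures both images from the rendering engine (the unconventional <canvas> usage mentioned at the end of this post) rather than building them by hand.

```javascript
// Added example (not NoScript's code): a simplified model of the ClearClick
// check. Two "screenshots" of the click area are compared: what the user saw
// in the top document, and the embedded element rendered alone. If they
// differ beyond a small tolerance, the element was obstructed or disguised
// and the interaction is locked. The images here are constructed RGBA
// buffers, not real <canvas> captures.

// Build an RGBA buffer of w*h pixels filled with a single colour.
function solid(w, h, [r, g, b, a = 255]) {
  const data = new Uint8ClampedArray(w * h * 4);
  for (let i = 0; i < data.length; i += 4) data.set([r, g, b, a], i);
  return { w, h, data };
}

// Paint a rectangle into a buffer in place (used to construct scenarios).
function fillRect(img, x0, y0, w, h, [r, g, b, a = 255]) {
  for (let y = y0; y < y0 + h; y++) {
    for (let x = x0; x < x0 + w; x++) {
      img.data.set([r, g, b, a], (y * img.w + x) * 4);
    }
  }
  return img;
}

// Fraction of pixels whose colour differs by more than `tol` in any channel.
// The per-channel tolerance absorbs anti-aliasing and colour-depth noise.
function pixelDiffRatio(a, b, tol = 8) {
  if (a.w !== b.w || a.h !== b.h) throw new Error("size mismatch");
  const n = a.w * a.h;
  let differing = 0;
  for (let p = 0; p < n; p++) {
    const i = p * 4;
    for (let c = 0; c < 4; c++) {
      if (Math.abs(a.data[i + c] - b.data[i + c]) > tol) { differing++; break; }
    }
  }
  return differing / n;
}

// The ClearClick-style verdict: a small mismatch (a one-pixel border, a
// rendering glitch) is tolerated; anything above `threshold` locks the click.
// The 5% threshold is an assumption made for this example.
function clearClickVerdict(seenByUser, renderedAlone, threshold = 0.05) {
  const ratio = pixelDiffRatio(seenByUser, renderedAlone);
  return { ratio, obstructed: ratio > threshold };
}

// --- constructed scenarios (40x25 pixel click areas) ---
const W = 40, H = 25;
const BUTTON = [0, 160, 0];    // the real, framed green button
const DECOY = [230, 120, 0];   // the attacker's orange decoy painted on top

// 1. Honest embedding: the element looks the same alone and in the page.
function honestCase() {
  return clearClickVerdict(solid(W, H, BUTTON), solid(W, H, BUTTON));
}

// 2. Clickjacking: the user sees the decoy, but the element that would
//    receive the click is the framed button hidden underneath it.
function clickjackedCase() {
  const seen = fillRect(solid(W, H, BUTTON), 0, 0, W, H, DECOY);
  return clearClickVerdict(seen, solid(W, H, BUTTON));
}

// 3. Partial obstruction: only the left half is covered by the decoy.
function partialOverlayCase() {
  const seen = fillRect(solid(W, H, BUTTON), 0, 0, W / 2, H, DECOY);
  return clearClickVerdict(seen, solid(W, H, BUTTON));
}

// 4. Rendering glitch: a single one-pixel line differs, which stays under
//    the threshold and is not reported as an attack.
function glitchCase() {
  const seen = fillRect(solid(W, H, BUTTON), 0, 0, W, 1, [0, 0, 0]);
  return clearClickVerdict(seen, solid(W, H, BUTTON));
}
```

The threshold is the usability knob: too tight and every anti-aliasing difference becomes a warning (the sort of false positive reported in the comments for reCAPTCHA), too loose and an attacker can hide a small but decisive control under an otherwise faithful rendering. Whatever the threshold, the user still gets both images and can judge the difference for themselves.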

As you already know if you read my first clickjacking article, an old and benign clickjacking example is NoScript’s “Install Now” orange button, which overlays the green one on addons.mozilla.org to work around the installation security warning. If you click it with ClearClick enabled, you now get warned that something sneaky is going on.

ClearClick Warning on NoScript's install button

I do not need to change my button yet, because NoScript 1.8.2.1 ships with ClearClick enabled only on untrusted (non-whitelisted) parent pages, while the whitelist status of the embedded content is irrelevant. This gives a good balance between effectiveness and usability, since in a clickjacking attack the attacker is always the parent (the page doing the framing), never the framed page. If you want to get the warning on noscript.net and on the other sites you trust, you need to check the second checkbox in NoScript Options|Plugins|ClearClick protection on pages… [x] untrusted [x] trusted. I recommend checking it anyway and reporting any usability issue, because so far this feature seems quiet and unobtrusive enough to justify my temptation to enable it everywhere (trusted + untrusted) by default in the next stable release, but it must get a lot of testing from you first.

Update

NoScript 1.8.4 and above ship with ClearClick enabled on both untrusted and trusted sites. It works everywhere, even if you’ve got scripts globally allowed. And yes, at that point I had to change the noscript.net install button, therefore if you want a PoC you need to look elsewhere.

Other clickjacking-related features included in this release are:

  1. Opaque embedded objects: plugin content and frames are forcibly made opaque and get styled with “overflow: auto” (i.e. they get scrollbars if their inner size exceeds their viewport) on untrusted pages, so a frame cannot be hidden through transparency, and one whose content has been cropped down to a single button shows scrollbars instead of silently hiding its real size.
  2. Frame Break Emulation: if a framed page which is not allowed to run JavaScript contains a “frame busting” script similar to
    <script>if (top != self) top.location = location</script>

    the intention of the page author is honored by NoScript, i.e. the page replaces the topmost document. Without this emulation, blocking JavaScript on the framed page would also disable the page’s own defense against being framed. You can control this feature by toggling the noscript.emulateFrameBreak about:config preference.

  3. Some usability and effectiveness improvements in frame management, making the Forbid IFRAMEs option more suitable for general usage.
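Added example, not NoScript's code: a small JavaScript model of the frame break emulation described in item 2. It scans the framed document's inline scripts for the common frame-busting idioms and, when the page is not allowed to run scripts, applies the author's evident intent by reporting that the top window should navigate to the framed page's own URL. The regular expressions, the sample login page and its URL are assumptions made for the example; NoScript's own detection logic is not reproduced here.

```javascript
// Added example (not NoScript's code): a minimal model of "frame break
// emulation". When the framed document is not allowed to run scripts, its
// inline scripts are scanned for classic frame-busting idioms; if one is
// found, the emulation does what the script would have done: navigate the
// top-level window to the framed page's own URL.

// Common frame-busting idioms (an assumed list for this example, not
// NoScript's actual regular expression). Each one compares the current
// window with top or parent.
const BUSTER_PATTERNS = [
  /\b(?:window\.)?top\s*!==?\s*(?:window\.)?self\b/,
  /\b(?:window\.)?self\s*!==?\s*(?:window\.)?top\b/,
  /\b(?:window\.)?top\.location\s*!==?\s*(?:window\.|self\.|document\.)?location\b/,
  /\b(?:window\.)?parent\.frames\.length\s*>\s*0\b/,
  /\b(?:window\.)?parent\s*!==?\s*(?:window\.)?self\b/,
];

// The script must also actually redirect the top window; a bare comparison
// (e.g. for analytics) is not a frame buster. The (?!=) excludes "==".
const REDIRECT =
  /\b(?:top|parent)\.location(?:\.href)?\s*=(?!=)|\b(?:top|parent)\.location\.replace\s*\(/;

function looksLikeFrameBuster(scriptSource) {
  return BUSTER_PATTERNS.some((re) => re.test(scriptSource)) && REDIRECT.test(scriptSource);
}

// Pull the bodies of inline <script> elements out of an HTML string.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Decide what loading a framed document should do.
//   frame:   { url, html, scriptsAllowed }
//   emulate: the equivalent of the noscript.emulateFrameBreak preference
// Returns { action, navigateTopTo } where action is one of
//   "run-script" (scripts allowed, the page defends itself),
//   "bust"       (scripts blocked, the buster is emulated), or
//   "framed"     (the page stays inside the frame).
function frameLoadVerdict(frame, emulate = true) {
  const hasBuster = inlineScripts(frame.html).some(looksLikeFrameBuster);
  if (frame.scriptsAllowed) {
    return hasBuster
      ? { action: "run-script", navigateTopTo: frame.url }
      : { action: "framed", navigateTopTo: null };
  }
  if (emulate && hasBuster) return { action: "bust", navigateTopTo: frame.url };
  return { action: "framed", navigateTopTo: null };
}

// Constructed sample: a login page that busts frames, embedded by an
// attacker who is counting on the victim's scripts being blocked.
const VICTIM = {
  url: "https://bank.example/login", // assumed URL
  html: `<html><head>
<script>if (top != self) top.location = location</script>
</head><body><form action="/login" method="post">...</form></body></html>`,
  scriptsAllowed: false,
};

function demo() {
  return {
    emulated: frameLoadVerdict(VICTIM),          // { action: "bust", ... }
    emulationOff: frameLoadVerdict(VICTIM, false), // { action: "framed", ... }
    scriptsOn: frameLoadVerdict({ ...VICTIM, scriptsAllowed: true }), // "run-script"
  };
}
```

The interesting case is the first one: an attacker who frames a page relying on a frame-busting script gains nothing from the victim's scripts being blocked, because the emulation restores the effect of the very script the attacker was counting on being disabled. Source matching is a heuristic, though: a page that busts frames through a construction the patterns do not know is not recognized, while a page that merely compares top and self without navigating is correctly left alone.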

I hope to find some time during this week to write another post diving into the technical details behind my ClearClick implementation: a fairy tale about a very simple and hopeful idea (unconventional <canvas> usage) fighting against an army of quirks and mundane details. In the meantime, many thanks to Sirdarckcat, RSnake, Michal Zalewski and Matt Mastracci for discussion, testing and inspiration.

79 Responses to “Hello ClearClick, Goodbye Clickjacking!”

  1. #1 hackademix.net » Clickjacking and NoScript says:

    […] If you did not yet, you should upgrade to NoScript 1.8.2.1 or above, for the reasons explained here. […]

  2. #2 hackademix.net » Clickjacking Protection by Default says:

    […] and Other Browsers (IE, Safari, Chrome, Opera) Hello ClearClick, Goodbye Clickjacking! 02 10 […]

  3. #3 Nick says:

    s/beetween/between/ in the dialog.

  4. #4 Zero Day mobile edition says:

    […] And since prevention is better than the cure — at least in the short term — the just released NoScript v1.8.2.1 aims to prove exactly the same with its ClearClick feature : "The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, […]

  5. #5 Hello ClearClick, Goodbye Clickjacking! | 鬼仔's Blog says:

    […] Hello ClearClick, Goodbye Clickjacking! 2008/10/08 13:53 | 鬼仔 | Miscellaneous | Grabbing a seat first. Source: hackademix.net […]

  6. #6 Giorgio says:

    @Nick:
    thanks, it’s not the only typo in this release. Translators notified some more, they are all fixed in current trunk.

  7. #7 Clickjacking here’s how it works | Ugh!!'s Greymatter Honeypot says:

    […] isn’t that high at the moment. Vendors have started recognising the threat and coming up with solutions for dealing with it. Adobe has come up with a workaround and NoScript has released ClearClick to […]

  8. #8 buzz says:

    hackademix.net » Hello ClearClick, Goodbye Clickjacking!

    Finally NoScript 1.8.2.1 is out, featuring the announced new anti-clickjacking countermeasures enabled by default, independent from IFRAME and plugin content blocking settings.

  9. #9 An_User says:

    I just want to thank you very much for creating NoScript.
    It’s the only add-on I installed in Firefox, and it’s probably in my top 5 of free software I’m using. Thank you!

  10. #10 Sebastian says:

    Hi,

    I noticed a problem with clearclick enabled for trusted sites.

    The map on the left side of

    http://www.call-a-pizza.de/bestellen/deutschland

    is no longer clickable with ClearClick enabled for trusted sites (the site is temp. trusted by me)

  11. #11 Firefox Extension Blocks Dangerous Web Attack | WinSoftNews says:

    […] new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning […]

  12. #12 Hit the button, Jack! « partikelfernsteuerung says:

    […] the NoScript extension manages it once again, detecting such attacks in its latest version (hopefully the German translation of the new version will also be available later today […]

  13. #13 Corrine says:

    Thank you from an MVP who prefers Firefox with NoScript. ;)

  14. #14 Quote Of Movie “Hail The Conquering Hero” Made In 1944: Sgt. Heppelfinger:[To Woodrow] Give Me Six Of… | Asia Reisinger says:

    […] Hello ClearClick, Goodbye Clickjacking! […]

  15. #15 Network Security Blog » NoScript protects from ClickJacking says:

    […] only a stop-gap measure and only addresses a small part of the issue.  NoScript in Firefox offers protection from clickjacking along with a host of other script-related issues.  If you’re a security professional and […]

  16. #16 The WHATWG Blog » Blog Archive » This Week in HTML 5 - Episode 8 says:

    […] spys on you (via your webcam) without the usual warning dialogs; here’s Adobe’s response. NoScript now offers enhanced protection against some clickjacking attack […]

  17. #17 Protect yourself from ClickJacking in the Adobe Flash player | Incubaweb says:

    […] Via | Hackademix […]

  18. #18 Firefox extension blocks dangerous Web attack « Randa On The Web says:

    […] new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning […]

  19. #19 John Drinkwater says:

    NoScript is awesomely useful as ever, but I’ve found a case where ClearClick gets in the way of normal use: Gmane! (yes, I have toggled on apply to trusted sites)

    Try putting the focus in the message pane to scroll, ClearClick alerts you.
    http://thread.gmane.org/gmane.comp.php.devel/47609

  20. #20 Firefox extension blocks dangerous Web attack | InfoWorld | News | 2008-10-08 | By Jeremy Kirk, IDG News Service says:

    […] new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning […]

  21. #21 Tuneup Talk » Blog Archive » Fight Clickjacking! says:

    […] because it’s subtle and, until recently, undetectable by most users. The attack is known as Clickjacking, and it involves legitimate web pages that have been hacked to include hidden links leading to […]

  22. #22 Firefox extension blocks dangerous Web attack | CHARGED's 24/7 News Aggregator says:

    […] new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning […]

  23. #23 Firefox Extension Blocks Dangerous Web Attack | Zach Browne Corporation says:

    […] new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning […]

  24. #24 NoScript and click theft | ITLeader says:

    […] An article about clickjacking on hackademix.net […]

  25. #25 FuzzLinks.com » Fixes Released (and More Promised) For “Clickjacking” Exploits says:

    […] Maone, creator of the popular NoScript extension for Firefox and other Gecko-based browsers, released version 1.8.2.1 of NoScript, which adds ‘ClearClick,’ a feature that intercepts clicks made on […]

  26. #26 Lorenzo says:

    I notice that the default setting for NoScript’s ClearClick feature only activates it for untrusted sites. Since I’ve had my own site hacked by Chinese hackers who put iframes on it, I think it might be best to also activate it for trusted sites, which is an option.

  27. #27 fearu says:

    There’s an incompatibility between ClearClick and NewsFox (as of version 1.0.3.1, with NoScript up to date). It detects a click on a website inside the feed reader as clickjacking. I didn’t know where to put bug reports, so here it is.

  28. #28 Ken_g6 says:

    I just installed 1.8.2.2, and decided to test it on the example you gave. If I click on the left side of the button, it shows just the download count, and white space if I toggle it. If I click on the right side of the button, it shows a wide area including the download count and the left side of the green download button, and just the left side of your button if I toggle it.

    I’m on XPSP2 with Win2K-style windows; don’t know if that has any bearing on the issue.

    I also notice that ReCaptcha gives me several clickjacking warnings when I click on it. And I had to copy text to a textbox to use it.

  29. #29 Chuck Linart says:

    Thanks for this!

  30. #30 David Smith says:

    So what exactly does the "Keep this element locked" option do? The NoScript FAQ page and this completely fail to describe that option. For the record, I have NoScript applying its rules to trusted sites as well as untrusted ones, and I got this warning while trying to create a new tab (Ctrl-T) while using the Brief rss reader plugin.

    In addition, the reCAPTCHA block in the reply submission form gets blocked with my default NoScript settings. Manually loading it gives some message about a JavaScript-free version. Clicking on that panel generates a clickjacking warning.

  31. #31 Giorgio says:

    @David Smith et al:
    “Keep this element locked” does what it says, i.e. prevents free interaction with the element whose sight is “unclear”. If you uncheck that option, you can interact freely with that element.

    Some false positives triggered by extensions which, like Brief, mix chrome and content in frames have already been fixed in the latest versions.

    I’m currently analyzing the ReCaptcha issue, which seems caused by a rendering glitch (the images differ by the thickness of a couple of lines only). The good thing about ClearClick, BTW, is that you can actually compare the top and the bottom of your click area by yourself (clicking on the image shown in the dialog) and decide if it’s a false positive or something you should be scared of, with no need for specific technical knowledge.

  32. #32 txjeansguy says:

    Very impressive.

  33. #33 Ajaxian » This Week in HTML 5: Web Forms 2, Search, and more says:

    […] on you (via your webcam) without the usual warning dialogs; here’s Adobe’s response. NoScript now offers enhanced protection against some clickjacking attack […]

  34. #34 Ajax Girl » Blog Archive » This Week in HTML 5: Web Forms 2, Search, and more says:

    […] on you (via your webcam) without the usual warning dialogs; here’s Adobe’s response. NoScript now offers enhanced protection against some clickjacking attack […]

  35. #35 Protect yourself from Flash Player’s clickjacking vulnerability | Unit1's Blog says:

    […] [via Hackademix] […]

  36. #36 g says:

    Hi, thx, clearClick triggered lots of warnings using Evernote, but seems to work ok now, thx!
    =)

  37. #37 Javascript News » Blog Archive » This Week in HTML 5: Web Forms 2, Search, and more says:

    […] on you (via your webcam) without the usual warning dialogs; here’s Adobe’s response. NoScript now offers enhanced protection against some clickjacking attack […]

  38. #38 舞台很大 独有我表演 » Content index » Hello ClearClick, Goodbye Clickjacking! - 舞台很大 独有我表演 says:

    […] Source: hackademix.net […]

  39. #39 ossblog says:

    Firefox users safe from clickjacking thanks to NoScript

    The Internet is a treacherous place, and with the wrong tools (did someone say Internet Explorer 6?) it risks turning into a real hell. Fortunately, users of the major operating systems can count on Firefox and above all on ex…

  40. #40 wild bill says:

    Giorgio:

    the current version 1.8.2.8 slightly degrades the acid3 test score, why?

    I am using the Firefox 3.1 beta version available here: http://tinyurl.com/4rz2fn (win32 installer) that normally scores a 97 on acid3 with NoScript disabled or using earlier NoScript versions from a week or so ago.

  41. #41 Clickjacking « KHERGE says:

    […] Here’s an excerpt from NoScript.net’s FAQ page: Default protections provided by NoScript, i.e. JavaScript and plugin blocking can prevent most clickjacking attacks. To be 100% protected against clickjacking, though, you should enable also Forbid <IFRAME> and possibly Apply these restrictions to trusted sites as well. While some users are comfortable with these ultra-hardened settings, they can get cumbersome for others. Fortunately, since version 1.8.2 NoScript provides a new default kind of protection called ClearClick, which defeats clickjacking no matter if you block frames or not. […]

  42. #42 The NoScript plugin for Firefox protects against clickjacking | lorteau.(net|fr) says:

    […] Source: NoScript changelog. Screenshot credit: hackademix.net. […]

  43. #43 Tarmeez … ترميز » Blog archive » Security hole in the Flash player says:

    […] on Firefox, in its latest release 1.8.2.1, solves the problem with the ClearClick method, which simply consists of showing all the hidden objects present in […]

  44. #44 NoScript, the extension for Mozilla Firefox, protects against ‘clickjacking’ « O Vigia says:

    […] Fight CLICKJACKING Now! […]

  45. #45 wild bill says:

    acid3 problem is FIXED on version 1.8.3 woohoo!

    thanks, man

    you’re the best!

  46. #46 ClickJacking says:

    […] without you knowing (or a whole lot more likely clicking ads you didn’t want to!) ClearClick was said to kill clickjacking but sources say this isn’t the case. This entry was posted in Java […]

  47. #47 Nessus says:

    Great extension. I have only one complaint.
    Stop updating every day. It is annoying!!!
    Gather all fixes and/or features and do it every 15-30 days.

    Gee, man…!!!
    Every day that I open my browser NoScript is asking to update.

  48. #48 NoScript protects from ClickJacking | Telecom News says:

    […] only a stop-gap measure and only addresses a small part of the issue.  NoScript in Firefox offers protection from clickjacking along with a host of other script-related issues.  If you’re a security professional and […]

  49. #49 arimfe says:

    #47 Nessus
    Each update is an improvement. And when it comes to security, I’m grateful for these numerous AND FAST improvements. The more the better.

  50. #50 Murphious says:

    I have used No-Script since Firefox, and love it…great to see improvement in an already excellent product.

  51. #51 sirdarckcat says:

    Video of presentation of ClickJacking at Owasp:
    http://video.google.com/videoplay?docid=-5747622209791380934&hl=en

    Whitepaper about clickjacking:
    http://www.sectheory.com/clickjacking.htm

    Techniques on how to make effective clickjacking attacks:
    http://sirdarckcat.blogspot.com/2008/10/about-css-attacks.html

    Greetz!!

  52. #52 hackademix.net » More Clickjacking says:

    […] protection, if you’re a Firefox/NoScript user you should already know about ClearClick. If you’re not, I feel a bit sorry for […]

  53. #53 Protect yourself from Flash Player’s clickjacking vulnerability - Technology Info says:

    […] [via Hackademix] […]

  54. #54 Protect yourself from Flash Player’s clickjacking vulnerability - The Blog says:

    […] [via Hackademix] […]

  55. #55 dai says:

    Yes, I just got that update!

    loved it and blogged it!!!

    http://ajabgajab.blogspot.com/2008/11/smarter-no-script-goodbye-clickjacking.html

  56. #56 Packets of Consciousness » Clearjacking: So How Fun is This, Now? says:

    […] man, come on, how great is Clearjacking? Finally NoScript 1.8.2.1 is out, featuring the announced new anti-clickjacking countermeasures […]

  57. #57 Firefox extension blocks dangerous Web attack | Semantic Web Reviews says:

    […] new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning […]

  58. #58 Safe Firefox says:

    Thanks. NoScript is a wonderful addon.

  59. #59 André Engels says:

    Could I get some more explanation of what is actually going on? I sometimes get clickjacking warnings on a site I often visit. Where can I get more information on what is going on and what the hijacked link is, so that I can make the decision whether to allow or not based on facts rather than on my hunch that the site is bona fide or that if NoScript says it’s bad, it probably is.

  60. #60 Giorgio says:

    @André Engels:
    The simplest thing you can do is to compare the two images taken by NoScript (the obstructed one and the “revealed” one) by clicking on the green-bordered box on the warning.
    If that seems a false positive, please try to install the latest development build, and if the problem persists let me know where it happens.

  61. #61 NoScript ClearClick Warning For Wordpress.com Stats | Serial Box Crime says:

    […] have recently run into a problem which relates to a ClearClick Clickjack attempt warning when using Wordpress.com Stats with Wordpress 2.6.5 and I’ve been unable to find a […]

  62. #62 dan says:

    @Giorgio

    Thanks for the comment on my recent post about a possible false positive. I’ve posted the information to the forum with the screenshots. Please let me know if you need any other information.

  63. #63 kornykyano says:

    help…

    possible false positive???

    http://i38.tinypic.com/29kvyog.png

  64. #64 Read - Before you Click! | Th0R's Blog says:

    […] the considered #1 hack of 2008; named Clickjacking. It is said that in order to avoid Clickjacking, Firefox browser complete with its latest version of NoScript plugin is the only solution. Because in fact, Internet Explorer, the scapegoat of all browsers proven to provide more security […]

  65. #65 Friendster’s New Hobby: Downgrading Security! | Th0R's Blog says:

    […] - how sweet our internet nowadays! My suggestion, stop socializing! LoL (Just kidding). Just use NoScript it promise you the nearest-complete solution of browsing […]

  66. #66 hackademix.net » Introducing ABE says:

    […] XSS attacks; ClearClick, the only specific browser countermeasure currently available against ClickJacking/UI redressing attacks, and many other security enhancements, including a limited form of protection against […]

  67. #67 Jack says:

    Thanks to NoScript it blocked clickjacking attempts from maps.google.com.
    It also blocked XSS attacks.

  68. #68 Paranoia says:

    […] Hackademix […]

  69. #69 Heavy99 says:

    whats going on? it’s blocked

  70. #70 Foetus says:

    What kind of douchey word is "interwebs"?

  71. #71 Firefox Extension Blocks Dangerous Web Attack « gadgetcage says:

    […] new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning […]

  72. #72 Dipl.-Inform. Carsten Eilers says:

    Clickjacking - Frame busters or HTTP headers prevent attacks

    You learned in the first two installments how clickjacking works in general and what possibilities it offers an attacker. Now we turn to the options for preventing or fending off a clickjacking attack.

  73. #73 hackademix.net » X-Frame-Options (Finally) on (Vanilla) Firefox says:

    […] year and half, now). Mostly as a point of pride, actually, than out of a true necessity, since the existent NoScript’s ClearClick module already provided a more complete and effective protection against all kinds of Clickjacking […]

  74. #74 What Clickjacking (“click hijacking”) is and its effect on users – on Facebook too | Technology and information security from another angle says:

    […] detect Clickjacking attacks with a technology they call ClearClick, and warn the user the moment they try to click on a dangerous spot. […]

  75. #75 What Clickjacking (“click hijacking”) is and its effect on users – on Facebook too | LawTech says:

    […] detect Clickjacking attacks with a technology they call ClearClick, and warn the user the moment they try to click on a dangerous spot. […]

  76. #76 What is “click hijacking” (Clickjacking) on Facebook and how does it affect you | Newsgeek says:

    […] detect Clickjacking attacks with a technology they call ClearClick, and warn the user the moment they try to click on a dangerous spot. […]

  77. #77 Block firefox site web says:

    […] Hackademix.net » Hello ClearClick, Goodbye Clickjacking! Oct 8, 2008. #11 Firefox Extension Blocks Dangerous Web Attack | WinSoftNews says:. Since I’ve had my own site hacked by Chineese hackers who put Hackademix.net » Hello ClearClick, Goodbye Clickjacking! […]

  78. #78 Asian ade | Trelittle says:

    […] hackademix.net » Hello ClearClick, Goodbye Clickjacking!Finally NoScript 1.8.2.1 is out, featuring the announced new anti-clickjacking countermeasures enabled by default, independent from IFRAME and plugin content blocking settings. … The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, … I do not need to change my button yet, […]

  79. #79 How to protect yourself from clickjacking | Daves Computer Tips says:

    […] it and No Script will let the features work. The latest version of NoScript has a feature called ClearClick that you can read about here. I don’t surf without it, and you shouldn’t […]
