Archive for February 12th, 2011

As you probably know, ClearClick is the only effective client-side protection against Clickjacking (AKA UI Redressing).

A couple of weeks ago, Atul Agarwal of Secfence privately reported me a ClearClick bypass based on tracking user’s mouse movements and dynamically putting an extremely small click target just under his pointer. Even though it required the attacker’s page to be whitelisted and run JavaScript, I deemed this bug deserved to be fixed ASAP because ClearClick, like most web application security countermeasures offered by NoScript (e.g. anti-XSS, ABE or HTTPS enforcement) is guaranteed to work independently from script permissions, i.e. even if you allow scripts globally. Atul kindly accepted to coordinate the disclosure, so I immediately released the 2.0.9.7rc1 development build with the bug fix, and all the user base was automatically updated with the stable 2.0.9.7 release about one week later.

BTW, looks like Sophos likes ClearClick and dirty female teachers very much :)

NoScript is (again) finalist for Best Security/Privacy Add-On at About.com, show it your love here (you’ll need to temporarily allow about.com).

Thank you!

Bad Behavior has blocked 7476 access attempts in the last 7 days.