Hello ClearClick, Goodbye Clickjacking!
Posted by: Giorgio in Clickjacking, Flash, Mozilla, Security, NoScriptFinally NoScript 1.8.2.1 is out, featuring the announced new anti-clickjacking countermeasures enabled by default, independent from IFRAME and plugin content blocking settings.
The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals you the real thing in "clear". At that point you can evaluate if the click target was actually the intended one, and decide if keeping it locked or unlock it for free interaction. This comes quite handy now that more dangerous usages of clickjacking are being disclosed, such as enabling your microphone or your webcam behind your back to spy you through the interwebs.
As you already know if you read my first clickjacking article, an old and benign clickjacking example is NoScript's "Install Now" orange button, which overlays the green one on addons.mozilla.org to work-around the installation security warning. If you click it with ClearClick enabled, now you get warned about something sneaky going on.

I do not need to change my button yet, because NoScript 1.8.2.1 ships with ClearClick enabled on untrusted (non whitelisted) parent pages only, while the whitelist status of the embedding is irrelevant. This gives a good balance between effectiveness and usability, since the attacker in a clickjacking attack is always the parent. If you want to get the warning on noscript.net and on the other sites you trust, you need to flag the second checkbox on NoScript Options|Plugins|ClearClick protection on pages... [x] untrusted [x] trusted. I recommend to flag it anyway and report any usability issue, because this feature so far seems quiet and unobtrusive enough to justify my temptation of enabling everywhere (trusted + untrusted) by default on next stable release, but it must get a lot of testing from you first.
Update
NoScript 1.8.4 and above ship with ClearClick enabled on both untrusted and trusted sites. It works everywhere, even if you've got scripts globally allowed. And yes, at that point I had to change noscript.net install button, therefore if you want a PoC you need to look elsewhere.
Other clickjacking-related features included in this release are:
- Opaque embedded objects: plugin content and frames are forcibly made opaque and get styled with "overflow: auto" (i.e. get scrollbars if their inner size exceed their viewport) on untrusted pages.
- Frame Break Emulation: if a framed page which is not allowed to run JavaScript contains a "frame busting" script similar to
<script>if (top != self) top.location = location</script>
, the intention of the page author is honored by NoScript, i.e. the page replaces the topmost document. You can control this feature toggling the noscript.emulateFrameBreak about:config preference.
- Some usability and effectiveness improvements in frame management, making the Forbid IFRAMEs option more suitable for general usage.
I hope to find some time during this week to write another post, diving through the technical details behind my ClearClick implementation: a fairy tale about a very simple and hopeful idea (unconventional <canvas> usage) fighting against an army of quirks and mundane details. In the meanwhile, many thanks to Sirdarckcat, RSnake, Michal Zalewski and Matt Mastracci for discussion, testing and inspiration.
October 8th, 2008 at 1:01 am
[...] If you did not yet, you should upgrade to NoScript 1.8.2.1 or above, for the reasons explained here. [...]
October 8th, 2008 at 1:02 am
[...] and Other Browsers (IE, Safari, Chrome, Opera) Hello ClearClick, Goodbye Clickjacking! 02 10 [...]
October 8th, 2008 at 3:22 am
s/beetween/between/ in the dialog.
October 8th, 2008 at 4:16 am
[...] And since prevention is better than the cure -- at least in the short term -- the just released NoScript v1.8.2.1 aims to prove exactly the same with its ClearClick feature : "The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, [...]
October 8th, 2008 at 7:53 am
[...] Hello ClearClick, Goodbye Clickjacking! 2008/10/08 13:53 | 鬼仔 | 乱七八糟 | 占个座先 来源:hackademix.net [...]
October 8th, 2008 at 8:39 am
@Nick:
thanks, it's not the only typo in this release. Translators notified some more, they are all fixed in current trunk.
October 8th, 2008 at 10:11 am
[...] isn’t that high at the moment. Vendors have started recognising the threat and coming up with solutions for dealing with it. Adobe has come up with a workaround and NoScript has released ClearClick to [...]
October 8th, 2008 at 12:06 pm
hackademix.net » Hello ClearClick, Goodbye Clickjacking!
Finally NoScript 1.8.2.1 is out, featuring the announced new anti-clickjacking countermeasures enabled by default, independent from IFRAME and plugin content blocking settings.
October 8th, 2008 at 1:49 pm
I just want to thank you very much for creating NoScript.
It's the only add-on I installed in Firefox, and it's probably in my top 5 of free software I'm using. Thank you!
October 8th, 2008 at 2:19 pm
Hi,
I noticed a problem with clearclick enabled for trusted sites.
The map on the left side of
http://www.call-a-pizza.de/bestellen/deutschland
is no longer clickable with ClearClick enabled for trusted sites (the site is temp. trusted by me)
October 8th, 2008 at 2:49 pm
[...] new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning [...]
October 8th, 2008 at 3:23 pm
[...] schafft wieder einmal die Erweiterung NoScript, die solche Attacken in der neuesten Version erkennt (im Laufe des Tages sollte hoffentlich auch die deutsche Übersetzung die neue Version [...]
October 8th, 2008 at 3:25 pm
Thank you from an MVP who prefers Firefox with NoScript. ;)
October 8th, 2008 at 4:02 pm
[...] Hello ClearClick, Goodbye Clickjacking! [...]
October 8th, 2008 at 4:48 pm
[...] only a stop-gap measure and only addresses a small part of the issue. NoScript in Firefox offers protection from clickjacking along with a host of other script-related issues. If you’re a security professional and [...]
October 8th, 2008 at 5:03 pm
[...] spys on you (via your webcam) without the usual warning dialogs; here's Adobe's response. NoScript now offers enhanced protection against some clickjacking attack [...]
October 8th, 2008 at 7:27 pm
[...] Vía | Hackademix [...]
October 8th, 2008 at 9:15 pm
[...] new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning [...]
October 8th, 2008 at 10:17 pm
NoScript is awesomely useful as ever, but I’ve found a case where ClearClick gets in the way of normal use: Gmane! (yes, I have toggled on apply to trusted sites)
Try putting the focus in the message pane to scroll, ClearClick alerts you.
http://thread.gmane.org/gmane.comp.php.devel/47609
October 9th, 2008 at 3:07 am
[...] new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning [...]
October 9th, 2008 at 5:49 am
[...] because it’s subtle and, until recently, undetectable by most users. The attack is known as Clickjacking, and it involves legitimate web pages that have been hacked to include hidden links leading to [...]
October 9th, 2008 at 9:15 am
[...] new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning [...]
October 9th, 2008 at 4:12 pm
[...] new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning [...]
October 9th, 2008 at 5:04 pm
[...] Статья о clickjacking на сайте hackademix.net [...]
October 9th, 2008 at 11:24 pm
[...] Maone, creator of the popular NoScript extension for Firefox and other Gecko-based browsers, released version 1.8.2.1 of NoScript, which adds ‘ClearClick,’ a feature that intercepts clicks made on [...]
October 10th, 2008 at 5:11 am
I notice that the default setting for NoScript's ClearClick feature only activates it for untrusted sites. Since I've had my own site hacked by Chineese hackers who put iframes on it, I think it might be best to also activate it for trusted sites, which is an option.
October 10th, 2008 at 3:27 pm
There's an incompatibility between ClearClick and NewsFox (as version 1.0.3.1 with NoScript up-to-date). It detects when you clic on a website inside de feed reader as a clickjacking. I didn't know where to put bug reports, so here it is.
October 10th, 2008 at 6:14 pm
I just installed 1.8.2.2, and decided to test it on the example you gave. If I click on the left side of the button, it shows just the download count, and white space if I toggle it. If I click on the right side of the button, it shows a wide area including the download count and the left side of the green download button, and just the left side of your button if I toggle it.
I'm on XPSP2 with Win2K-style windows; don't know if that has any bearing on the issue.
I also notice that ReCaptcha gives me several clickjacking warnings when I click on it. And I had to copy text to a textbox to use it.
October 10th, 2008 at 6:21 pm
Thanks for this!
October 11th, 2008 at 1:45 am
So what exactly does the "Keep this element locked" option do? The NoScript FAQ page and this completely fail to describe that option. For the record, I have NoScript applying its rules to trusted sites as well as untrusted ones, and I got this warning while trying to create a new tab (Ctrl-T) while using the Brief rss reader plugin.
In addition, the reCAPTCHA block in the reply submission form gets blocked with my default NoScript settings. Manually loading it gives some message about a JavaScript-free version. Clicking on that panel generates a clickjacking warning.
October 11th, 2008 at 2:20 am
@David Smith et al:
"Keep this element locked" does what it says, i.e. prevents free interaction with the element whose sight is "unclear". If you uncheck that option, you can interact freely with that element.
Some false positive triggered either by extensions which, like Brief, mix chrome and content in frames have already been fixed in latest versions.
I'm currently analyzing the ReCaptcha issue, which seems caused by a rendering glitch (the images differ for the thickness of a couple lines only). The good thing of ClearClick, BTW, is that you can actually compare the top and the bottom of your click area by yourself (clicking on the image shown in the dialog) and decide if it's a false positive or something you should be scared of with no need for specific technical knowledge.
October 11th, 2008 at 5:37 am
Very impressive.
October 11th, 2008 at 7:43 am
[...] on you (via your webcam) without the usual warning dialogs; here’s Adobe’s response. NoScript now offers enhanced protection against some clickjacking attack [...]
October 11th, 2008 at 8:58 am
[...] on you (via your webcam) without the usual warning dialogs; here’s Adobe’s response. NoScript now offers enhanced protection against some clickjacking attack [...]
October 11th, 2008 at 5:14 pm
[...] [via Hackademix] [...]
October 11th, 2008 at 5:21 pm
Hi, thx, clearClick triggered lots of warnings using Evernote, but seems to work ok now, thx!
=)
October 12th, 2008 at 4:04 am
[...] on you (via your webcam) without the usual warning dialogs; here’s Adobe’s response. NoScript now offers enhanced protection against some clickjacking attack [...]
October 12th, 2008 at 1:16 pm
[...] 来源:hackademix.net [...]
October 13th, 2008 at 2:53 pm
Utenti di Firefox al sicuro dal clickjacking grazie a NoScript
Internet è un luogo insidioso e con gli strumenti sbagliati (qualcuno ha detto Internet Explorer 6?) rischia di trasformarsi in un vero inferno. Fortunatamente gli utenti dei principali sistemi operativi possono contare su Firefox e soprattutto su es...
October 13th, 2008 at 4:48 pm
Giorgio:
the current version 1.8.2.8 slightly degrades the acid3 test score, why?
I am using the Firefox 3.1 beta version available here: http://tinyurl.com/4rz2fn (win32 installer) that normally scores a 97 on acid3 with no script disabled or using earlier noscript versions from a week or so ago.
October 13th, 2008 at 5:33 pm
[...] Here’s an excerpt from NoScript.net’s FAQ page: Default protections provided by NoScript, i.e. JavaScript and plugin blocking can prevent most clickjacking attacks. To be 100% protected against clickjacking, though, you should enable also Forbid <IFRAME> and possibly Apply these restrictions to trusted sites as well. While some users are confortable with these ultra-hardened settings, they can get cumbersome for others. Fortunately, since version 1.8.2 NoScript provides a new default kind of protection called ClearClick, which defeats clickjacking no matter if you block frames or not. [...]
October 14th, 2008 at 8:43 am
[...] Source: changelog NoScript. Crédit screenshot : hackademix.net. [...]
October 14th, 2008 at 8:10 pm
[...] على فايرفوكس بإصدارها الأخير1.8.2.1 يحل المشكلة بطريقة ClearClick وهي ببساطة إظهار جميع الكائنات المخفية الموجدة في [...]
October 16th, 2008 at 5:36 am
[...] Fight CLICKJACKING Now! [...]
October 17th, 2008 at 8:16 pm
acid3 problem is FIXED on version 1.8.3 woohoo!
thanks, man
you're the best!
October 18th, 2008 at 6:39 pm
[...] without you knowing (or a whole lot more likely clicking ad’s you didn’t want to!) ClearClick was said to kill clickjacking but sources say this isnt the case. This entry was posted in Java [...]
October 20th, 2008 at 1:16 am
Great extension. I have only one complain.
Stop updating every day. It is annoying !!!
Gather all fixes and/or futures an do it every 15-30 days.
Gee men...!!!
Every day that i open my browser NoScript is asking to Update.
October 21st, 2008 at 12:07 pm
[...] only a stop-gap measure and only addresses a small part of the issue. NoScript in Firefox offers protection from clickjacking along with a host of other script-related issues. If you’re a security professional and [...]
October 24th, 2008 at 9:23 pm
#47 Nessus
Each update is an improvement. And when it comes to security, I'm grateful for these numerous AND FAST improvements. The more the better.
October 25th, 2008 at 5:06 pm
I have used No-Script since Firefox, and love it...great to see improvement in an already excellent product.
October 26th, 2008 at 12:20 am
Video of presentation of ClickJacking at Owasp:
http://video.google.com/videoplay?docid=-5747622209791380934&hl=en
Whitepaper about clickjacking:
http://www.sectheory.com/clickjacking.htm
Techniques on how to make effective clickjacking attacks:
http://sirdarckcat.blogspot.com/2008/10/about-css-attacks.html
Greetz!!
October 26th, 2008 at 10:26 am
[...] protection, if you’re a Firefox/NoScript user you should already know about ClearClick. If you’re not, I feel a bit sorry for [...]
October 28th, 2008 at 3:20 am
[...] [via Hackademix] [...]
November 1st, 2008 at 7:43 am
[...] [via Hackademix] [...]
November 16th, 2008 at 6:57 pm
Yes, I just got that update!
loved it and blogged it!!!
http://ajabgajab.blogspot.com/2008/11/smarter-no-script-goodbye-clickjacking.html
November 17th, 2008 at 12:29 am
[...] man, come on, how great is Clearjacking? Finally NoScript 1.8.2.1 is out, featuring the announced new anti-clickjacking countermeasures [...]
November 18th, 2008 at 1:29 am
[...] new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning [...]
November 23rd, 2008 at 6:50 am
Thanks. NoScript is a wonderful addon.
November 24th, 2008 at 9:35 pm
Could I get some more explanation of what is actually going on? I sometimes get clickjacking warnings on a site I often visit. Where can I get more information on what is going on and what the hijacked link is, so that I can make the decision whether to allow or not based on facts rather than on my hunch that the site is bona fide or that if NoScript says it's bad, it probably is.
November 24th, 2008 at 10:19 pm
@Andrè Engels:
The simplest thing you can do is comparing the two images taken by NoScript (the one obstructed and the one "revealed") by clicking on the green-bordered box on the warning.
If that seems a false positive, please try to install latest development build, and if the problem persists let me know where it happens.
December 3rd, 2008 at 8:26 pm
[...] have recently run into a problem which relates to a ClearClick Clickjack attempt warning when using Wordpress.com Stats with Wordpress 2.6.5 and I’ve been unable to find a [...]
December 3rd, 2008 at 9:35 pm
@Giorgio
Thanks for the comment on my recent post about a possible false positive. I've posted the information to the forum with the screenshots. Please let me know if you need any other information.
December 7th, 2008 at 8:07 pm
help...
possible false positive???
http://i38.tinypic.com/29kvyog.png
December 11th, 2008 at 12:04 am
[...] the considered #1 hack of 2008; named Clickjacking. It is said that in order to avoid Clickjacking, Firefox browser complete with its latest version of NoScript plugin is the only solution. Because in fact, Internet Explorer, the scapegoat of all browsers proven to provide more security [...]
December 14th, 2008 at 12:49 pm
[...] - how sweet our internet nowadays! My suggestion, stop socializing! LoL (Just kidding). Just use NoScript it promise you the nearest-complete solution of browsing [...]
December 20th, 2008 at 2:27 am
[...] XSS attacks; ClearClick, the only specific browser countermeasure currently available against ClickJacking/UI redressing attacks, and many other security enhancements, including a limited form of protection against [...]
December 23rd, 2008 at 10:30 pm
Thanks to NoScript it blocked clickjacking attempts from maps.google.com.
It also blocked XSS attacks.
July 1st, 2009 at 9:46 am
[...] Hackademix [...]
December 24th, 2009 at 4:16 am
whats going on? it's blocked
January 9th, 2010 at 5:37 pm
What kind of douchey word is "interwebs"?
March 27th, 2010 at 2:42 pm
[...] new improvement to NoScript, called ClearClick, can detect if there is a hidden, embedded element within the Web page. It then displays a warning [...]
May 27th, 2010 at 9:13 am
Clickjacking - Framebuster oder HTTP-Header verhindern Angriffe
Wie Clickjacking
allgemein
funktioniert und
welche Möglichkeiten
es einem Angreifer bietet, haben Sie in den ersten beiden Folgen erfahren.
Jetzt geht es um die Möglichkeiten, einen Clickjacking-Angriff zu
verhindern bzw. abzuwehren.
August 31st, 2010 at 12:33 am
[...] year and half, now). Mostly as a point of pride, actually, than out of a true necessity, since the existent NoScript’s ClearClick module already provided a more complete and effective protection against all kinds of Clickjacking [...]
September 15th, 2010 at 1:38 pm
[...] לזהות מתקפות Clickjacking בעזרת טכנולוגיה שהם קוראים לה ClearClick, ולהתריע למשתמש ברגע שהוא מנסה ללחוץ על מקום מסוכן. [...]
September 15th, 2010 at 10:32 pm
[...] לזהות מתקפות Clickjacking בעזרת טכנולוגיה שהם קוראים לה ClearClick, ולהתריע למשתמש ברגע שהוא מנסה ללחוץ על מקום מסוכן. [...]
September 19th, 2010 at 9:07 am
[...] לזהות מתקפות Clickjacking בעזרת טכנולוגיה שהם קוראים לה ClearClick, ולהתריע למשתמש ברגע שהוא מנסה ללחוץ על מקום מסוכן. [...]
December 18th, 2010 at 7:46 am
[...] Hackademix.net » Hello ClearClick, Goodbye Clickjacking! Oct 8, 2008. #11 Firefox Extension Blocks Dangerous Web Attack | WinSoftNews says:. Since I've had my own site hacked by Chineese hackers who put Hackademix.net » Hello ClearClick, Goodbye Clickjacking! [...]
March 5th, 2011 at 10:34 pm
[...] hackademix.net » Hello ClearClick, Goodbye Clickjacking!Finally NoScript 1.8.2.1 is out, featuring the announced new anti-clickjacking countermeasures enabled by default, independent from IFRAME and plugin content blocking settings. … The most specific and ambitious is called ClearClick: whenever you click or otherwise interact, … I do not need to change my button yet, [...]
August 16th, 2011 at 2:22 am
[...] it and No Script will let the features work. The latest version of NoScript has a feature called ClearClick that you can read about here. I don't surf without it, and you shouldn't [...]