Archive for January 31st, 2009

Thanks to IE8's touted Clickjacking protection which will work on those pages whose authors decide to adopt the new proprietary X-FRAME-OPTIONS header (now cross-browser), the buzz about this topic has been raising again. Unluckily, Clickjacking (or more precisely, talking about IE8's mitigations, "frame-based UI Redressing") is not well understood enough yet for the "technical" press to spare us some frankly embarrassing articles:

And so on...
Even Heise Security fell in this trap, sigh. The mood of most of these "reports" is, more or less,

Look ma, there's this Clickjacking PoC which works in Chrome and Firefox, but is defeated in IE8, which has Clickjacking ProtectionTM. Did you see? IE is the most secure browser of the pack, OMGROTFLMAO!!!

Now, I know the ones to really blame and bash here are this so called "security firm" looking for (and finding) free advertisement by exploiting the security buzzword of the day, and the "security researcher" Aditya K. Sood. But why did nobody of these journalists and bloggers try to verify Secniche's claims (and orthography)?

Clickjacking is a malicious software form that can seemingly take control of the links that an Internet browser displays for various Web pages. Once that takes place, and once a user tries to lick (sic!) on that link, the user is taken to a site that is unintended. In some cases, the user may be able to recognize this immediately; in other cases, the user may be totally unaware of what took place.Once an infected ad has been loaded into your browser, your clipboard (where you copy and paste text) becomes overwritten with a URL.

A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another functionThe exploit may also take over your browser and visit links without you knowing.

A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The user thinks he is clicking the visible buttons, while he/she is actually performing actions on the hidden page.

The hidden page may be an authentic page, and therefore the attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page.

Well, by these standards (and grammar and syntax), hereby I disclose my sensational "Clickjacking PoC" which works everywhere, even against IE8 RC1:

Clickjack The Target (http://www.yahoo.com) : (http://evil.hackademix.net)

Even better, mine is just 188 characters long, i.e. 1/3 of the one by Secniche:

<a href="http://yahoo.com"
onclick="location='http://evil.hackademix.net/images/stallowned.jpg';return false"
>Clickjack The Target (http://www.yahoo.com) : (http://evil.hackademix.net)</a>

Unfortunately, like I told Heise guys (who honestly rectified their article):

that's not Clickjacking by any stretch of imagination, and hardly malicious: you just get on a "surprise" destination, but nothing more since it can't do any of the cross-site evils (e.g. bypassing CSRF protection) of the real thing.

Or, quoting Michał Zalewski's answer to Mr. Sood on BugTraq:

1) It is by now well-understood that because of the inherent and broadly depended on properties of HTML, every sufficiently featured browser is and likely will remain susceptible to the behavior known as clickjacking. A more thorough analysis, also covering Chrome, is provided here:

http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing)

2) To my best knowledge, the proof of concept provided in your post, where a same-origin <div> follows a mouse pointer, is not a valid demonstration of the issue at hand.

Nor is mine, of course: LickJacking, maybe ;)

Talking about rectifications, Security Watch's apology of Microsoft's take on Clickjacking protection, while defending X-FRAME-OPTIONS against the general skepticism from security experts, emphatically warned twice that "NoScript won't protect you". Larry Seltzer's premise, "JavaScript is not required for the attack" was obviously correct, but unfortunately for him (and fortunately for Firefox users), NoScript doesn't rely on script blocking to defeat the attack. He had apparently never heard about ClearClick, the specific anti-Clickjacking protection provided by NoScript, which is extremely effective even if JavaScript is enabled (or the attack is scriptless). Ironically, ClearClick is also the only available implementation of Michał Zalewski's "favorite solution", which his article even tries to explain.

However, as soon as I managed to tell him about his mistake (after working around the unbelievable suckiness of PCMag's spam filters, which coughed on any sentence of medium complexity and even on the word "google"), Larry demonstrated solid deontology. He honestly admitted to have been misled by an ancient post by RSnake, which actually reported that older NoScript versions could be circumvented by some Clickjacking setups, while more recent (ClearClick enabled) versions are effectively protected. Larry, I did appreciate that, and I'm sorry I couldn't post not even a simple "thanks" as a comment on your Security Watch blog (danx? th3nx? 10x?)

Just googled for Vista TCP Limit on behalf of FlashGot user.
The first 500 results at least are all reported as malicious sites, including the top two, Softpedia and MSFN.
Luckily enough for P2P addicts, Firefox's Safe Browsing -- even if backed by Google's data -- doesn't seem to agree ;)

Update Sat Jan 31 2009 16:32:50 GMT+0100

Looks like it was a more general Google bug, fixed now.

Bad Behavior has blocked 3282 access attempts in the last 7 days.