As you probably know, ClearClick is the only effective client-side protection against Clickjacking (AKA UI Redressing).

A couple of weeks ago, Atul Agarwal of Secfence privately reported to me a ClearClick bypass based on tracking the user's mouse movements and dynamically placing an extremely small click target just under the pointer. Even though it required the attacker's page to be whitelisted and allowed to run JavaScript, I deemed that this bug deserved to be fixed ASAP, because ClearClick, like most of the web application security countermeasures offered by NoScript (e.g. anti-XSS, ABE or HTTPS enforcement), is guaranteed to work independently of script permissions, i.e. even if you allow scripts globally. Atul kindly agreed to coordinate the disclosure, so I immediately released a development build with the bug fix, and the whole user base was automatically updated with the stable release about one week later.

BTW, looks like Sophos likes ClearClick and dirty female teachers very much :)

3 Responses to “ClearClick News”

  1. #1 PJ says:

    I'm trying to post on but every time I press submit I get a strange picture of Sylvester Stallone??
    What's up with that?

  2. #2 Abbas Zaidi says:

    Does ClearClick only work on Firefox? Any intentions for a Chrome release, or is Chrome already safe in this regard? I don't believe that to be the case, so how come there's no mention of Chrome anywhere?

  3. #3 Giorgio says:

    @Abbas Zaidi:
    There's no porting to Chrome, because Chrome is still too limited in its extensions API.
    And no, Chrome is not safe in this regard, and I guess there's no mention beside Firefox not to embarrass the other browser vendors ;)
