Last week, a couple of interesting and novel Clickjacking techniques were published:

  1. Cross-domain content extraction via framed view-source
  2. Double-clickjacking (or, as I prefer to call it, Rapid fire cross-site interaction)

Both involve a tiny amount of social engineering (#2 requires JavaScript, too), but as you can see they are totally feasible.

Needless to say, recent NoScript versions neutralize them whether or not JavaScript is enabled, thanks to specific enhancements in ClearClick, NoScript's unique anti-Clickjacking protection module.

3 Responses to “Fancy Clickjacking, Tougher NoScript”

  1. #1 Krzysztof Kotowicz says:

    Yay :) Congratulations on fast patches - NoScript really is a 0-day-style security tool :) If only Firefox would disallow framed view-source: in the first place...

  2. #2 tommy says:

    Or, one could defeat #2 by avoiding obviously risky sites and protocols like Facebook, Twitter, and OAuth. But they won't.

    Otherwise, what KK said.

    btw, should I be worried that I have to allow an iFrame recaptcha to post here? And copy/paste text from it into a box? ;)

  3. #3 Basti says:

    Nice work. In case you're wondering about a "clickjacking report" on one of the demos kindly provided by Krzysztof Kotowicz, that was me. I loaded the page and disabled the protection. The warning came up and I clicked the button to the right of "OK" as I assumed it would be "Cancel".

    FF security is much greater with NoScript.
