July 11th, 2011
Fancy Clickjacking, Tougher NoScript
Posted by: Giorgio in Clickjacking, Mozilla, Security, NoScript

Last week a couple of interesting and novel Clickjacking techniques were published:
1. Cross-domain content extraction via framed view-source
2. Double-clickjacking (or, as I prefer to call it, Rapid fire cross-site interaction)
Both involve a tiny amount of social engineering (#2 requires JavaScript, too), but as you can see they are totally feasible.
Needless to say, recent NoScript versions neutralize them whether or not JavaScript is enabled, thanks to specific enhancements in NoScript's unique anti-Clickjacking protection module, ClearClick.
July 11th, 2011 at 4:23 pm
Yay :) Congratulations on fast patches - NoScript really is a 0-day-style security tool :) If only Firefox would disallow framed view-source: in the first place...
July 12th, 2011 at 8:31 am
Or, one could defeat #2 by avoiding obviously risky sites and protocols like Facebook, Twitter, and OAuth. But they won't.
Otherwise, what KK said.
btw, should I be worried that I have to allow an iFrame recaptcha to post here? And copy/paste text from it into a box? ;)
July 12th, 2011 at 7:20 pm
Nice work. In case you're wondering about a "clickjacking report" on one of the demos kindly provided by Krzysztof Kotowicz, that was me. I loaded the page and disabled the protection. The warning came up and I clicked the button to the right of "OK", as I assumed it would be "Cancel".
FF security is much greater with NoScript.