October 8th, 2008
“Clickjacking” Details Emerge
By Michael Santo
Editor-in-Chief, RealTechNews
I wrote about “clickjacking” earlier. While the discoverers had promised to remain mum because the flaw affected an Adobe product (which turned out to be Flash), on Tuesday Israeli researcher Guy Aharonovsky posted a proof-of-concept (PoC) of clickjacking and Flash. Since the cat was already out-of-the-bag, Adobe told the researchers (Robert Hansen and Jeremiah Grossman) to go for it.
Aharonovsky’s demonstration used clickjacking tactics to reset Adobe’s Flash privacy settings, and turn on the computer’s webcam and microphone for remote spying. Serious stuff.
Adobe’s already posted an advisory for the issue, though, with a workaround, while promisiing a fix before the end of October.
To prevent this potential issue, customers can change their Flash Player settings as follows:
- Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
- Select the “Always deny” button.
- Select ‘Confirm’ in the resulting dialog.
- Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html.
Hansen has posted a list of 12 different clickjacking scenarios on his blog. He poked at Aharonovsky somewhat, saying the PoC was a “careless disclosure.” He also said:
First of all let me start by saying there are multiple variants of clickjacking. Some of it requires cross domain access, some doesn’t. Some overlays entire pages over a page, some uses iframes to get you to click on one spot. Some require JavaScript, some don’t. Some variants use CSRF to pre-load data in forms, some don’t. Clickjacking does not cover any one of these use cases, but rather all of them. That’s why we had to come up with a new term for it - like the term or not.
Only two of the scenarios have been fixed so far. As I indicated earlier, however, users of Firefox can use the NoScript extension as protection. And the latest releases of the product now include a new feature: ClearClick anti-Clickjacking technology which disables user interaction with partially obstructed or not clearly visible embedded objects.
As I said earlier, it’s not an extension I’d ask the general public to use, but for those who are willing to put up with the extra work, it’s great protection, until the browser developers come up with a proper fix.
LZW says:
Why does Adobe ship Flash! with the default settings for the mic and web cam to be on?
It’s like Internet Explorer use to come with all possible security exploits switched on by default.
October 8th, 2008 at 10:48 pm
81lcd says:
liquid crystal materials
October 8th, 2008 at 11:44 pm
Kevin K. says:
I want to know why you have to go to a web address at Adobe in order to set these preferences in the first place!
Why is this not a setting in Windows Control Panel or an executable on the client you can start and configure?
Why does Flash even do this?
Deny! Deny! Deny!
October 9th, 2008 at 7:27 am
LZW says:
I figure they must make you goto the web as a way to track users… Since microsoft started to bundle Flash! with Windows, the only other way they have to track users is when they update Flash! (for most people, that’s the first Flash! site they visit since the version in Windows is almost always out of date)
October 9th, 2008 at 4:44 pm