Clickjacking - It Can Hit Any Browser

2008 October 9

The latest Internet threat is called “clickjacking.”

Clickjacking affects anyone who surfs the Internet.

In a clickjacking attack, you click on a supposedly safe web page, but you are duped into revealing confidential information. A clickjacking attack can be used to take control of a computer’s webcam and microphone without the knowledge of the user, or it can exploit the computer in other ways.  This works because there is a malicious page “behind” the seemingly safe page.  ZDnet explains it as:

In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits.  The problem affects all of the different browsers except something like lynx.  The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.  It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch.  With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

Here’s a video of a demo that shows what clickjacking does:

[Embedded YouTube video]

Adobe Has Issued a Workaround

As you can see from the demo, there’s a page behind the “clickjacking” front page that exploits your Adobe Flash Player.  This “underlying page” is not revealed to you, the clicker, so without your knowledge, whatever you do on the page that you see might be transferred to the hidden page.  Adobe announced a workaround for its Flash Player’s vulnerability that was released on October 7.  See Adobe - Clickjacking Workaround

Browser Vulnerabilities and Plugins

Clickjacking is a cross-browser threat, so no matter what you’re using, you are vulnerable.

Personally, I’m a Firefox fan because it seems to be the most secure, and it’s certainly a fast and efficient program.  There’s a plug-in called “NoScript” available for Firefox to protect its users from clickjacking.  It’s very easy to install.  Just follow these steps:

  • Go to NoScript’s web page.
  • Click the DOWNLOAD button - it’s in the upper left corner, directly under the NoScript icon shown in this blog entry.
  • Click INSTALL NOW and follow the prompts.
  • Firefox will need to close the browser windows to add the plug-in.

When everything has installed, you will see a bar on the bottom of your browser window. This bar has an “options” menu that lets you whitelist certain sites like this one that have YouTube videos on them or Scoutle stages.  For WordPress bloggers, I noticed that I had to whitelist the site in order to view the “visual” mode of the blog instead of the “html” mode when writing.

Once installed, you might find that you need to install an Adobe Flash Player plugin (just follow the prompts that show up) if you want to watch YouTube videos.  For the non-technical people, there’s an excellent video that explains how to install NoScript and how you can configure it:

[Embedded YouTube video]

As the video suggests, please give the developers a donation!

For now, I have not been able to find anything specifically addressing clickjacking vulnerabilities in Microsoft’s Internet Explorer and how to fix them.  Here’s a pretty good article that will tell you what, if anything, you can do to protect yourself from clickjacking if you use browsers other than Firefox.  If you know of something that will specifically work with Internet Explorer, Chrome or some of the others, please add it to the comments below.

As your best alternative, download and start using Firefox.  It’s an excellent program and free of charge.
