Adobe yanks speech exposing critical 'clickjacking' vulns

In another event for the "internet is broken" files, two prominent security researchers have pulled a scheduled talk that was to demonstrate critical holes affecting anyone who uses a browser to surf the web. Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities …

COMMENTS

This topic is closed for new posts.
  1. Charles

    Exploit of basic JavaScript?

    I would imagine, since it involves most browsers, that it must involve something common between them. If it's tricky to solve, then it probably involves a basic function, such that crippling it would result in collateral damage. I once recall a simple JavaScript function that allowed one to post arbitrary text to the status line. Combined with an onMouseOver event you can create a false address that can't be detected unless one had the gall to look at source code.

    Then again, this exploit may be similar but different, but it must use a common link to affect so many browsers.

  2. Paul Fleetwood
    Unhappy

    Does this mean everyone should install NoScript for the time being, at least?

    Even though it does sort of ruin the internet?

  3. Flocke Kroes Silver badge
    Boffin

    Scripting and plug-ins not required

    Had scripting turned off for years, and never downloaded any plugins, so perhaps I do not know what I am missing.

    The new-look reg makes the basic mistake: change the foreground colour to black, but leave my choice of a dark background in the textbox. As a result I am trying Lynx today.

    So far, so good. I think I will keep it as it is far faster, and I always get my choice of colours.

  4. Petrea Mitchell
    Boffin

    Choices, choices...

    "In the meantime, those who want to protect themselves against this vulnerability will have to disable scripting and all browser plugins."

    Suppose you disable scripting with a plugin, like NoScript?

  5. Solomon Grundy

    Geeks

    Damn geeks. They've screwed up everything. They can't even get something as simple as the Internet right. No wonder 70% of financial applications are still coded in COBOL and don't use the Internet as their primary avenue of communications.

    However, this is most certainly a "man trying to keep information out" or whatever. Everybody screams for silence when it's their product that's vulnerable - but they want full disclosure when it's someone else's problem. Gay. It's all gay.

  6. Anonymous Coward
    Anonymous Coward

    I bet £0.01

    on eval();

  7. Nick L

    onclick ?

    Is this actually anything cleverer than <a href="goodsite.com" onclick="location.href='http://dodgysite.biz'">Please enter your password</a>

    ?

  8. BlueGreen

    Simple solution that will never be followed

    Don't do stupid, clever things with websites[*]. KISS. No flash, no silverlight, no javascript, no nuffink. But that's not going to happen when people who commission get seduced by glitter.

    I always use noscript but for the absolute unavoidable minimum, and those that for some reason require scripting run in a VM now.

    [*] or any tool.

  9. Gordon Fecyk
    Stop

    How to prevent webcam monitoring: Unplug the thing, duh

    In another day for the "Dan Goodin is Paranoid" department, the celebrated El Reg author once again overlooks the obvious when explaining a computer security vulnerability.

  10. Anonymous Coward
    Anonymous Coward

    disable scripting and all browser plugins..

    ..and the problem is?

  11. jubtastic1
    Pirate

    He'll save every one of us!

    Open fire - all weapons, Despatch war rocket Ajax to bring back his body.

  12. Jodo Kast
    Joke

    Ya know...

    I liked it better before everyone knew about this...

    Cuz nothing beats watching Webcams when no one knows you're watching... and listening.

  13. Claire Rand
    Stop

    standards... & javascript

    I guess the reason disabling javascript can play havoc with some sites is a half-hearted desire to make people keep javascript turned on.. e.g. doing hyperlinks with javascript as opposed to the anchor tag (looking right at you BBC with that recent rubbish you tried).

    fine for 'information' sites, i guess, we can always look elsewhere the site owner doesn't lose much. but for retail sites??? putting a limit up means I go elsewhere, to me your site tis broken.

    *this* defect will be something to do with how acrobat likes to take over the page, so noscript etc won't work, since it will be acrobat doing its thing.

    solution? don't view pdf files?

    or heavens above adobe could make some nice options, like making it very clear where a link will go, and allowing links to be turned off/replaced with the url etc.

    they need someone _seriously_ evil working at microsoft & adobe etc, someone who gets a nice bonus for every evil trick they find to redirect someone. so the tricks can be blocked.

  14. F Seiler

    @Petrea Mitchell

    No, not any kind of paradox. You don't need NoScript to disable JavaScript in Firefox. NoScript is only for easy selective disabling. Main menu -> tools -> options -> content -> uncheck "Enable JavaScript". Similar probably in other browsers. At least IE should have it somewhere in its hideous "Internet Options" too.

  15. adnim

    NoScript

    Disable all scripting everywhere by default, add exceptions for the sites one regularly visits and trusts. No problem. A minor inconvenience at the most. I will often view page source or download and read scripts before enabling java for an unknown site. If an unknown and thus untrusted (All websites by default should be untrusted) website asks for a plugin to be installed to view the content, then go find the content elsewhere. I would rather have a slightly broken web experience than a broken OS, a compromised bank account or encrypted documents. Paranoia maybe but the last infection I had was the Saddam virus on my Amiga. Alternatively browse the net on a vm that's used for web browsing only and take a snapshot before each session.

    Changing status bar text via Java is easy. However there is an option in Firefox advanced script setting that either allows or disables the changing of status text by Java. One should make sure that this option is unticked.

    Of course your average user is not going to employ all or indeed any of these tactics, still it keeps us in work.

    As BlueGreen mentioned keep it simple, html, css and php is all it takes to build an effective, efficient website.

  16. Peyton

    Javascript bug? I'm suspicious

    Seems like most of the discussions were "affects x AND adobe" "fix x AND adobe" - could this be a flash bug? That would still make it affect all your mainstream browsers...

    @Gordon - to "unplug" my webcam I would have to rip apart my laptop's lid... not really a viable option for me...

  17. Will Godfrey Silver badge
    Black Helicopters

    Scary stuff

    I'm very worried about the prospect of the nasties taking over my webcam and mic. How the hell did they manage to get in and install them without me noticing?

    As for scripts, the NoScript ... er... plugin is my best friend.

  18. Anonymous Coward
    Dead Vulture

    Yeah ...

    I've known about this for at least eight years.

    Anything new to report?

  19. Mr Spoon

    @Peyton

    Actionscript (Flash's scripting language) is basically Javascript (ECMA Script) so a JS flaw looks likely.

  20. David Pickering
    Coat

    erm

    im not sure i get it... using javascript to rewrite a ahref tag is now a vulnerability? i fail to see how this can take control of your webcam etc... (though i only read the first few paragraphs ha)

    mines the one made out of tin foil

  21. Anonymous Coward
    Anonymous Coward

    <no title>

    I'm another one for doing "untrusted" browsing in a VM, but that doesn't help with "clickjacking", if I understand it correctly. For protective measures, how about ... well, I guess it has to be ... a plugin that scans javascript source for dubious sections or bad constructs?

    In the long run - simplify web page design as mentioned above. The "browsing experience" is still going to be just fine. It may not require using only html, css and php, but stripping insecure components out of other protocols would be a good start.

    And Dan Goodin is the man - leave off, or I'll send the boys 'round ....

  22. Alastair

    Easy one, that

    A bit of javascript that will capture the click event on a link, and redirect to another address. So the status bar shows the user a link they'll never go to. As for the webcam stuff, well I assume that's where Flash comes in, given that you can't access cams without using something like that.

  23. Moss Icely Spaceport
    Gates Halo

    Adobe products make...

    ....Microsoft look good.

    Just saying...

  24. FatherStorm

    this is new? wow.

    really. This is new? not just

    <a href='anysite.com/showthislink/seemslegit.htm' onclick='window.open("someothersite.com","_self");return(false)'>

    first link shows in bottom bar, second link actually executed. 0th year javascript here folks. not actually a world rocker. same way that lightbox changes all links after page loads..
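The href/onclick mismatch described in the comment above (the status bar shows one address, the click handler navigates to another) can be checked for mechanically in static HTML. This is an added example, not part of the original thread; the function names, base URL and sample markup are constructed for illustration, and a regex scan like this only sees inline `onclick` attributes, not handlers attached later from script.

```javascript
// Added example: flag <a> tags whose inline onclick navigates to a different
// host than the href the browser displays. Static, regex-based check only.
const NAV_RE = /(?:location(?:\.href)?\s*=\s*|window\.open\s*\(\s*)(["'])(.*?)\1/i;

// Read one quoted attribute from a start tag. Requiring leading whitespace
// keeps "location.href=..." inside an onclick from being read as href.
function attr(tag, name) {
  const m = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)')`, "i").exec(tag);
  return m ? (m[1] ?? m[2]) : null;
}

// Resolve a possibly relative URL against the page URL and return its host.
function hostOf(url, base) {
  try { return new URL(url, base).hostname.toLowerCase(); } catch { return null; }
}

function findMismatchedLinks(html, base) {
  const findings = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const href = attr(tag, "href");
    const onclick = attr(tag, "onclick");
    if (href === null || onclick === null) continue;
    const nav = NAV_RE.exec(onclick);          // first navigation in the handler
    if (!nav) continue;
    const shown = hostOf(href, base);
    const actual = hostOf(nav[2], base);
    if (shown && actual && shown !== actual) findings.push({ shown, actual, tag });
  }
  return findings;
}

// Constructed sample page: two deceptive links, two harmless ones.
const BASE = "https://site.example/";
const SAMPLE = `
<a href="https://bank.example/login" onclick="location.href='https://evil.example/login'">Sign in</a>
<a href="https://shop.example/cart" onclick="window.open('https://shop.example/cart','_self');return false">Cart</a>
<a href='/help' onclick='window.open("https://other.example/x","_self");return(false)'>Help</a>
<a href="https://news.example/">News</a>
`;

for (const f of findMismatchedLinks(SAMPLE, BASE)) {
  console.log(`status bar shows ${f.shown}, click goes to ${f.actual}`);
}
```
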

  25. amanfromMars Silver badge
    Paris Hilton

    Systemic Problems require New Source Code not Fluffing of Old Code Programs

    "I've known about this for at least eight years.

    Anything new to report?" ..... By Greg Fleming Posted Tuesday 16th September 2008 22:42 GMT

    Eight years you say..... would you then have the Answer/Solution to Share with Us All, Greg.

    And I was thinking exactly the mirror opposite to RSnake.[Hansen]

    "Hansen struck a more conciliatory tone in discussing the cancellation.

    "I must stress, this is not an evil 'the man is trying to keep us hackers down' situation"

    Man speak with forked tongue, Kemo Sabe. He hides the Truth in what he says is not there.

    And Red Team Virtual Penetration BetaTest Drivers are not Hackers, they are Creative Crack Coders Plugging Vulnerabilities that Lose Market Share to Beta Equipped ProgramMIng.

    If you have a Major Internet Control Problem, they're the Sort of Dudes you Call Direct with a Line of Open Credit Reflective of Control Needs.

  26. David Rollinson
    Thumb Up

    re. Adobe make Microsoft look good.

    I agree. I gave up on Acrobat Reader in favour of Foxit Reader, fed up of having my browser locked up or crashed.

  27. Adrian Waterworth
    Gates Horns

    New? Not New?

    Following the links and doing a little digging, I get the feeling that this has got to be something more than straightforward Javascript link hijacking with onclick/onmouse type events.

    Of course, it could all have been blown out of proportion by the guys themselves in order to make their work look more prestigious than it is, but until more details are disclosed, there's nothing to be lost by being a little extra watchful is there?

    Well, except that most of the folks who read The Reg are probably more than paranoid enough - it's all the clueless email attachment readers and compulsive link-clickers out there that cause most of the problems.

    P.S. Bets on any vulnerabilities being present in the shiny new, "we've dressed up WebKit to make it more secure and better for modern web applications" Chrome (JAFWB!) too?

  28. The BigYin

    @peyton

    Sticky tape and a piece of paper. Cover the lens.

    Job done.

    As for the web in general - yup, disable all scripts and all plugins by default.

  29. Anonymous Coward
    Thumb Up

    What's the buzz?

    The problem now is that the danger-bubs have been activated and we all want to know what the fuss is about! This looks to me like one of those "Church/Org makes a fuss over nothing and more people find out than would have, if they had simply let it go.".

    Oh and now I've been forced to come over all middle-England! Did these people even go to school?

    "that this is a tough problem with no easy solve in sight"

  30. Dave

    8 years

    have I not trusted the text in the status bar to tell me where I am going next

  31. Anonymous Coward
    Anonymous Coward

    interwebs without scripts and plug ins

    The interwebs without scripts and plug ins is a bit like a supermarket with a plain concrete front, no windows, concrete shelves and all the products contained in brown containers with black stenciled text to inform you what is inside.

    Checkouts similarly grey staffed by people in grey and only accepting cash.

  32. Anonymous Coward
    Anonymous Coward

    @Peyton - laptops with webcams

    "@Gordon - to "unplug" my webcam I would have to rip apart my laptop's lid... not really a viable option for me..."

    Or instead of martyring yourself you could stick a piece of Post-It or blob of Blu-tak over the lens. And I presume your laptop has a nice light to tell you the camera's on, like the Eee PC...

  33. Alan Fisher

    Hunt 'em down and put 'em in jail

    I keep saying that the laws concerning hacking and cyber crime need to be tightened up and the people who carry out these crimes found and dealt with, instead of trying to ruin the lives of your average person without punishment or consequences seemingly

  34. Anonymous Coward
    Anonymous Coward

    Have we gone back to 1990

    and no one told me.

    This has been possible for ages and is a key part of the web, the link shown to you is the link the author put in the page, which can be anything.

    What next mod_rewrites to make it look like they are legit with or without javascript, or flash.

    This is just a part of the web, sure things like privoxy can detect a header request to redirect, but a lot of sites use them :)

    It is not a flaw it is a feature get used to it - if you go to a dubious site then well you are already taken.

  35. TimM

    Scripting

    Face it. Scripted sites are part of the web these days. Unless you prefer surfing back in 1995.

    The real reason a lot of people have a beef with scripted sites is more likely because so many are badly written.

    It's not an evil to use script as a developer, if it's used constructively and not over-used. Developers also have a requirement to at least make their sites vaguely usable for luddites who disable script.

    Anyway, surely recent anti-phishing technology in browsers would spot simple stuff like this?

  36. Peyton
    Heart

    Wow - thanks for the advice guys!

    Love the idea of covering my nice, sleek laptop with a bunch of tape and post-it notes - I can keep my passwords there AND it will really give it a nice garbage bin look. (I'm sure that tape won't leave any dirt-attracting glue behind when I actually *use* the webcam) Now how about the mic inputs situated right next to the web cam? Stuff some cotton in there I suppose?

  37. Eddie Johnson
    Unhappy

    @TimM

    > Face it. Scripted sites are part of the web these days. Unless you prefer surfing back in 1995.

    Yes, I do. I really, really do. It. Just. Worked. Unlike most crap today designed by an art major with his crappy <Whatever the FrontPage of today is> software.

    Anyone who has flash or "Javascript is required to use this site, click HERE to upgrade your browser" on their home page will never know how many people just turned around and left. Luckily for them they'll never hear what they were called either.

  38. adnim
    Joke

    @Peyton:Wow-thanks for the advice guys!

    Wear a mask and learn sign language.

    ;-)

  39. Anonymous Coward
    Anonymous Coward

    @Peyton

    Well, If your OS is windoze just disable your webcam in the hardware properties tab when you aren't using it.
