
Details of Clickjacking Attack Revealed With Online Spying Demo

Adobe releases Flash Player workaround to defend against clickjacking attack

A researcher has “hacked” the mysterious clickjacking attack and today posted a demonstration in his blog on how the Web-borne attack works.

Details of the dangerous clickjacking attack have been closely held by the two researchers who discovered it -- Jeremiah Grossman and Robert “RSnake” Hansen -- at the request of Adobe, which wanted more time to patch its software against the attack, even though the attack has to do with the way browsers and the Web work. (See Clickjacking Defense Will Require Browser Overhaul and Disclosure of Major New Web 'Clickjacking' Threat Gets Deferred.)

But a researcher with a blog called “GuyA.Net” spilled the beans today with a proof-of-concept that controls a user’s Webcam and microphone once the user clicks on hidden malware on the Web page.

Adobe late today released a temporary workaround to protect Flash Player from the clickjacking attack, and also promised to address clickjacking in an update to Flash Player later this month. Adobe was not available for comment.

GuyA.Net’s PoC preys on Adobe’s Flash Player Setting Manager. “I’ve written a quick and dirty Javascript game that exploit[s] just that, and demonstrate[s] how an attacker can get... hold of the user’s camera and microphone. This can be used, for example, with platforms like ustream, justin and alike, or to stream to a private server to create a malicious surveillance platform,” he blogged. The exploit essentially turns the browser into a “surveillance zombie,” he added.

The attack could be used for corporate espionage or other even creepier virtual surveillance -- think online peeping Toms, industry experts say.

Security experts say the attack hinted at by Grossman and Hansen for several weeks wasn’t difficult to figure out in the end. “We knew what clickjacking was all about as soon as the term got the media's attention,” says Petko “PDP” Petkov of GNUCitizen, who earlier this week had blogged on how clickjacking is a sort of graphical user interface attack. “From what I can hear, other security experts knew about the details as well.”

Even so, Grossman and Hansen have been careful not to spill the beans. Grossman last week said he would go public with the details on the attack at the Hack in the Box conference in Kuala Lumpur, Malaysia, later this month -- whether Adobe was ready or not.

"His [GuyA.Net’s] demo definitely fits the definition of clickjacking," Hansen says. "Although I wish he had used responsible disclosure, it was only a matter of time before people figured out some of the more dangerous aspects of clickjacking."

Clickjacking isn’t new, but the threat discovered by the pair is, spanning multiple browser families and not even requiring that a user click on anything. Nor does JavaScript have to be involved in the attack, they say. An attacker can slide any malware underneath the mouse such that the user has no idea he or she is being “owned.”

Robert Graham, CEO of Errata Security, says the hack released today demonstrates two independent problems. “Clickjacking is used to defeat anything that relies upon an ‘OK’ dialog box, because you can encourage the user to click on it. There are lots of other things that depend upon this same sort of security,” Graham says. “Adobe Flash allows you to grab somebody's camera/mike -- we'll probably find other ways of hijacking this through some means other than clickjacking.”

Petkov says clickjacking is basically a simple problem that’s hard to fix. “It is certainly not the end of the Web as we know it. I think that we've got tons of other problems with much higher priority to deal with before we even start thinking about clickjacking,” he says. “I do not expect anyone to be exploited any time soon, but the sooner Adobe fixes the problem, the better.”

But an Adobe patch would only protect its own apps. A real fix for clickjacking would require re-architecting the browser, according to the researchers, and that’s not something that will happen overnight.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
