A researcher has hacked the mysterious clickjacking attack and today posted a demonstration in his blog on how the Web-borne attack works.
Details of the dangerous clickjacking attack have been closely held by the two researchers who discovered it -- Jeremiah Grossman and Robert "RSnake" Hansen -- at the request of Adobe, which wanted more time to patch its software against the attack, although the attack has to do with the way browsers and the Web work. (See Clickjacking Defense Will Require Browser Overhaul and Disclosure of Major New Web 'Clickjacking' Threat Gets Deferred.)
But a researcher with a blog called GuyA.Net spilled the beans today with a proof-of-concept that controls a user's Webcam and microphone once the user clicks on hidden malware on the Web page.
Adobe late today released a temporary workaround to protect Flash Player from the clickjacking attack, and also promised to address clickjacking in an update to Flash Player later this month. Adobe was not available for comment.
The attack could be used for corporate espionage or other even creepier virtual surveillance -- think online peeping Toms, industry experts say.
Security experts say the attack hinted at by Grossman and Hansen for several weeks wasn't difficult to figure out in the end. "We knew what clickjacking was all about as soon as the term got the media's attention," says Petko "PDP" Petkov of GNUCitizen, who earlier this week had blogged on how clickjacking is a sort of graphical user interface attack. "From what I can hear, other security experts knew about the details as well."
Even so, Grossman and Hansen have been careful not to spill the beans. Grossman last week said he would go public with the details on the attack at the Hack in the Box conference in Kuala Lumpur, Malaysia, later this month -- whether Adobe was ready or not.
"His [GuyA.Net's] demo definitely fits the definition of clickjacking," Hansen says. "Although I wish he had used responsible disclosure, it was only a matter of time before people figured out some of the more dangerous aspects of clickjacking."
Robert Graham, CEO of Errata Security, says the hack released today demonstrates two independent problems. "Clickjacking is used to defeat anything that relies upon an OK dialog box, because you can encourage the user to click on it. There are lots of other things that depend upon this same sort of security," Graham says. "Adobe Flash allows you to grab somebody's camera/mike -- we'll probably find other ways of hijacking this through some means other than clickjacking."
Petkov says clickjacking is basically a simple problem that's hard to fix. "It is certainly not the end of the Web as we know it. I think that we've got tons of other problems with much higher priority to deal with before we even start thinking about clickjacking," he says. "I do not expect anyone to be exploited any time soon, but the sooner Adobe fixes the problem, the better."
But an Adobe patch would only protect its own apps. A real fix for clickjacking would require re-architecting the browser, according to the researchers, and that's not something that will happen overnight.