« CGISecurity Interview: Jeremiah Grossman provides more details on clickjacking attack | Main | Recovering Censored Text Using Photoshop and JavaScript »

Details of Clickjacking Attack Revealed With Online Spying Demo

"A researcher has “hacked” the mysterious clickjacking attack and today posted a demonstration in his blog on how the Web-borne attack works.

Details of the dangerous clickjacking attack have been closely held by the two researchers who discovered it -- Jeremiah Grossman and Robert “RSnake” Hansen -- at the request of Adobe, which wanted more time to patch its software from the attack, although the attack has to do with the way browsers and the Web work. (See Clickjacking Defense Will Require Browser Overhaul and Disclosure of Major New Web 'Clickjacking' Threat Gets Deferred.)

But a researcher with a blog called “GuyA.Net”spilled the beans today with a proof-of-concept that controls a user’s Webcam and microphone once the user clicks on hidden malware on the Web page.

Adobe is expected to release a patch today to protect its applications from the clickjacking attack. Adobe was not available for comment at this posting.

GuyA.Net’s PoC preys on Adobe’s Flash Player Setting Manager. “I’ve written a quick and dirty Javascript game that exploit[s] just that, and demonstrate[s] how an attacker can get... hold of the user’s camera and microphone. This can be used, for example, with platforms like ustream, justin and alike, or to stream to a private server to create a malicious surveillance platform,” he blogged. The exploit essentially turns the browser into a “surveillance zombie,” he added.

The attack could be used for corporate espionage or other even creepier virtual surveillance -- think online peeping Toms, industry experts say."

Read more: http://www.darkreading.com/document.asp?doc_id=165431&WT.svl=news1_1


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!