Little information has been provided on ClickJacking, so I decided to go digging a little bit and talk to the source to find out some additional information. Here's my interview with Jeremiah Grossman on Friday, October 3rd.
How did you find this flaw exactly? Was it something you were digging for or was it by accident?
Robert Hansen and I discovered ClickJacking as an attack technique around a year and a half ago. Recently we've been told that it's been known by the browser vendors since 2002. In any case, the attack has been essentially underestimated and largely undefended by the web security community in general. Post-Black Hat 2008, some research we were conducting was furthered by using ClickJacking; as a result, we felt it warranted more attention. What we didn't realize at first was that one of our proof-of-concept examples used a zero-day in an Adobe product. When we found out, because Adobe informed us, that's when we decided to postpone our OWASP conference talk.
Can ClickJacking reach out of the browser?
Clickjacking can be used to exploit just about anything between the browser walls, or perhaps more specifically, anything that is part of the DOM.
Are applications other than browsers affected, if so what?
We haven't researched that aspect of ClickJacking.
Is it likely this has been used by attackers to actively exploit people?
We believe ClickJacking may have been used by advertising click fraudsters, but we don't know for sure. Beyond that, ClickJacking attacks would be incredibly hard for the average user to detect, and even if they did, it would be tough for them to describe.
Knowing that after you discuss this, bad guys are going to use it, do you feel it is better to still talk about it?
Bad guys tend to use the attack techniques that are the easiest to monetize. While ClickJacking is somewhat trivial, they're already invested in using attack techniques like SQL Injection until that stops working. From my experience in Web security, the bad guys start taking advantage of new techniques 12-18 months after initial disclosure if they're able to monetize it well enough.
When we discuss new attacks, it evens the playing field for everyone. Those who want to defend themselves quickly now have the information available to do so.
Have you received negativity from anyone for wanting to disclose this?
There has been some, yes, but that's to be expected. It's impossible to please everyone all the time when it comes to matters of vulnerability disclosure. Everyone has their preference. What we're doing is trying to keep the end user as our #1 priority when discussing these matters publicly.
Does this flaw still work if you're using a keyboard with no mouse?
Yes. If you can “click”, you can be “ClickJacked”.
Does this flaw affect other technologies such as Silverlight, JavaFX, applets, etc.? Is anything immune?
We are unable to say for sure; more research would need to be performed by Robert and myself, or others in the industry.
Do iframes offer any sort of protection?
No, they are one source of the problem.
Does this break protections for flaws such as Cross-Site Request Forgery?
Yes. Clickjacking has the potential to break CSRF token-based protections.
Boxers or briefs?
I prefer No Disclosure. ;)
The fact that CSRF token-based protection may be busted, and that there is no clear fix for browser makers, is sure to stir things up in the industry. Full details will be published at the HITB conference later this month. Certainly some interesting research.
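To make the CSRF point from the interview concrete, here is an added example that is not part of the original post or of Jeremiah's and Robert's research. It is a toy in-process model: the "browser", the two origins (`bank.example` and `evil.example`), the transfer form and the HMAC token scheme are all constructed here for illustration. It contrasts an ordinary forged cross-site request, which the token stops, with a clickjacked submission of the genuine framed form, which the same token check accepts.

```python
"""Why a CSRF token does not stop clickjacking: toy in-process model.

Added example, not from the interview. The 'browser', both origins, the
form and the token scheme are constructed here for illustration only.
"""
import hashlib
import hmac
import secrets

TARGET = "https://bank.example"    # assumed victim site (hypothetical)
ATTACKER = "https://evil.example"  # assumed attacker site (hypothetical)
SERVER_KEY = secrets.token_bytes(32)  # the target's server-side HMAC key


def issue_token(session_id: str) -> str:
    """Per-session CSRF token: HMAC(server key, session id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session_id: str, token: str) -> bool:
    return hmac.compare_digest(issue_token(session_id), token)


def target_render_form(session_id: str, to: str, amount: str) -> dict:
    """The genuine transfer page: fields prefilled from the URL, token in a hidden field.
    Only the target's own server code runs here, so it can embed the real token."""
    return {
        "origin": TARGET,
        "action": TARGET + "/transfer",
        "fields": {"to": to, "amount": amount, "csrf": issue_token(session_id)},
    }


def target_handle_post(cookies: dict, fields: dict) -> str:
    """Server-side check: a session cookie must be present and the token must match it."""
    session_id = cookies.get("session")
    if session_id is None:
        return "rejected: no session"
    if not verify_token(session_id, fields.get("csrf", "")):
        return "rejected: bad csrf token"
    return "accepted: transfer {} to {}".format(fields["amount"], fields["to"])


class Browser:
    """Minimal browser model: a cookie jar per origin and same-origin policy on frames."""

    def __init__(self) -> None:
        # The victim is already logged in to the target.
        self.cookies = {TARGET: {"session": secrets.token_hex(8)}}

    def load_frame(self, parent_origin: str, to: str, amount: str) -> dict:
        """Load the target's transfer form into an <iframe> on the parent page."""
        frame = target_render_form(self.cookies[TARGET]["session"], to, amount)
        # SOP: a cross-origin parent can position and hide the frame but cannot read it.
        frame["readable_by_parent"] = parent_origin == frame["origin"]
        return frame

    def submit(self, form: dict) -> str:
        """Submit a form: cookies are sent for the *action* origin, whoever built the form."""
        return target_handle_post(self.cookies.get(TARGET, {}), form["fields"])


def classic_csrf(browser: Browser) -> str:
    """Attacker page posts its own form at the target. It never sees the token, so it fails."""
    forged = {
        "origin": ATTACKER,
        "action": TARGET + "/transfer",
        "fields": {"to": "attacker", "amount": "1000", "csrf": "guess"},
    }
    return browser.submit(forged)


def clickjack(browser: Browser) -> str:
    """Attacker page frames the genuine, prefilled form and hides it under a decoy button.
    The victim's click lands on the real submit button inside the frame, so the browser
    submits the target's own form, real token and cookies included."""
    frame = browser.load_frame(ATTACKER, to="attacker", amount="1000")
    if frame["readable_by_parent"]:
        raise RuntimeError("model error: attacker must not be able to read the frame")
    # The attacker still learns nothing about the token; it only redirected a click.
    return browser.submit(frame)


if __name__ == "__main__":
    print("forged request:", classic_csrf(Browser()))   # rejected: bad csrf token
    print("clickjacked click:", clickjack(Browser()))   # accepted: transfer 1000 to attacker
```

The server-side check is identical in both cases and is not at fault: the token does exactly what it was designed for, proving that the request came from a page the target itself rendered. Clickjacking satisfies that proof, because the click really is delivered to the genuine page. That is why the token cannot help and why the defense has to keep the page from being framed in the first place (the frame-busting JavaScript of the period is a partial measure of that kind; it is not discussed in the interview).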