Clickjacking details released
aaron posted in vulns on October 8th, 2008
It looks like some of the details on clickjacking have finally been released. There are tons of different variants of it, with different impacts and varying levels of remediation. Here’s a quote from RSnake on this:
There’s a proof of concept for camera hijacking along with a video of it. There’s also a PoC of hijacking your microphone from RSnake. There’s supposed to be some clickjacking code released here, but I wasn’t able to download it when I tried last. (edited: code link should work now)
Here’s a couple of the bad ones:
Issue #2a STATUS: To be fixed in Flash 10 release. All prior versions of Flash on Firefox on MacOS are particularly vulnerable to camera and video monitoring due to security issues allowing the object to be turned opaque or covered up. This fix relies on all users upgrading, and since Flash users are notoriously slow at upgrading, this exploit is expected to persist. Turning off microphone access in the BIOS and unplugging/removing controls to the camera are an alternative. Here is the information directly from Adobe.
Issue #2b STATUS: Resolved. Flash security settings manager is also particularly vulnerable, allowing the attacker to turn off the security of Flash completely. This includes camera/microphone access as well as cross domain access.
RSnake is going to be releasing a full paper in the next day or two, and hopefully more patches will be rolling in. In the meantime maybe it’s time for an internet vacation.