November 24th, 2014

Clickjacking details released

It looks like some of the details on clickjacking have finally been released. There are tons of different variants of it, with different impact and varying levels of remediation. Here’s a quote from RSnake on this:

First of all, let me start by saying there are multiple variants of clickjacking. Some of it requires cross domain access, some doesn’t. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don’t. Some variants use CSRF to pre-load data in forms, some don’t.

There’s a proof of concept for camera hijacking along with a video of it. There’s also a PoC of hijacking your microphone from RSnake. There’s supposed to be some clickjacking code released here, but I wasn’t able to download it when I last tried. (edited: code link should work now)

Here’s a couple of the bad ones:

Issue #2a STATUS: To be fixed in Flash 10 release. All prior versions of Flash on Firefox on MacOS are particularly vulnerable to camera and video monitoring due to security issues allowing the object to be turned opaque or covered up. This fix relies on all users upgrading, and since Flash users are notoriously slow at upgrading, this exploit is expected to persist. Turning off microphone access in the BIOS and unplugging/removing controls to the camera are an alternative. Here is the information directly from Adobe.


Issue #2b STATUS: Resolved. Flash security settings manager is also particularly vulnerable, allowing the attacker to turn off the security of Flash completely. This includes camera/microphone access as well as cross domain access.

RSnake is going to be releasing a full paper in the next day or two, and hopefully more patches will be rolling in. In the meantime, maybe it’s time for an internet vacation :)

Update: Here’s a more informative video from Jeremiah Grossman on the webcam hijacking
Update 2: The link to the clickjacking code was fixed on the site.
