Chrome, Firefox get clickjacked

Liam Tung, ZDNet.com.au

29 January 2009 04:20 PM

Security researchers have discovered a flaw affecting Google's Chrome browser which exposes it to clickjacking — where an attacker hijacks a browser's functions by substituting a legitimate link with one of the attacker's choice.

Google has acknowledged the flaw and is working towards a patch for Chrome versions 1.0.154.43 and earlier when running within Windows XP SP2 systems, according to SecNiche security researcher Aditya K Sood.

Sood disclosed the flaw on 27 January and has since posted a proof of concept on the Bugtraq vulnerability disclosure forum.

"Attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page," Sood said within the disclosure.

While Google is working on a fix, a spokesperson for the Australian arm of the company pointed out that clickjacking affected all browsers, not just Chrome.

"The [clickjacking] issue is tied to the way the web and web pages were designed to work, and there is no simple fix for any particular browser. We are working with other stakeholders to come up with a standardised long-term mitigation approach," they said.

However, independent security researcher, CEO of Australian security consultancy Novologica, Nishad Herath, told ZDNet.com.au that after running Sood's proof of concept he found that Internet Explorer 8 (release candidate 1 and beta 2 versions) and Opera 9.63 (the latest version) were not exposed to the flaw. But, like Chrome, Firefox 3.0.5 was exposed.

Google's security researchers had not found any attacks in the wild which exploited the specific vulnerability, said Google's spokesperson.

Clickjacking is a relatively new browser attack which security researchers Robert Hansen and Jeremiah Grossman gave a talk on late last year at the Open Web Application Security Project (OWASP) security conference in New York. The attack broadly fits within the category of cross-site scripting forgery, where an attacker uses maliciously crafted HTML or JavaScript code to force a victim's web browser to send an HTTP request to a website of their choosing.

"Clickjacking means that any interaction you have with a website you're on, for example like clicking on a link, may not do what you expect it to do," explained Herath.

"You may click on a link that looks like it's pointing to a picture on Flickr, but in reality, it might first direct you to a drive-by-download server that serves malware. These types of attacks can be used to make you interact with web services you're already logged onto in ways that you would never want to, without you even knowing that it has happened."

http://www.zdnet.com.au/news/software/soa/Chrome-Firefox-get-clickjacked/0,130061733,339294633,00.htm

However, independent security researcher, CEO of Australian security consultancy Novologica, Nishad Herath, told ZDNet.com.au that after running Sood's proof of concept he found that Internet Explorer 8 (release candidate 1 and beta 2 versions) and Opera 9.63 (the latest version) were not exposed to the flaw. But, like Chrome, Firefox 3.0.5 was exposed.

Opera 9.63 is safe 🙂

15 Replies to “Chrome, Firefox get clickjacked”

  1. thanks Chas,I will give this link to my friend John who sent me a link also from Spain :)what a mess!!!I guess using Opera did not make it clear :)thanks for sharing!

  2. Nilesh writes:

    “However, independent security researcher, CEO of Australian security consultancy Novologica, Nishad Herath, told ZDNet.com.au that after running Sood’s proof of concept he found that Internet Explorer 8 (release candidate 1 and beta 2 versions) and Opera 9.63 (the latest version) were not exposed to the flaw. But, like Chrome, Firefox 3.0.5 was exposed.”The Aditya Sood’s theory to clickjacking is flawed. Even ‘Rsnake’ replied me on the issue and told–His example is probably the worst example of it since it’s just a link and not an iframe. As I tried to explain in my previous email, if you know the URL to the function you want someone to click on just use CSRF. Clickjacking is for when you don’t know the information that needs to be passed. If you just want someone to go somewhere without their knowing, you can do that without user interaction, so his example is really not a good one. But people use exploits in dumb ways, so it doesn’t surprise me that someone would try to do this, even if it really doesn’t make sense.Even many places I have seen people contradicting Aditya Sood’s theory.So had develped another POC using iframe tags and that was successfully executed in Opera 9.63 too. That POC was agreed by Rsnake too. I contacted Opera with the issue but no response from their side..

  3. Nilesh the current version of Opera is 9.64Opera decides not to publicly disclose any security vulnerabilities to try to prevent the expliot from going into the wild.

  4. Nilesh writes:

    The above post is written by me only,I forgot to post my name..Dear Chas4,>”Nilesh the current version of Opera is 9.64″I tested the same POC for 9.64 which I had used for 9.63. It’s again (9.64) vulnerable as per my POC! Had Opera been responded to my POC about 9.63 ,I would have reported them about 9.64 also. That’s why I gave up idea of further reporting.>”Opera decides not to publicly disclose any security vulnerabilities to >try to prevent the expliot from going into the wild.”At least they sould have responded me personally about their view on the issue. Any sort of response would have made me enthusiastic.Thanks..

  5. Anonymous writes:

    Dear Chas4,>”Nilesh the current version of Opera is 9.64″I tested the same POC for 9.64 which I had used for 9.63. It’s again (9.64) vulnerable as per my POC! Had Opera been responded to my POC about 9.63 ,I would have reported them about 9.64 also. That’s why I gave up idea of further reporting.>”Opera decides not to publicly disclose any security vulnerabilities to >try to prevent the expliot from going into the wild.”At least they sould have responded me personally about their view on the issue. Any sort of response would have made me enthusiastic.Thanks..

  6. Nilesh writes:

    Dear Chas4, I had already filed the POC for 9.63 to Opera Bug Centre.This is the reference no: ‘DSK-246973@bugs.opera.com’.Even I followed up with them with RSnake’s and Jeremiah’s view on my POC.Both said that my POC resembles to Clickjacking.No response from Opera so far.Even I applied same POC on Mozilla 3.1 beta2 and informed Mozilla. They at least responded about my POC. After a series of mails they told that they will work with RSnake and Jeremiah to refine their definition about Clickjacking.Thanks..

  7. Nileshhttp://my.opera.com/haavard/blog/2009/03/25/e-mail-confirmation-when-reporting-bugsif it has a bug ID, it was successfully entered into the bug tracking system.

Leave a Reply