Firefox & Chrome Vulnerable to Clickjacking Attacks
Proof-of-concept code exploiting a clickjacking flaw in two widely used Internet browsers, Firefox and Chrome, has surfaced. Aditya Sood, Security Researcher at SecNiche, discovered the flaw on January 23, 2009.
According to security experts, clickjacking involves channeling an innocent user onto a malevolent website. As a result, the visitor's browser could come under the control of a remote hacker, who may download malware or steal information. Because of clickjacking, a user visiting an Internet site may not get the results he expects, the security experts said.
Sood further said that attackers could dupe users into performing actions that they never meant to perform. Moreover, there is no way to trace these actions since the user actually entered his authentication details, though unknowingly, on the unintended webpage, as reported by CnetNews on January 29, 2009.
Meanwhile, Sood disclosed that Google has acknowledged the security flaw and has engaged experts to develop a patch for Chrome versions 18.104.22.168 and earlier running on Windows XP SP2 computers. Sood added that even as Google builds the patch, the company's Australian branch is warning that the clickjacking flaw could affect all Internet browsers, not merely Chrome.
Google also said that the clickjacking problem is tied to the way the Web and its pages are designed to function, and that no simple solution exists for any specific browser. The company further said that it is coordinating with other stakeholders to find a standardized approach that would mitigate the problem in the long run.
However, Nishad Herath, an independent security investigator and CEO of Novologica, an Australian security consultancy, said that when he ran Sood's proof-of-concept exploit code, he found that the flaw did not affect the latest Opera version, 9.63, or IE8. It did, however, affect Firefox 3.0.5 as well as Chrome, as reported by CnetNews on January 29, 2009.
Ironically, the proof-of-concept code appeared after Microsoft announced an even safer IE8 that claims to defend users against clickjacking.
Meanwhile, Google said that no attack exploiting this particular flaw has been seen so far.
» SPAMfighter News - 17-02-2009