Clickjacking and why it is bad for you

Apparently it’s all the rage nowadays – find a bug (preferably one with pretty far-reaching implications), brag about it and then, well, then sit on it, either by choice (as Dan Kaminsky did and the guys we’ll talk about a bit later are doing now) or by being pressured into silence (as the metro card hackers were a couple of weeks ago). 

The pattern is undeniably here and it’s worrying. The OWASP NYC AppSec 2008 Conference was going to host a presentation by Robert Hansen and Jeremy Grossman on unspecified and non-browser-specific vulnerabilities that may or may have not involved scripting, iframes, CSS and other DHTML goodies. It didn’t, as Adobe and other affected vendors used their combined pull to yank the presentation off the agenda. A “semi-restricted” presentation was held instead, warning about the dangers of “clickjacking ” .

We (the public) are told (by the researchers in question) that fixes are forthcoming, from multiple vendors. We are not given a timeline (Adobe, for instance, only has this about the incident ) and we are not told by the researchers what mitigating actions to take – except that turning off Javascript may make the hole harder to exploit. So clickjacking is a class of all scary, all new exploits that we’re not even allowed to find out about, they’re so dangerous?

This is all stuff that “we” will not put up with of course. In fact, the more security savvy among us have already begun pulling at the corner of the veil. One of these fine folk is hacker extraordinaire Michael Zalewsky, who posted this on a public mailing list to illuminate the masses (i.e. the rest of “we”).

It appears at this time that the bug is a basic one and by no means zero-day – the current web standards allow for the existence and functioning of elements (iframes in this case) which overlap with other, similar elements, so that for instance a malicious web page could make you think you’re whacking moles in a flash game while your browser is actually clicking buttons from your e-banking site (if you’re already logged into it) – or maybe buying something on eBay.

This kind of cross-site exploitation can be mitigated or even prevented (depending on who you believe) by turning off scripting in your browser and thus also doing away with most of the Web content available these days.

One of the proposed fixes is to disallow transparent iframes, but it’s not clear if this will actually fix anything. Another yet is to allow sites to set a “do not mix my stuff up with anyone else’s” parameter for the browsers to follow, so that cross-domain framing may be disallowed but that would imply changes in all the web pages the world over and would push the burden of security to the implementors.

Mr Zalewsky also proposes a kind of clipping algorithm for rendering web pages, where only the top-most of a number of overlapping nested iframes would be given UI access, making it impossible for such exploits to work. It’s a fine solution, and one that only requires the co-operation of a handful of vendors to implement.

What’s not so fine is the inclination to push security information under the rug, so that people can’t make informed decisions about their own security, while at the same time trying to garner media attention by bandying about vague, obfuscatory terms like “clickjacking”.