Security & Privacy + Software & Apps

“Clickjacking,” or hijacking your clicks—what’s this new threat all about? Computerworld’s Gregg Keizer (via Macworld) discusses this with “Robert Hansen, founder and chief executive of SecTheory LLC, and one of the two researchers who discussed the bug in a semi-closed session at OWASP AppSec 2008 on Wednesday.” Hansen explains that clickjacking is simply a way to add invisible buttons to web pages, that overlay real buttons, and when you click them, something unexpected happens.

Hansen gave an example: “Say you have a home wireless router that you had authenticated prior to going to a [legitimate] Web site. [The attacker] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules. That would give them an advantage in an attack.”

Since clickjacking depends on JavaScript, Hansen says the only way to protect against it is to not use JavaScript. He recommends using Firefox with the NoScript add-on; if you use Safari, you can also disable JavaScript from the program’s Security preferences.

For now, the two researchers plan to release proof-of-concept code, but no attacks have been seen in the wild. We’ll be keeping our eyes open for this. If such attacks occur, it is possible that they be cross-platform, unless the underlying JavaScript is designed to only work on a specific platform.

See also Intego’s other articles about clickjacking.