Go Back   WarriorForum - Internet Marketing Forums > The Warrior Forum > Main Internet Marketing Discussion Forum
Clickjacking from innocent hacked websites Clickjacking from innocent hacked websites
Register Blogs FAQ Social Groups CalendarHelp Desk

Reply
 
LinkBack Thread Tools
Old 10-11-2008, 06:48 AM   #1
HyperActive Warrior
 
Join Date: May 2008
Location: USA
Posts: 249
Blog Entries: 22
Thanks: 9
Thanked 29 Times in 27 Posts
Default Clickjacking from innocent hacked websites
Just a quick heads up to anyone who is not using Lynx as their web browser. There is a cross site scripting (XSS) vulnerability in most browsers called clickjacking. Lynx is not vulnerable because it is a text only browser, usually run from the command line on a Unix or Linux box. See the following articles for a detailed description and possible workarounds to protect yourself from this malicious attack. Or just google the term clickjacking.

http://hackademix.net/category/security/clickjacking/

Clickjacking: Researchers raise alert for scary new cross-browser exploit | Zero Day | ZDNet.com

What is clickjacking? Why should I care? Here is one answer from Robert Hansen and Jeremiah Grossman.

Quote:
Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. […]

Say you have a home wireless router that you had authenticated prior to going to a [malicious] web site. [The web site] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules.
Below is an excerpt of another answer from WebMonkey,

A Look at the Clickjacking Web Attack and Why You Should Worry - Webmonkey

Quote:
Clickjacking is the worst sort of security risk — it’s transparent to the unwitting user, simple to implement and difficult to stop. The basic idea is that an attacker loads the content of an external site into the site you’re visiting, sets the external content to be invisible and then overlays the page you’re looking at. When you click a link you see on the current page, you are in fact clicking on the externally loaded page and about to load pretty much whatever the attacker wants.
Basically this is pretty bad and it's a big deal. You can protect yourself by using Mozilla Firefox as your browser with NoScript. There might be workarounds for other browsers that involve turning off Javascript, disabling ActiveX, and disabling IFRAME.

I just wanted to raise the awareness level about this latest browser vulnerability.
awesometbn is offline   Reply With Quote
Reply

  WarriorForum - Internet Marketing Forums > The Warrior Forum > Main Internet Marketing Discussion Forum

Tags
clickjacking, hacked, innocent, websites

« Previous Thread | Top | Next Thread »
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


All times are GMT -6. The time now is 06:06 PM.