Clickjacking from innocent hacked websites

Just a quick heads up to anyone who is not using Lynx as their web browser. There is a cross-site scripting (XSS) vulnerability in most browsers called clickjacking. Lynx is not vulnerable because it is a text-only browser, usually run from the command line on a Unix or Linux box. See the following articles for a detailed description and possible workarounds to protect yourself from this malicious attack. Or just Google the term clickjacking.

http://hackademix.net/category/security/clickjacking/

Clickjacking: Researchers raise alert for scary new cross-browser exploit | Zero Day | ZDNet.com

What is clickjacking? Why should I care? Here is one answer from Robert Hansen and Jeremiah Grossman.

Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users' mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. [...]

Say you have a home wireless router that you had authenticated prior to going to a [malicious] web site. [The web site] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules.

Below is an excerpt of another answer from WebMonkey:

A Look at the Clickjacking Web Attack and Why You Should Worry - Webmonkey

Clickjacking is the worst sort of security risk -- it's transparent to the unwitting user, simple to implement and difficult to stop. The basic idea is that an attacker loads the content of an external site into the site you're visiting, sets the external content to be invisible and then overlays the page you're looking at. When you click a link you see on the current page, you are in fact clicking on the externally loaded page and about to load pretty much whatever the attacker wants.

Basically this is pretty bad and it's a big deal. You can protect yourself by using Mozilla Firefox as your browser with NoScript. There might be workarounds for other browsers that involve turning off JavaScript, disabling ActiveX, and disabling IFRAME.

I just wanted to raise the awareness level about this latest browser vulnerability.
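The invisible-iframe overlay described in the quotes above only works if the target page lets itself be framed, so the server-side counterpart to the browser workarounds is to refuse framing. The following Node.js check is an added example, not code from the original post or from the linked articles; it classifies a response's framing policy from its headers and assumes the two defences current browsers honour, X-Frame-Options and the CSP frame-ancestors directive. The sample header sets are constructed.

```javascript
// Added example: classify whether an HTTP response allows the page to be
// embedded in a frame, which is what a clickjacking overlay relies on.
// Assumes the defences current browsers honour: X-Frame-Options and the
// Content-Security-Policy frame-ancestors directive.

// Pull the frame-ancestors source list out of a CSP header value, or null
// if the policy has no such directive.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// headers: object keyed by lower-case header name, as Node's http module delivers them.
function framingPolicy(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const sources = parseFrameAncestors(csp);
    if (sources) {
      // When both headers are present, browsers apply frame-ancestors and ignore X-Frame-Options.
      if (sources.length === 0 || sources.includes('none')) return 'deny';
      if (sources.length === 1 && sources[0] === 'self') return 'same-origin';
      return 'allow-list:' + sources.join(',');
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // ALLOW-FROM was never widely supported and is ignored by current browsers,
  // so a page relying on it is effectively unprotected.
  if (xfo.startsWith('ALLOW-FROM')) return 'obsolete-allow-from';
  return 'unprotected';
}

// Constructed sample responses (not captured from any real site).
const samples = {
  bank:   { 'x-frame-options': 'DENY' },
  router: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  blog:   { 'content-type': 'text/html' },
  legacy: { 'x-frame-options': 'ALLOW-FROM https://example.com',
            'content-security-policy': "default-src 'self'" },
};

// Returns { name: policy } for every sample, so the result can be inspected or asserted on.
function report() {
  return Object.fromEntries(Object.entries(samples).map(([name, h]) => [name, framingPolicy(h)]));
}

console.log(report());
```

Run it against your own site's response headers instead of the samples; anything reported as 'unprotected' or 'obsolete-allow-from' can be framed by an arbitrary page.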