ClickJacking... Scary stuff...

by Michael Tracey 7 replies
Heads up for those who haven't heard about it yet read Clickjacking: Researchers raise alert for scary new cross-browser exploit | Zero Day | ZDNet.com

Firefox users should also read Firefox + NoScript vs Clickjacking | Zero Day | ZDNet.com

IMHO Now would be a good time to install Noscript

Michael
  • TheNightOwl
    Thanks for the heads up, Michael!

    So I went over and read the article.

    Then read a ton of the comments.

    Got confused.

    Installed NoScript anyway.

    NoScript - JavaScript/Java/Flash blocker for a safer Firefox experience! - what is it? - InformAction

    Good video here, too:

    -----------------------------

    There are (obviously!) some uber tech geeks on sites like ZDNet.

    Sure, like any other place in InternetLand, there are people who don't know what they're talking about, but several posters in the "Comments" areas (a couple of threads are sort of interlinked) make good points.

    For example, a couple of people lambaste the main article for being vague, asking "What, exactly, is this all about, then? And why do I need to worry? What's the big deal?"

    And from my reading, I tend to agree. I can see that there's obviously an exploit, but the article didn't really make it clear to me just how malicious it could be.

    I kind of feel the same as the poster of this thread:

    Clickjacking: Researchers raise alert for scary new cross-browser exploit | TalkBack on ZDNet

    Any techhead Warriors wanna spell it out for a bonehead?

    -----------------------------

    Some interesting comments in the threads:

    Re: Flash being the problem...

    Adobe Flash ads launching clipboard hijack attack | TalkBack on ZDNet

    The video, above, shows you how to configure NoScript to deny Flash.

    The thing I gleaned from a couple of the comments I read was that this browser hijack has happened through Flash banner ads on what might be considered trusted sites, such as Digg and CNN. So I'm wondering about the whitelisting option and whether it's effective.

    Here's an example of several comments reiterating this point:
    Clickjacking: Researchers raise alert for scary new cross-browser exploit | TalkBack on ZDNet

    Obviously it's going to be MORE effective in the sense that if you show up at some random page that you've never been to before, you don't know what you're going to find there and this will reduce the risk. For example, it could potentially be a domain that's been hijacked or simply an expired domain that previously had lots of traffic from inbound links and which has been purchased and loaded with Flash banners for porn sites or whatever.

    In this case, if you deny Flash from running you're going to be safer.

    And, I guess, any Flash content that you REALLY want to watch, you have to either decide if you want to Whitelist that site for good or choose the "Temporarily allow [site]" from the NoScript pop-up bar (as seen in the video, above).


    Re: Admin privileges

    Firefox NoScript vs Clickjacking | TalkBack on ZDNet

    The author of this post has made some very knowledgeable comments on this issue. I don't understand this one, though. I tried to do some digging, but didn't turn up much.

    If someone here understands this, how about posting to help us out?

    Cheers!
  • TheNightOwl
    Further quick question for existing NoScript users: Is there something I'm missing in the Options? Kern just sent out a vid. I clicked through. It obviously wouldn't show coz the default in NoScript is to not allow Flash. No problem. I click the icon. I select "Temporarily allow this site". No change. Can't for the life of me get that vid to run. Watched it in IE. Any ideas?
    • ThomM
      Originally Posted by TheNightOwl

      Further quick question for existing NoScript users: Is there something I'm missing in the Options? Kern just sent out a vid. I clicked through. It obviously wouldn't show coz the default in NoScript is to not allow Flash. No problem. I click the icon. I select "Temporarily allow this site". No change. Can't for the life of me get that vid to run. Watched it in IE. Any ideas?
      Next time try temporarily allow this page.
      If the video is actually hosted on another site selecting allow this site won't work.
      NoScript will also show you a list of what it is blocking and you can unblock anything on the list you want to allow.
      I've been using NoScript for a long time and though it can be a pain at times I think it makes FF a lot safer and will keep on using it.
  • Josh Anderson
    Surfing the web without flash and javascript?

    Might as well unplug the computer and read a book.

    At any rate I do not see the major issue...

    What does it reach beyond them being able to make you click links if you visit a bad guy's page?

    Can these links then "get you?"
    • Aaron Moser
      NoScript Rocks! I wouldn't surf the internet without it.
  • ahuddy
    I've been using ABP and Flash block for firefox. Surfing the internet feels so much cleaner and faster using these tools.
  • najmiyusoff
    ABP and Flash block eh? Gotta try it. Like Josh, I don't really understand the threat, but I'm not taking any chances anyway. Thanks for the heads up.