Adobe warns Clickjackers could take over your web cam
Put some clothes on, at least
YOU'VE HEARD of "hijacking" and more certainly the word "click", but you may not have heard of the most ridiculous word blend of the day, "clickjacking". But you should be very afraid.
The big red alarm has been sounded, as clickjacking - a malicious attack on web servers - is spreading, and spreading fast, insecurity fear-mongers are warning.
The clickjacking technique is yet another simple but ingenious way of revealing all to a prying hacker.
This attack works by directing a user to a pre-determined webpage chosen by the hacker when the user clicks on a seemingly innocent link. The hacker is able to gain control of any number of things this way, including the webcam and the microphone.
Clickjacking, (we'll keep repeating it so it sounds real) has been identified as a vulnerability on many browsers, namely Adobe Flash Player, Firefox, Internet Explorer, Opera, Safari and Google Chrome.
Giorgio Maone, author of the Firefox extension NoScript, told Newsfactor, "Clickjacking is a very simple attack to build, and now that the details are out, any script kid can try it successfully."
Maone further laments that unfortunately there is no way of tracking just how many of these attacks are out there, as there are infinite ways to implement such an attack.
Clickjacking was supposed to have been revealed last month at the Open Web Application Security Project NYC AppSec conference by Robert Hansen of SecTheory and Jeremiah Grossman of WhiteHat Security, who discovered but concealed this threat, giving Adobe and the browser makers a chance to come up with a fix.
However, a fix they did not find. Adobe has instead released security information for its Flash Player which blocks access to the webcam and camera, but due to the many variants of this attack it is seemingly impossible to deter altogether.
If someone does manage to come up with a general browser fix, it won't be any time soon, predicts Maone. µ

Comments
...
I admit I don't know exactly how this clickjacking works, but if I understand it correctly, it has to do with a server being compromised. If that assumption is correct, then it's no wonder why there is no "fix" for the browsers - it's because they are not broken. It's the servers that need to be secured.
It's like when an airplane gets hijacked - we're asking the passengers to protect themselves rather than asking the airline to provide better security.
Clickjack?
Leave a folded paper over your webcam when it's not in use. Lotech but effective.
Mic has switch cam has not!
Cameras with built in microphone are set up for this problem, but yet again a switch either built on new cameras or a plain switch for a usb for cameras already on the market...
Or as an auto rule I'm at the computer with clothing on.
Plus my camera is strictly used on what I want it used on so web browsers are out!
Another warning, who is listening?
Why does an application like Adobe Macromedia Flash have unrestricted access to the entire computer? If you still use this kind of software, you are being hit by your own ignorance. 'nuff said.
I Don't Get It
These aren't attacks, they're pitfalls.
Most "attacks" are possible because servers get compromised, and servers are most often compromised because they're serving up ads from anyone who will buy adspace.
Stop serving ads. Sanitize your inputs and queries. Ditch Adobe whenever possible (Flash, PDF). 99% of "attacks" mitigated.
easily fixed :O)
it's about time adobe got its act together, they're as bad as java (sun), but unless you want a bland web experience you've no choice but to use um grrrrrrrrrrr.
they don't let the unwashed masses know how easy it is to lock it down, it wouldn't do would it, webmasters would look for an alternative if everybody messed with it so they couldn't keep god knows what on ya machine, porn webmasters love its wide open security !!!!! O_o
well apart from the crappy setting in the flash player, guess what folks, if ya go here :- http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html there's a myriad of security settings and others you can alter to your heart's content :O)
as i said, how come they keep it such a secret, hmmmmmmmmm O_o
@Ted, forget the servers/browsers, THEY can't alter YOUR personal settings, by default they are set to WIDE OPEN, go to it peeps, lock adobe's crap down !!!!!! :O)
Scammers have servers too
Hey Ted, it doesn't have to be a "compromised" server. Scammers have servers, too, and people still click on links in email messages, etc.
Oops
"but if I understand it correctly"
Apparently you do not. You probably should've stopped after the bit where you admitted that you don't know what you're talking about.
it's NOT "easy to fix", and it's not just flash
Although these comments focus on Adobe's vulnerability, clickjacking can also occur via everyday javascript. Here's what happens:
Your website, let's use "theinquirer.net" as an example, provides valuable articles which people want to see. But the authors need to put food on the table, and pay mortgages, so they work with someone such as "googlesyndication.com" to place ad banners on their pages.
There's a TRUST relationship established: The Inquirer trusts the Google links NOT to contain "evil stuff". And Google is pretty good about this, but I feel that Yahoo! is less careful. So the starting place for these problems is the fact that nearly every website you visit links to somewhere else....
And here comes the vulnerability: The other place can directly contain malware, but is far more often hacked to contain an INVISIBLE, one pixel-tall iframe to yet another site (often with .ru suffix, run by Russian mafia). Not only is the site displayed, but it contains a form -- and the vulnerability is basically this: Just displaying the <iframe> can allow the criminal site to automagically execute the button click. And the button click, of course, can result in file uploads and all kinds of wreckage.
There IS a workaround, however. Giorgio Maone, the expert quoted in this article, has been enhancing "noscript". It's not totally free of user intervention, but it's very, very good. It prevents javascript on a site-by-site basis.
Right on THIS page, right now, NOSCRIPT is showing me that there's javascript code being downloaded from googlesyndication.com, google-analytics.com, vnu.net, and grapeshot.co.uk. (As well as some script from within theinquirer.net.)
I get to individually allow/deny the code from all these sites (and in fact, at this moment, most of them are denied-- that's the default). Firefox with the newest noscript is really the ONLY WAY to be safe with javascript active these days.
Do keep in mind how easy it is for hackerz to attack web sites hosted on iis. And the owners won't even SEE the microscopic <IFRAME> elements which have been added to attack their visitors, if they merely look at the site in a browser without analyzing the code. This is a real problem, and it's not just flash--
although "flashblock" takes care of that other problem, too. :))
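Added example, not part of the comment above or of the original article: a minimal Python check a site owner could run over page source to surface the tiny or CSS-hidden third-party `<iframe>` elements that comment describes. The 2-pixel threshold, the `find_hidden_frames` name and the sample page with its `.example` hosts are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

MAX_PX = 2  # assumption: a frame this small cannot be showing real content

def _px(value):
    """Parse '1' or '1px' into an int; percentages and junk give None."""
    m = re.match(r"\s*(\d+)(?:px)?\s*$", value or "")
    return int(m.group(1)) if m else None

class HiddenFrameFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # (host, line number, reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # the parser lowercases <IFRAME> for us
            return
        a = {k: (v or "") for k, v in attrs}
        style = {}
        for part in a.get("style", "").split(";"):
            name, sep, val = part.partition(":")
            if sep:
                style[name.strip().lower()] = val.strip().lower()
        reasons = []
        for dim in ("width", "height"):
            size = _px(style.get(dim) or a.get(dim))
            if size is not None and size <= MAX_PX:
                reasons.append(f"{dim}={size}px")
        if style.get("display") == "none" or style.get("visibility") == "hidden":
            reasons.append("hidden by CSS")
        host = urlparse(a.get("src", "")).hostname  # None for relative URLs
        if reasons and host and host != self.site_host:
            self.findings.append((host, self.getpos()[0], reasons))

def find_hidden_frames(html, site_host):
    finder = HiddenFrameFinder(site_host)
    finder.feed(html)
    return finder.findings

# Constructed sample page: one visible ad frame, one injected 1px frame,
# one same-site hidden frame, one CSS-hidden third-party frame.
SAMPLE_PAGE = """<html><body>
<h1>News</h1>
<iframe src="https://ads.example.net/banner" width="468" height="60"></iframe>
<IFRAME SRC="http://injected.example.org/f" WIDTH="100%" HEIGHT=1 frameborder=0></IFRAME>
<iframe src="/local/widget" style="display:none"></iframe>
<iframe src="//tracker.example.com/p" style="visibility: hidden; width: 300px"></iframe>
</body></html>"""
```

The check only sees markup present in the served HTML; frames written into the page later by script need the same test applied to the rendered DOM.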
To all who replied to me above...
Like I said, the browsers are not broken. The article clearly states, "...as clickjacking - a malicious attack on web servers - is spreading..." and, "...This attack works by directing a user to a pre-determined webpage chosen by the hacker...". Where exactly is this (re)direction coming from? I'll tell you - a legitimate web page that has been hacked.
Despite that the article says, "Clickjacking, (we'll keep repeating it so it sounds real) has been identified as a vulnerability on many browsers..." - it is wrong. The browsers are doing exactly what they were designed to do - interpret code and execute that code. The problem is, the servers that host that code are "broke". That is, they are the ones vulnerable to the hacking, and therefore modification of the code, not the browser.
...and, Tim D - I did NOT say that I didn't know what I was talking about. I said that I don't know exactly how clickjacking works. Meaning that I don't know the specifics on how to do it, but I do understand how the process works. Learn to read more carefully so that YOU may know what you're talking about.
clickjacking
Another form could be making you play a flash game in which you click repeatedly. Then they can measure your avg. response time and pop up a malicious dialog box (like for installing a malicious addon) at the right place at the right moment beneath your mouse pointer. That's why firefox has that wait time before the "install" button on the install addon dialog becomes usable.