Adobe warns of ‘clickjacking’ attacks

Adobe has issued a security alert about its Flash software that makes it vulnerable to being abused by hackers in a practice known as clickjacking.

Clickjacking involves subverting a web page so that when a visitor clicks on a link they are redirected to a site the hacker wants them to see. It is a variant of cross-site scripting attacks but appears to be more serious.

The details of the attack were due to be published at the OWASP NYC AppSec 2008 Conference, but the talk was withheld at Adobe’s request until a workaround could be developed. The report is available online.

“Let’s be clear though, the responsibility of solving clickjacking does not rest solely at the feet of Adobe as there is a ton of moving parts to consider,” said Jeremiah Grossman, co-founder of Whitehat Security and one of the researchers who uncovered the technique.

“Everyone including browser vendors, Adobe (plus other plug-in vendors), website owners (framebusting code) and web users (NoScript) all need their own solutions to assist in case the others don’t do enough or anything at all.”
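The “framebusting code” Grossman refers to, written out as an added example (not code from the article, Adobe or WhiteHat Security): the page hides itself until it confirms it is the top-level document, then tries to break out of any frame it finds itself in. The `win`/`doc` parameters and the `makeWindow`/`makeDoc` stand-ins are assumptions so the logic can run outside a browser.

```javascript
// Added example (not the article's or the researchers' code): a framebusting
// defence of the kind site owners deployed against clickjacking. The window and
// document are passed in so the logic can run against constructed stand-ins.

// True when this document is being rendered inside another page's frame.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    // Reading win.top across origins may throw; a throw means we are framed.
    return true;
  }
}

// Hide the page first so a framing page cannot expose clickable content while
// the check runs; reveal it only when we are the top-level document.
// Returns 'shown' or 'hidden' so the outcome can be inspected.
function applyFrameBusting(win, doc) {
  doc.documentElement.style.display = 'none';
  if (!isFramed(win)) {
    doc.documentElement.style.display = '';
    return 'shown';
  }
  try {
    // Try to break out of the frame. If the framing page blocks the
    // navigation, the document simply stays hidden and unclickable.
    win.top.location = win.self.location;
  } catch (e) {
    // Cross-origin assignment failed; content remains hidden.
  }
  return 'hidden';
}

// Constructed stand-ins for a browser environment (demo only, not real DOM).
function makeDoc() {
  return { documentElement: { style: { display: '' } } };
}
function makeWindow(topWin, url) {
  const win = { location: url };
  win.self = win;
  win.top = topWin || win; // no topWin given: this window is the top-level one
  return win;
}

// Demo: a framed copy of the site breaks out; an unframed one is shown.
const framer = { location: 'https://framer.example/' };
const framed = makeWindow(framer, 'https://site.example/account');
console.log(applyFrameBusting(framed, makeDoc()), framer.location); // hidden https://site.example/account
console.log(applyFrameBusting(makeWindow(null, 'https://site.example/'), makeDoc())); // shown
```

A framing page can block the break-out navigation, which is why the hide-by-default step matters; in current deployments this script is a fallback behind the Content-Security-Policy frame-ancestors or X-Frame-Options response header.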

He warns that almost all browsers are vulnerable because of the way they process graphics and only text-based browsers like Lynx are secure.

Grossman has demonstrated for example how a hacked Flash advert can be used to take over control of a computer’s webcam and microphone, turning it into a surveillance device.

“With Clickjacking attackers can do quite a lot. Some things that could be pretty spooky. Things also performed, with a fair amount of ingenuity, quite easily,” he said.

US-CERT has also issued a warning on the practice and browser manufacturers are scrambling to come up with a method of defeating the attacks.
