
The details of the attack were due to be published at the OWASP NYC AppSec 2008 Conference, but the talk was withheld at Adobe’s request until a workaround could be developed. The report is available online.
“Let’s be clear though, the responsibility of solving clickjacking does not rest solely at the feet of Adobe as there is a ton of moving parts to consider,” said Jeremiah Grossman, co-founder of WhiteHat Security and one of the researchers who uncovered the technique.
“Everyone including browser vendors, Adobe (plus other plug-in vendors), website owners (framebusting code) and web users (NoScript) all need their own solutions to assist in case the others don’t do enough or anything at all.”
He warns that almost all browsers are vulnerable because of the way they process graphics, and that only text-based browsers like Lynx are secure.
Grossman has demonstrated, for example, how a hacked Flash advert can be used to take control of a computer’s webcam and microphone, turning it into a surveillance device.
“With Clickjacking attackers can do quite a lot. Some things that could be pretty spooky. Things also performed, with a fair amount of ingenuity, quite easily,” he said.
US-CERT has also issued a warning on the practice, and browser manufacturers are scrambling to come up with a method of defeating the attacks.