Tuesday, November 11, 2008

Clickjacking Affects All Browsers

Learn More About Clickjacking

ZDNet and other technical news sites have reported that clickjacking -- a potentially serious threat -- can affect any browser.

What is Clickjacking

In a nutshell, clickjacking is accomplished by a malicious page that hides behind a seemingly safe page. When you click on an item, your computer is "clickjacked" by the malicious code, which then hijacks various components of your computer. This happens without your knowledge.

Typically, webcams are hijacked, but the clickjacking code can affect other areas of your computer equipment. For example, your microphone or sound system can be exploited, or your computer can be taken over in other ways.

Adobe's Flash Player was especially vulnerable to clickjacking, but Adobe has come out with a fix to address the issue.

What Browsers are Safe?

Clickjacking is a cross-browser threat, meaning that the malicious code can affect Internet Explorer, Firefox, Chrome or any other Internet browser. Merely disabling JavaScript will not fix it.

The only known solution is a "No Script" add-on that works with Firefox.

Problems with the Clickjacking Fix

After using No Script for a week or so, I disabled it because it made web surfing a chore. Virtually every site I visited was blocked to some degree because the page contained common elements such as JavaScript, affiliate ads or YouTube videos. For instance, the following were all blocked by No Script:

  • Google Analytics
  • Pepperjam network
  • Peelaway Ads
  • Voxant's newsroom
  • Chitika
  • and many, many more (see the partial list of affiliate programs and other utilities blocked by No Script).

One of the few ad networks automatically whitelisted by the No Script add-on is Google's AdSense. Most of the others need to be manually whitelisted, and it is unlikely that the average Internet user is going to do so.

If clickjacking is as bad a problem as some say it is, and if No Script and similar "script blocking" solutions are the only ways to fight back, then online advertising could take a major hit. Even the big boys' ads, such as those delivered by Adserver Plus, were blocked by the Firefox add-on.

Conclusion: Maybe the Threat is Overrated

My web browsing experience is back up to speed since I've disabled No Script and so far I haven't been hit by any type of clickjacking activities. It is possible that the threat is not as bad as some would claim.

The NotGuru blog has posted some videos that show exactly how clickjacking works and how to install fixes.
