CNET clickjacking comment

I went through the registration process for CNET, and after creating the account it said my username was already in use. So instead of asking a clarifying question at the original article, I have to make a separate blog post here, and hope the reporter sees it…

Elinor Mills at CNET today mentioned Flash and webcams during a clickjacking article. I’ll snip out the relevant passages: “In a demo at CNET offices on Thursday, Grossman showed how someone could launch a clickjacking attack using Flash to spy on someone by getting them to turn on their computer Web cam without knowing it… In the Web cam demo, the iFrame created contains a Flash pop-up window that asks the user to grant permission to have the Web cam turned on. When the victim clicks the link, the Web cam is turned on and secretly begins recording everything the user does in front of the computer… In the Web cam scenario, the best defense is probably to put a post-it note or other item over the Web cam lens and to disable the microphone in the software, he said. Flash Player 10 provides some protection by preventing anything from obscuring the security permissions dialogue box, he said… More details are in a white paper on the technique, written by Grossman and Robert Hansen of SecTheory and published in September 2008.”

Key question: Were you using the current Adobe Flash Player, or the version current at the time of last year’s whitepaper?

If someone has a new way to make various browsers obscure Player’s permissions dialog, then we need to know about it. But from the description above, with Player version undescribed, I can’t determine whether there’s a new issue here.

Background: What is “clickjacking”?

(a) It’s a failure in website security where a malevolent third party has either hacked in their own code, or persuaded a site to use third-party code through social services or advertising — basically a trusted website hosting untrustworthy content. It’s a flaw in website integrity.

(b) It’s a failure in browser security where third-party code can hide what the reader is clicking on — where What You See Is NOT What You Click. The browser vendors each seem to say their offering fixes at least some of the methods to defeat click integrity while others do not, which makes me wonder whether any browser has truly addressed this failure in browsers’ click integrity.

(c) Flash isn’t involved directly in this “What You See Is NOT What You Click” problem. It’s used as a poster child of what can happen when infected sites can take advantage of browser failures.

Summary: There’s a new article, but it is not clear whether there’s a new issue.