
October 8, 2008

On clickjacking

I'm on the final leg of a three-week vacation/study in Taiwan. (Which, by the way, is a wonderful and underappreciated place, and which I believe would well repay your attention. But that's another post. ;-)

Anyway, I've been out of the loop, and have not been in direct contact with Adobe's security team, but see in the security blog that there is a new security advisory... it details how to turn off your webcam through a dialog, instead of just turning it away when not in use. But I also see there's a whole bunch of news commentary bashing Flash on a "clickjacking" exploit. Flash is taking the piss on this.

What is "clickjacking"? Details are starting to emerge, from people who have reverse-engineered the prior (and rather thankfully vague) reports. It seems to be just using IFRAME and other old DHTML techniques to slide something atop an innocuous clickable link in an HTML page. There are variants using JavaScript or other techniques.

The Flash connection? Someone was able to slip something atop Flash's webcam permission dialog, so you could grant access to your cam without knowing.
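The defensive side of the IFRAME overlay described above, as an added example that is not from the original post: a page that renders a sensitive control (a permission dialog, a "confirm" button) can first check whether it has been embedded by a stranger and refuse to draw the clickable UI at all. The browser `window` is injected as a parameter so the decision logic can run outside a browser; the allow-listed origin is a constructed placeholder.

```javascript
// Decide whether this page may render its clickable UI, given the window it
// lives in and the top-level origins that are allowed to embed it.
// `win` is the browser `window` (injected so the logic is testable offline).
function framingCheck(win, allowedTopOrigins) {
  // Not inside any frame: nothing can be slid on top of us by an embedder.
  if (win.top === win.self) {
    return { framed: false, action: "render", topOrigin: null };
  }

  // We are framed. Try to learn who the embedder is. A cross-origin parent
  // throws on access to its location, which by itself means a site we do not
  // control has wrapped our page.
  let topOrigin = null;
  try {
    topOrigin = win.top.location.origin;
  } catch (e) {
    topOrigin = null;
  }

  if (topOrigin !== null && allowedTopOrigins.includes(topOrigin)) {
    return { framed: true, action: "render", topOrigin };
  }

  // Unknown or cross-origin embedder: hide the UI instead of trusting that a
  // click will land where the user believes it does.
  return { framed: true, action: "hide", topOrigin };
}

// Browser entry point (constructed allow-list). Hiding the content is safer
// than only navigating `top` away, since a hostile parent can block that.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const decision = framingCheck(window, ["https://www.example.com"]);
  if (decision.action === "hide") {
    document.documentElement.style.display = "none";
  }
}
```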

Flash seems incidental to the exploit, but is taking the brunt of the PR damage. This is becoming a common pattern. I am annoyed.

Now remember this is me talking, not Adobe corporate, but there seem to be two takeaways here, and neither involves Flash at all:

1. Today's browsers cannot guarantee click integrity. They are all broken and insecure.

From everything I can read in the public record, Flash is doing exactly what it says it will do, and it's the surrounding web browser rendering engine which is setting up the clickjack exploit. Flash just happens to be more powerful than browsers, and works across all of them too, so it's naturally a dramatic storyline.

But web browsers cannot assure that you're clicking what you think you click. All the noise about HTML5 and "Open Web" posturing and such becomes more ludicrous when you can't get even the basics right.

Today's browsers cannot guarantee click integrity.

This wouldn't be quite so bad, if it weren't for takeaway two:

2. "Web 2.0" mashups and third-party content are not properly vetting the instructions they are asking your website to republish.

Think about which types of webpages would host this exploit. Warez sites open you to infection, of course, so untrustworthy websites are now risky. Your bank's site is probably safe, unless their server was hacked and is serving malware unknowingly. But generally, this IFRAME clickjack occurs when nice sites promiscuously accept instructions from bad webservices.

Take a look at a TechCrunch page sometime, or any other big Web 2.0-style site, using a utility like AdBlock Plus or a website speed analyzer, or even by monitoring your IP address's HTTP requests. There are hundreds of assets retrieved for each page, notifying many, many domains that your IP address has visited that page. These "web beacons" enable cross-site tracking of your surfing history, and most tech pundits aren't copping to the fact that Google AdSense is potentially enabling Al Gore's old visions of Clipper Chip and Echelon surveillance.

It's the MySpace-like, Facebook-like mashup which seems to enable this class of deception and vulnerability. Web 2.0 is broken, if it accepts unknown, untrustworthy instructions from strangers. It's like picking up and eating a sandwich that you find on the sidewalk... might be a viable tactic the first few times, but sooner or later the odds will catch up with you. The mashup culture is not adequately validating its inputs.

Okay, that's my rant. I'm angry that headlines are copying each other with "ooh flash vulnerability!" and don't seem to be addressing the real core issues. Browsers are currently clearly broken, and mashups are currently clearly broken, and we've got to buckle down and deal with it.

Browsers can get fixed by limiting their scope of functionality so that you can safely visit any strange page, and by putting advanced functionality into a separate abstraction layer (like Flash) which is distinct from the browsers' layer of scope. HTML5 is moving in precisely the wrong direction.

Web 2.0 can get fixed by everyone viscerally realizing that you cannot just blithely accept instructions from strangers, whether it's an IFRAME into your webpage, or an anonymous comment on a weblog, or a Digg recommendation or whatever... there needs to be accountability, people need to bet their reputation on the info to which they're asking you to attend.

Sliding evil content atop dialog boxes to catch clicks and reuse them otherwise... a basic flaw in DHTML, a basic flaw in trusting untrustworthy third-party content.

And if the newspaper headlines can't get this right, it's a basic flaw in online commentary, too.

(NB: Comments on this old weblog are not enabled, but it's the only password I've got stored on my nifty Nokia Internet Tablet. I'll be developing these ideas further on my current blogs.adobe.com/jd once I return from vacation.)

Posted by JohnDowdell at October 8, 2008 4:00 PM