Mozilla the open-source company as always has done its bit in providing users with the safest way to surf the internet. Mozilla is offering a new plug-in that would for the Firefox Browser that blocks clickjacking which security researchers are calling on of the dangerous problem on the Web.
Clickjacking occurs when a user a user accidently clicks on a invisible link which leads the person to a malicious site without their knowledge. This is possible due to the design feature in HTML which lets websites embed content from other sites. This means that every website is vulnerable.
The Firefox add-on NoScript is a very well known security Plug-in which is used to block all types of content in a webpage. However it is not a security scanner as it does not scan content with reference to a specific signature database to search for specific threats. It is a tool to block certain type of content. Firefox now comes with a added feature in this plug-in called ClearClick to fight Clickjacking.
Clickjacking is also known as user-interface redress attacks which should be blocked by NoScript plug-in, however there are a few downsides for the same.
But again the plug-in can only save users who have Firefox, the rest 70% who use other browsers are still at risk.
To combat clickjacking other browsers will come up with a fix soon. The only thing is that Mozilla realized the dangers and the others are still not concerned about the same.
However clickjacking is just not limited to websites, it can also be harmful for applications. A Live example of clickjacking was when a concept called “the clicking game” where people were told to click on a link on the right places to reconfigure the settings for the security for their webcams and microphone and in turn the victims gave access to their webcams and microphones.
More insights into Clickjacking:
In clickjacking, iframes and web page layers are used in DHTML in such as way that illegitimate buttons are overlaid on the existing legitimate buttons. The user when comes to a particular website thinks that he or she is clicking on a genuine link but they are instead clicking on something that’s harmful.
It really an interesting thing actually as very little is known about it and that leads to no tools to detect if a particular website is affected. We also don’t know how widespread clickjacking is. To develop a tool for the same what we need is more incidents where people are affected to study and find all the things that are possible with clickjacking. But the only problem with that is that by the time we learn all that it is too late and it has done all the harm that it could do. It’s just like installing a burglar alarm after the burglar has cleaned up your house.
How to disable Clickjacking?
The best way is to disable Flash. In Firefox however you have the plug-in now to protect you but you also have the option of extension called Flashblock which disables Flash scripts. It leaves a blank placeholder where you had a flash script which can be enabled by clicking on it. For Microsoft Internet Explorer you have to make changes in the Windows Registry.
Posted under Network and Security
This post was written by Brad on October 16, 2008
