86 Comments
- inactive, on 09/27/2008, -1/+40: Yeah, this has been happeneni
- inactive, on 09/27/2008, -2/+40: ng to me lately and it's pissing me off.
- NeoNevermore, on 09/26/2008, -3/+36: Does digg work well in lynx?
- worldchanger, on 09/27/2008, -2/+24: Clickjacking. Sounds like what Diggers spend most of their time doing.
- inactive, on 09/26/2008, -4/+26: Oh *****....
- widman, on 09/26/2008, -0/+20: From http://blogs.zdnet.com/security/?p=1973
  Firefox with NoScript by default "can defeat most of the possible attack scenarios (i.e. the most practical, effective and dangerous)" [...] "For 100% protection by NoScript, you need to check the “Plugins|Forbid ” option."
- trogdor282, on 09/27/2008, -0/+16: There's no way you could clickjack my br
- rrobbins, on 09/26/2008, -0/+15: I discovered a vulnerability in Opera concerning its handling of malicious SVG. I reported it and have not received any response.
- 4321234, on 09/27/2008, -1/+13: This could reinvent the Rick Roll.
- specialK16, on 09/27/2008, -0/+10: No, only when candlejack is menti
- IllBeBack, on 09/27/2008, -0/+9: Yes, because as we all know, Usenet does not use the Internet.
  /sarcasm.
- pbryan, on 09/26/2008, -0/+8: That's "Forbid IFRAME" -- I've removed the < and >. I suspect that Digg filtered out the apparent HTML in your comment.
  So this gives us a clue. Apparently one must disable IFRAMEs in order to mitigate the vulnerability.
- inactive, on 09/27/2008, -4/+11: I'm gonna go out on a limb here and GUESS it has something to do with Flash, a plugin supported by just about every browser, can apparently go full screen, cover regions outside its initial emb area, catch mouse clicks... do tons of other things.. and is an Adobe product. Which would explain why they would hold off when Adobe asks.
  Maybe flashblock will protect you.
- beamster, on 09/27/2008, -1/+8: If you would have bothered to read the article instead of firsting poor Steven here you would have learned that:
  "it appears to be completely browser-agnostic, and affects both Firefox 2 and 3, all versions of IE (including 8), and presumably all versions of Opera, Konquerer, Safari, and whatever other extremely marginalized and/or FailCat type of browser one might use to surf the web."
- widman, on 09/26/2008, -0/+7: You should try SecurityFocus or some other respectable third party for ethical bug release arbitration. Most commercial vendors will keep you on hold as long as possible. Oracle does it for years, Microsoft for months.
- pbryan, on 09/26/2008, -0/+6: Considering Adobe is a central player in this as well, I'm going to go on a limb and say it's related to a combination of IFRAMEs and Flash.
- rossiohead, on 09/27/2008, -1/+7: oned out-loud.
- widman, on 09/26/2008, -0/+6: The reports say it isn't just Flash. In fact it seems it isn't just JavaScript related, either.
- widman, on 09/26/2008, -1/+7: There's MacLynx for that.
- inkswamp, on 09/27/2008, -1/+6: What part of "completely browser-agnostic" didn't you get?
- widman, on 09/26/2008, -0/+5: Wrong reply, sorry! (MacLynx)
  I can't find the latest lynx as the site seems down. But I just tested Digg on links, another text browser without JavaScript. Digg relies on JavaScript heavily, but it seems to work very basically. You see the first line of the comments and you can follow the link on the date to see the rest of the comment at the top of the new page. Also the comments seem to cascade well. Something like:
  * someuser123, {5 minutes ago}, -0/+3That's very cool, blah blah blah...
  [a few spaces] * someotheruser321 {2 minutes ago}, -0/+1YouTube original here:
  (Damn digg comments can't have spaces, html... So annoying.)
- inactive, on 09/27/2008, -1/+5: Ok first off - for all those who're like "it doesn't say chrome": Chrome is based on Webkit - as well as Safari.... so... the smart money is on - if it hurts Safari it hurts Chrome....
  Next - stay plugged into the nightly builds of your favorite browser and you'll be more likely to fix these types of problems before they have a chance to hurt you. I have a svn/cvs feed for Webkit and Firefox for their nightly builds. If you want to stay ahead of the major exploit curve... I recommend the same.
- scoot2006, on 09/27/2008, -0/+4: It's called graceful degradation when you can take away things like javascript or css and a (properly coded) site still has at least basic functionality and usability.
- cday, on 09/27/2008, -0/+4: FTA: "it appears to be completely browser-agnostic, and affects both Firefox 2 and 3, all versions of IE (including 8), and presumably all versions of Opera, Konquerer, Safari, and whatever other extremely marginalized and/or FailCat type of browser one might use to surf the web."
  Being "browser-agnostic" is one thing. All of those browsers have Windows versions, so a better question might be: is it PLATFORM agnostic? I seriously want to know, does this browser-exploit work the same on non-Windows systems? Seems like a whole lot of useful information is missing here.
- LordSturm, on 09/27/2008, -0/+4: On a limb you are. :P
  "but voluntarily pulled the presentation after discovering that the 0-day flaw affected an Adobe product"
  Since Flash is an Adobe product, they would already have known this and it was no discovery if the exploit had anything to do with just 'Flash'.
  So no, not flash.
- inactive, on 09/27/2008, -1/+5: You fool! You're not supposed to mention candlej
- Fabbyfubz, on 09/27/2008, -2/+6: That picture scares me
- LordSturm, on 09/27/2008, -0/+4: Chrome is affected.
- S5S5S5, on 09/27/2008, -0/+3: The way I understand it, it has to do with a hidden IFrame in a web page, and subverting clicks to that IFrame unknown to the user. So you put a banking site in an IFrame and pass clicks in that IFrame to do bad stuff. Assuming this is the basics of the problem, the NoScript add-on with IFrame blocking should protect you.
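The hidden-IFrame mechanism S5S5S5 describes is exactly what the anti-framing response headers that browsers adopted after this thread was written (X-Frame-Options, later the CSP frame-ancestors directive) exist to block on the server side, independent of any user add-on. As an added example, not part of this thread or of any site's code, here is a Python checker that reads those headers from a response and reports whether the page can still be framed, plus a helper that sets both controls; the `headers` dict is an assumed stand-in for a real response's header map.

```python
"""Clickjacking exposure from anti-framing headers; `headers` is an assumed plain dict of one response's headers."""
from typing import Dict, List, Optional, Tuple

def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def _frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Source list of the CSP frame-ancestors directive, or None when it is absent."""
    for directive in (csp or "").split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_policy(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return ('blocked' | 'restricted' | 'framable', reason) for one response."""
    ancestors = _frame_ancestors(_get_header(headers, "Content-Security-Policy"))
    if ancestors is not None:
        # When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
        if not ancestors or ancestors == ["'none'"]:
            return "blocked", "CSP frame-ancestors forbids every ancestor"
        if "*" in ancestors:
            return "framable", "CSP frame-ancestors allows any origin"
        return "restricted", "CSP frame-ancestors limits framing to " + " ".join(ancestors)
    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is None:
        return "framable", "neither X-Frame-Options nor frame-ancestors is set"
    value = xfo.strip().lower()
    if value == "deny":
        return "blocked", "X-Frame-Options: DENY"
    if value == "sameorigin":
        return "restricted", "X-Frame-Options: SAMEORIGIN"
    # ALLOW-FROM was never implemented by every browser, and unknown tokens are ignored.
    return "framable", f"X-Frame-Options value {xfo!r} is not reliably enforced"

def harden(headers: Dict[str, str]) -> Dict[str, str]:
    """Copy of the headers with both controls set so that no page may frame this response."""
    kept = {k: v for k, v in headers.items()
            if k.lower() not in ("x-frame-options", "content-security-policy")}
    csp = _get_header(headers, "Content-Security-Policy") or ""
    directives = [d.strip() for d in csp.split(";")
                  if d.strip() and not d.strip().lower().startswith("frame-ancestors")]
    kept["X-Frame-Options"] = "DENY"
    kept["Content-Security-Policy"] = "; ".join(directives + ["frame-ancestors 'none'"])
    return kept
```

A page that must be embeddable by its own origin (widgets, same-site dashboards) would use `frame-ancestors 'self'` instead of `'none'`; anything the checker reports as "framable" is open to the click-redirection this thread is about.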
- pbryan, on 09/26/2008, -1/+4: And a very interesting coincidence that this was posted yesterday, and seems very related:
  http://lists.whatwg.org/pipermail/whatwg-whatwg.or ...
- DeathfireD, on 09/27/2008, -0/+3: or just cover the whole page like the myspace hackers do :P.
- inactive, on 09/27/2008, -1/+4: better stick to wget-ting a page at a time ;)
- rheaume, on 09/27/2008, -0/+3: You lost me at http
- pbryan, on 09/26/2008, -0/+3: Related links:
  http://ha.ckers.org/blog/20080915/clickjacking
  http://blogs.adobe.com/psirt/2008/09/thanks_to_jer ...
  http://www.breakingpointsystems.com/community/blog ...
- coreyb, on 09/27/2008, -0/+3: ...seven days...
- inactive, on 09/27/2008, -2/+5: This sounds serious! Time to shut down my PC and read porn instead!
- widman, on 09/26/2008, -0/+3: @pbryan: Thanks! I didn't notice the removal. Maybe digg should warn better when it takes out something.
- joshualamgroup, on 09/27/2008, -0/+3: Time to switch to Lynx :)
- audiowizard, on 09/27/2008, -0/+3: The same old goddamn rules apply. If you don't trust the domain don't ***** with it. This is a lame "exploit". So the site you're at can do whatever it wants with your keystrokes and clicks.... I fail to see how this is a new exploit, any decent developer can do this. When I push that submit button Digg could direct me to a malicious porn site, oh my gosh!! They might even be logging my keystrokes, oh my! Can a mage please give digg an intellect buff?
- specialK16, on 09/27/2008, -0/+3: You are a web designer not a web programmer. :p
- specialK16, on 09/27/2008, -0/+3: Can you people please stop with that candlejack jok
- Prismatic, on 09/27/2008, -1/+4: Can anyone explain what click-jacking actually does? The article does not give a good explanation.
- slayernine, on 09/27/2008, -0/+3: I'm going back to the Usenet, screw this internet thing
- MtheoryX, on 09/27/2008, -0/+3: ack!
- LordSturm, on 09/27/2008, -0/+3: Romantic Literature?
- Cl1mh4224rd, on 09/27/2008, -3/+5: widman wrote:
  > "Maybe digg should warn better when it takes out something."
  Or they could just learn to use htmlspecialchars() like the rest of the civilized world...
- inactive, on 09/27/2008, -0/+2: Ok that's it. I don't see the humor in this whole "cj" thing at all. I mean, it's not like there's really someone named Candlejack out th
- DrakeGTA, on 09/27/2008, -0/+2: I should never have read that comment outlou
- Spuy767, on 09/27/2008, -1/+3: Looks like a very basic HTML level exploit. Perhaps creating something of a transparent link that covers something that users might actually want to click on.
- MadMan714, on 09/27/2008, -3/+5: Dugg for creepy thumbnail.