Topic: Chrome, Firefox face clickjacking

DaBees-Knees (WMW Team)
Chrome, Firefox face clickjacking
« on: February 03, 2009, 11:47:56 am »
http://news.cnet.com/8301-1009_3-10152438-83.html?part=rss&subj=news&tag=2547-1009_3-0-20

Quote
Security researchers have discovered a flaw affecting Google's Chrome browser that exposes it to "clickjacking"--in which an attacker hijacks a browser's functions by substituting a legitimate link with one of the attacker's choice. Google has acknowledged the flaw and is working toward a patch for Chrome versions 1.0.154.43 and earlier when running within Windows XP SP2 systems, according to SecNiche security researcher Aditya Sood. Sood disclosed the flaw on Tuesday and has since posted a proof of concept on the Bugtraq vulnerability disclosure forum. "Attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page," Sood said within the disclosure. "The (clickjacking) issue is tied to the way the Web and Web pages were designed to work, and there is no simple fix for any particular browser. We are working with other stakeholders to come up with a standardized long-term mitigation approach," they said. However, Nishad Herath, an independent security researcher and CEO of Australian security consultancy Novologica, told ZDNet.com.au that after running Sood's proof of concept he found that Internet Explorer 8 (release candidate 1 and beta 2 versions) and Opera 9.63 (the latest version) were not exposed to the flaw. But, like Chrome, Firefox 3.0.5 was exposed. Google's security researchers had not found any attacks in the wild that exploited the specific vulnerability, said Google's representative.

Clickjacking is a relatively new browser attack that security researchers Robert Hansen and Jeremiah Grossman gave a talk on late last year at the Open Web Application Security Project security conference in New York. Such an attack broadly fits within the category of cross-site scripting forgery, where an attacker uses maliciously crafted HTML or JavaScript code to force a victim's browser to send an HTTP request to a Web site of their choosing. "Clickjacking means that any interaction you have with a Web site you're on, for example like clicking on a link, may not do what you expect it to do," explained Herath. "You may click on a link that looks like it's pointing to a picture on Flickr, but in reality, it might first direct you to a drive-by-download server that serves malware. These types of attacks can be used to make you interact with Web services you're already logged onto in ways that you would never want to, without you even knowing that it has happened."

Keep your eyes open for updates and be ahead of the crowd
