From the ‘view source and all will be revealed’ files:
Security researcher Aditya Sood posted a new clickjacking advisory early this morning affecting the Firefox 3.0.5 and Google Chrome web browsers. Sood did us all a favor and posted a very clear proof-of-concept (PoC) page that shows exactly what’s going on.
Just to backtrack (no pun intended) for a sec: clickjacking is a new attack vector in which a button or other element is hidden underneath a legitimate-looking one, so that a user’s click has an unintended result. Microsoft claimed earlier this week to have clickjacking protection in IE 8, a claim that some take issue with, as per a story of mine up now.
So, back to the PoC. There is a simple href linking out to Yahoo!:
<a href="http://www.yahoo.com" onclick="clickjack_armor(event)">Clickjack The Target (http://www.yahoo.com) : (http://www.xssed.com)</a>
In the PoC itself, Sood clearly states in the text description that xssed.com is the target, but if you check the status bar of your browser it will show only yahoo.com, which is all the href contains after all.
So what’s happening is a simple onclick handler, which Sood has named clickjack_armor(event), that activates the hidden frame element (mydiv), which sources xssed.com.
It’s really quite simple.
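The two ingredients the PoC combines, a link whose onclick handler can send the click somewhere other than the href shown in the status bar, and a frame parked inside a container the user cannot see, are both visible in the page markup. The following is an added example, not code from Sood’s PoC or from the original post: a small static scan over HTML that flags hidden frames and scripted links so a reviewer can spot this pattern without clicking anything. The sample HTML is constructed to mirror the PoC’s shape; the helper names (parseAttrs, isHiddenStyle, auditMarkup) are mine, and http://framed-target.example/ is a placeholder for whatever site the hidden frame would load.

```javascript
// Added example (not from the original post or the PoC): a heuristic audit of page markup
// for the clickjacking pattern described above. Sample input is constructed; the framed
// URL is a placeholder. Inline styles only; a real audit would also resolve stylesheets.

const SAMPLE_HTML = `
<html><body>
<div id="mydiv" style="position:absolute; left:-9999px; visibility:hidden">
  <iframe src="http://framed-target.example/" width="600" height="400"></iframe>
</div>
<a href="http://www.yahoo.com" onclick="clickjack_armor(event)">Clickjack The Target</a>
<a href="http://www.yahoo.com">Plain link: status bar and destination agree</a>
<iframe src="http://partner.example/widget" width="300" height="100"></iframe>
</body></html>`;

// Parse the attribute text of one tag into an object (double-, single- and unquoted values).
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// True when an inline style would keep the element (and its subtree) out of the user's view.
function isHiddenStyle(style) {
  const s = (style || "").toLowerCase().replace(/\s+/g, "");
  return /display:none/.test(s) ||
         /visibility:hidden/.test(s) ||
         /opacity:0(?![.\d])/.test(s) ||      // fully transparent, not 0.5 etc.
         /(left|top):-\d{3,}px/.test(s);       // parked far off-screen
}

// Tokenize tags in order, tracking which open elements hide their content, and report:
//   hidden-frame   an <iframe> nested somewhere inside a hidden container
//   scripted-link  an <a> with both an href (what the status bar shows) and an onclick
//                  handler (which decides what the click actually does)
function auditMarkup(html) {
  const findings = [];
  const hiddenStack = [];   // one entry per open element: true if it hides its subtree
  const voidTags = ["br", "img", "input", "meta", "link", "hr"];
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const isClose = m[0][1] === "/";
    const name = m[1].toLowerCase();
    if (isClose) { hiddenStack.pop(); continue; }
    const selfClosing = /\/\s*$/.test(m[2]) || voidTags.includes(name);
    const attrs = parseAttrs(m[2]);
    const hiddenHere = isHiddenStyle(attrs.style);
    const insideHidden = hiddenHere || hiddenStack.some(Boolean);

    if (name === "iframe" && insideHidden) {
      findings.push({ kind: "hidden-frame", src: attrs.src || "" });
    }
    if (name === "a" && attrs.href !== undefined && attrs.onclick !== undefined) {
      findings.push({ kind: "scripted-link", href: attrs.href, onclick: attrs.onclick });
    }
    if (!selfClosing) hiddenStack.push(hiddenHere);
  }
  return findings;
}

// Run the audit over the constructed sample and print one line per finding.
for (const f of auditMarkup(SAMPLE_HTML)) {
  console.log(JSON.stringify(f));
}
```

On the sample above the scan reports the off-screen frame and the scripted link, and stays quiet about the plain link and the visible partner frame. It is a heuristic, not a proof of intent: sites legitimately attach onclick handlers to links, so the scripted-link finding is a prompt to read the handler and compare it with the href, which is exactly the ‘view source’ step the post recommends.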
If you’re running Firefox without NoScript (and hey, you really should run NoScript), this is a problem, at least on the Firefox 3.0.5 version that I tested. On Google Chrome 1.0.154.46 (which is the latest stable release) I also tested the PoC, and it worked there as well.
It does not, however, affect Microsoft IE, and I’m talking about IE 7 here, so Microsoft’s new anti-clickjacking approach for IE 8 is not in play. This is a JavaScript validation issue.
This is an issue that is trivial to exploit, though it does require user action (that is, the user must click). It also means that the user is on a site that has been compromised (or is malicious in some way), since why else would anyone hide a frame like that?
Also, this attack vector as demonstrated by the PoC is not ‘stealing’ user credentials (yet), but it could easily be part of a more sophisticated blended phishing attack.