Update Flash to protect against Clickjacking

From the “yet another attack vector” files:

Security researcher Robert Hansen (aka Rsnake) is warning of a new class of vulnerabilities that he calls Clickjacking. Adobe has already issued an advisory for its Flash Player to protect against Clickjacking vulnerabilities that could be exploited.

Understanding clickjacking isn’t that easy – it is in fact a form of what, in lay terms, I would think of as a cross-site scripting issue, though it really is more than that. Rsnake explains in a blog posting that:

First of all let me start by saying there are multiple variants of
clickjacking. Some of it requires cross domain access, some doesn’t.
Some overlays entire pages over a page, some uses iframes to get you to
click on one spot. Some require JavaScript, some don’t. Some variants
use CSRF to pre-load data in forms, some don’t. Clickjacking does not
cover any one of these use cases, but rather all of them. That’s why we
had to come up with a new term for it – like the term or not.

In total, Rsnake claims there are 8 different issues related to clickjacking, only 2 of which are currently resolved in shipping applications. Adobe has issued an advisory for Flash, and Adobe security researcher David Lenoe has blogged on this issue as well.

This potential ‘Clickjacking’ browser issue affects Adobe Flash Player’s microphone and camera access dialog. A Flash Player update to mitigate the issue will be available before the end of October. In the meantime, users can apply the workaround described in the Advisory.

Serious stuff – and definitely a new threat vector that I expect we’ll see more of in 2008 and into 2009.
