The release of the demo follows last month’s partial disclosure of the cross-platform attack/threat, which affects all the major desktop platforms: Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash. The proof of concept used Flash, but the writer went on to say that the same thing could have been achieved using Java, Silverlight, or Dynamic HTML.
The demo appears to be a simple game that tests how quickly a user can click on a series of moving targets. Behind the scenes, it combines a generic clickjacking attack with weaknesses in Adobe’s Flash technology to record the player using the PC’s video camera and microphone. Some of the clicks are real game clicks; others are jacked clicks. Every time a click needs to be jacked, the content simply moves behind the iframe using z-index.
The proof of concept is a powerful demonstration of the spooky implications behind clickjacking. The vulnerability allows malicious webmasters to control the links visitors click on. Once lured to a booby-trapped page, a user may think he’s clicking on a link that leads to Google – when in fact it takes him to a money transfer page, a banner ad that’s part of a click-fraud scheme, or any other destination the attacker chooses.
Another security researcher, Aviv Raff, has also built a proof-of-concept exploit using a hidden iframe to hijack clicks to snag Twitter followers. Raff’s demo invisibly overlays a blank page over the Twitter site and sets the “Click Me!” button on the spot where Twitter’s “Follow” icon is displayed. If the target is logged into Twitter, the click on Raff’s demo is actually executed on Twitter’s site.
The idea behind these clickjacking demos can easily be combined with social engineering techniques to launch drive-by malware downloads. The list of ways this can be abused might include government spying, corporate espionage, cyber stalking, click fraud, and much more. Turning off the webcam may limit the damage, but it doesn’t remove the underlying threat.
Until the affected vendors can come up with adequate patches/mitigations, users might want to move to Firefox + NoScript to get some level of security. Adobe recently issued an advisory giving step-by-step instructions for working around the threat while a fix is pending. The company also said it expected to patch the vulnerability by the end of October. So far, the makers of Internet Explorer, Firefox, Java, Safari, Silverlight and other programs vulnerable to clickjacking have not offered any patches.
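Both demos described above depend on the target page agreeing to render inside another site's iframe. As an added example (not part of the original article), the check below classifies a response's `X-Frame-Options` and CSP `frame-ancestors` headers, the standard server-side anti-framing controls, and lists which pages any third-party site could still overlay. The sample paths and hostnames are constructed for illustration.

```javascript
// Added example: classify a response's anti-framing policy from its headers.
// `headers` is a plain object of header name -> value (names in any case).
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // CSP frame-ancestors takes precedence over X-Frame-Options in browsers
  // that support both, so evaluate it first.
  const csp = h['content-security-policy'] || '';
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    const s = sources.map((x) => x.toLowerCase());
    // An empty source list matches nothing, which is the same as 'none'.
    if (s.length === 0 || (s.length === 1 && s[0] === "'none'")) {
      return { framable: 'never', via: 'csp' };
    }
    if (s.length === 1 && s[0] === "'self'") return { framable: 'same-origin', via: 'csp' };
    if (s.includes('*')) return { framable: 'anyone', via: 'csp' };
    return { framable: 'allow-list', via: 'csp', sources: s };
  }

  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return { framable: 'never', via: 'xfo' };
  if (xfo === 'sameorigin') return { framable: 'same-origin', via: 'xfo' };
  // ALLOW-FROM and unrecognised values are ignored by current browsers,
  // so they give no protection against a hidden-iframe overlay.
  return { framable: 'anyone', via: 'none' };
}

// Constructed sample responses (hypothetical paths and hosts).
const SAMPLE_RESPONSES = [
  { url: '/follow', headers: { 'X-Frame-Options': 'DENY' } },
  { url: '/settings', headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" } },
  { url: '/transfer', headers: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' } },
  { url: '/widget', headers: { 'Content-Security-Policy': 'frame-ancestors https://partner.example' } },
  { url: '/legacy', headers: {} },
];

// Pages that an arbitrary third-party site could load in an invisible iframe.
function exposedPages(responses) {
  return responses
    .filter((r) => framingPolicy(r.headers).framable === 'anyone')
    .map((r) => r.url);
}
```

State-changing pages such as a follow button or a transfer form are the ones that should come back as `never` or `same-origin`.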