Friday, January 30, 2009

Flaw exposes Chrome, Firefox to clickjacking

Security researchers have discovered a flaw affecting Google's Chrome browser that exposes it to clickjacking where an attacker hijacks a browser's functions by substituting a legitimate link with a link of the attacker's choice.

Google has acknowledged the flaw and is working towards a patch for Chrome versions 1.0.154.43 and earlier when running within Windows XP SP2 systems, according to SecNiche security researcher Aditya K Sood.

Sood disclosed the flaw on January 27 and has since posted a proof of concept on the Bugtraq vulnerability-disclosure forum. "Attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page," Sood said within the disclosure.

While Google is working on a fix, a spokesperson for the Australian arm of the company pointed out that clickjacking affected all browsers, not just Chrome.

"The [clickjacking] issue is tied to the way the web and web pages were designed to work, and there is no simple fix for any particular browser. We are working with other stakeholders to come up with a standardized long-term mitigation approach," they said.

However, chief executive of Australian security consultancy Novologica, Nishad Herath, told ZDNet.com.au that after running Sood's proof of concept he found that Internet Explorer 8 (release candidate 1 and beta 2 versions) and Opera 9.63 (the latest version) were not exposed to the flaw. But, like Chrome, Firefox 3.0.5 was exposed.

Google's security researchers had not found any attacks in the wild that exploited the specific vulnerability, said Google's spokesperson.

Clickjacking is a relatively new type of browser attack. The attack broadly fits within the category of cross-site scripting forgery, where an attacker uses maliciously crafted HTML or JavaScript code to force a victim's web browser to send an HTTP request to a website of their choosing.

"Clickjacking means that any interaction you have with a website you're on, for example like clicking on a link, may not do what you expect it to do," said Herath.

"You may click on a link that looks like it's pointing to a picture on Flickr, but in reality, it might first direct you to a drive-by-download server that serves malware. These types of attacks can be used to make you interact with web services you're already logged on to in ways that you would never want to, without you even knowing that it has happened."

Credit: Chrome, Firefox get clickjacked was originally published on ZDNet Australia.

  • What browser battle? They’re more alike than different
  • Five reasons why Chrome will crash and burn
  • No comments: