Firefox add-on blocks 'clickjacking' attacks

NoScript now stymies new class of exploits by revealing secret content

October 9, 2008 12:00 PM ET



Computerworld - A popular Firefox add-on designed to block scripts and plug-ins has been updated to stymie the new "clickjacking" class of attacks, the extension's developer said today.

The latest version of NoScript, a free extension for Mozilla Corp.'s Firefox browser, now boasts something that Italian developer and security researcher Giorgio Maone calls "ClearClick" to protect users from clickjacking attacks.

"Rather than relying on frame/plug-in blocking, which were already available, I decided to move on and add a brand new feature, developed from scratch, for people who couldn't bear blocking frames outright," said Maone in an interview conducted via instant messaging.

In a blog post earlier this week, Maone spelled out what ClearClick does in greater detail. "Whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals [to] you the real thing in 'clear,'" he said.

At that point, users can decide for themselves whether to continue clicking, or free up the mouse from the underlying -- and potentially exploitive -- content.
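The decision ClearClick makes, as the article describes it, is whether an interaction that would land on an embedded element is reaching something the user can actually see. The following is an added illustration written for this article, not NoScript's own code: it models a rendered page as a flat list of positioned boxes (rect, stacking order, CSS opacity, optional parent, embedded-or-not, pointer-events) and applies two checks to the element that would receive a click: is its painted opacity below a threshold, and is a meaningful share of its area hidden behind boxes stacked above it. The thresholds, the grid-sampling method and the three sample pages are all constructed assumptions.

```javascript
// Added example: a simplified ClearClick-style check. Not NoScript's algorithm.
// Thresholds below are assumed values chosen for the illustration.
const OPACITY_THRESHOLD = 0.95;   // painted opacity under this counts as "transparent"
const COVERAGE_THRESHOLD = 0.05;  // more than 5% of the area hidden counts as "obstructed"

function contains(rect, x, y) {
  return x >= rect.left && x < rect.left + rect.width &&
         y >= rect.top && y < rect.top + rect.height;
}

function isAncestor(candidate, el, byId) {
  for (let p = el.parent; p; p = byId[p].parent) if (p === candidate.id) return true;
  return false;
}

// Element that would receive a click at (x, y): highest-stacked box under the
// point that accepts pointer events (the role document.elementFromPoint plays).
function elementFromPoint(page, x, y) {
  return page
    .filter(e => contains(e.rect, x, y) && e.pointerEvents !== 'none')
    .sort((a, b) => b.z - a.z)[0] || null;
}

// Opacity as painted: the element's own opacity times every ancestor's opacity,
// so a near-invisible wrapper DIV makes its children near-invisible too.
function effectiveOpacity(el, byId) {
  let o = el.opacity;
  for (let p = el.parent; p; p = byId[p].parent) o *= byId[p].opacity;
  return o;
}

// Fraction of the element's area hidden behind boxes stacked above it, sampled
// on a grid. Boxes with pointer-events:none still hide content, so they count.
function obstructedFraction(el, page, byId, samples = 20) {
  const r = el.rect;
  let hidden = 0;
  for (let i = 0; i < samples; i++) {
    for (let j = 0; j < samples; j++) {
      const x = r.left + (i + 0.5) * r.width / samples;
      const y = r.top + (j + 0.5) * r.height / samples;
      if (page.some(o => o !== el && o.z > el.z && !isAncestor(o, el, byId) &&
                         contains(o.rect, x, y))) hidden++;
    }
  }
  return hidden / (samples * samples);
}

// Decide whether to let the click through or hold it and show the user the real
// target. Only embedded elements (IFRAME / plug-in) are subject to the check.
function clearClickCheck(page, x, y) {
  const byId = Object.fromEntries(page.map(e => [e.id, e]));
  const target = elementFromPoint(page, x, y);
  if (!target || !target.embedded) {
    return { block: false, target: target ? target.id : null, reasons: [] };
  }
  const reasons = [];
  if (effectiveOpacity(target, byId) < OPACITY_THRESHOLD) reasons.push('transparent');
  if (obstructedFraction(target, page, byId) > COVERAGE_THRESHOLD) reasons.push('obstructed');
  return { block: reasons.length > 0, target: target.id, reasons };
}

// Constructed sample pages (not real sites).
const box = (left, top, width, height) => ({ left, top, width, height });

// 1. Honest embed: an opaque video frame with nothing drawn over it.
const honestPage = [
  { id: 'body', rect: box(0, 0, 800, 600), z: 0, opacity: 1 },
  { id: 'video', rect: box(100, 100, 400, 300), z: 1, opacity: 1, embedded: true },
];

// 2. Classic clickjacking layout: a visible decoy button underneath, the real
//    embedded target stacked on top inside a near-invisible wrapper DIV.
const clickjackPage = [
  { id: 'body', rect: box(0, 0, 800, 600), z: 0, opacity: 1 },
  { id: 'decoy', rect: box(300, 250, 120, 40), z: 1, opacity: 1 },
  { id: 'wrapper', rect: box(0, 0, 800, 600), z: 5, opacity: 0.01 },
  { id: 'target', rect: box(250, 200, 300, 200), z: 6, opacity: 1, embedded: true, parent: 'wrapper' },
];

// 3. Partial obstruction: the embed is opaque, but an opaque overlay with
//    pointer-events:none covers 60% of it, so the click falls through to it.
const overlayPage = [
  { id: 'body', rect: box(0, 0, 800, 600), z: 0, opacity: 1 },
  { id: 'target', rect: box(100, 100, 400, 300), z: 1, opacity: 1, embedded: true },
  { id: 'overlay', rect: box(100, 100, 400, 180), z: 2, opacity: 1, pointerEvents: 'none' },
];

for (const [name, page, x, y] of [['honest', honestPage, 200, 200],
                                  ['clickjack', clickjackPage, 360, 270],
                                  ['overlay', overlayPage, 300, 350]]) {
  console.log(name, JSON.stringify(clearClickCheck(page, x, y)));
}
```

The honest page passes, the clickjacking layout is held with reason `transparent`, and the overlay page is held with reason `obstructed` even though its embed is fully opaque; a real implementation compares rendered pixels rather than box geometry, but the two questions it asks are the same.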

Clickjacking, a term coined just last month by a pair of American researchers -- Robert Hansen of SecTheory LLC and Jeremiah Grossman of WhiteHat Security Inc. -- describes attacks in which hackers and scammers hide under the cover of a legitimate site, then use that cover to disguise clicks. Among possible clickjacking exploits was one in Flash, described this week by Adobe Systems Inc., that lets attackers secretly spy on users by getting them to turn on their computer's webcam and microphone without realizing they've done so.

"Clickjacking is bad, old and difficult to protect from because it depends [on] Web features modern sites heavily rely upon today," said Maone. "It's also quite easy to pull [off] and unlikely to be fixed by a mainstream browser in the short term."

Although Hansen and Grossman have not yet released technical information on their clickjacking research -- they only outlined the threat in any detail yesterday -- Maone was able to create ClearClick by piecing together the clues that had been made public in the last two weeks. He also got help from other researchers, including Hansen.

"Even without knowing the gory details of the [then still undisclosed] Adobe vulnerability, it was not hard analyzing the problem from a general mitigation perspective," said Maone. "[And] after I started speculating on the effectiveness of already existent NoScript features against clickjacking, notably IFRAME blocking, [Hansen] pinged me, also because he's a NoScript user himself, and we had some deeper discussion on NoScript's alternate and specific defenses."
