FAQ: Clickjacking -- should you be worried?

Nearly all browsers are vulnerable to this new attack class, but details are scarce

Page 3 of 3

NoScript, which can be downloaded free of charge, has its drawbacks, though: Unless a user manually enables the switch-off-by-default content, many sites will either be unusable or prohibitively limited.

Take note: Giorgio Maone, the creator of NoScript, posted a very interesting entry on his blog Saturday that spells out the add-on's contribution to the clickjacking story. It's well worth reading.

When will the clickjacking problems be patched? That's a toughie.

Hansen had no clue, really -- although he was certain that the only sensible solution is for the browser makers -- Microsoft, Mozilla, Apple, Opera, Google and others -- to build protection into their applications. "The only people who can fix this in a scalable way are the browser vendors," he said.

He and Grossman have connected with Microsoft, Mozilla and Apple so far, companies that together account for more than 98% of the current browser market share. "All are working on solutions," Hansen said, though he's unsure just how high a priority they're giving the problem.

In the meantime, Adobe Systems is working on a fix, reportedly for Flash, although Hansen refused to confirm that last week. It was Adobe that convinced the pair to ditch their planned OWASP AppSec 2008 presentation and delay disclosing their research findings.

When will we know more about clickjacking? Soon. Hansen and Grossman said they will release nearly all of their research, including proof-of-concept code, when Adobe posts its patch.

Copyright © 2008 IDG Communications, Inc.
