Clickjacking Threat To Firefox

Jan 30, 2009

Counterfeit links are able to deceive the Firefox and Chrome browsers, directing users to unintended websites.

Aditya K Sood of Secniche Security has published an article which claims that Firefox and Chrome are vulnerable to a certain form of clickjacking. For example, if a user wants to go to Yahoo.com and clicks (unwittingly) on a forged link, an embedded JavaScript function redirects them to a totally different site.

Sometimes this will be obvious, but other times the user will be unaware of the detour until it is too late. When the mouse is passed over the link, the original address is shown in the address bar, i.e., Yahoo.com. Depending on the intentions of the hijackers, the bogus website can activate malignant codes, offer spam, or convince the user he/she is on the original website in order to elicit passwords.
Users who want to know if the click trick works with their own browser can test it here. The source code enables the study of attacks.

A paper on clickjacking techniques is also available. Currently, the only protection against such an attack is to deactivate JavaScript.

Related content

Comments

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News