Clickjacking Threat To Firefox

Jan 30, 2009

Counterfeit links are able to deceive the Firefox and Chrome browsers, directing users to unintended websites.

Aditya K Sood of Secniche Security has published an article which claims that Firefox and Chrome are vulnerable to a certain form of clickjacking. For example, if a user wants to go to Yahoo.com and clicks (unwittingly) on a forged link, an embedded JavaScript function redirects them to a totally different site.

Sometimes this will be obvious, but other times the user will be unaware of the detour until it is too late. When the mouse is passed over the link, the original address is shown in the address bar, i.e., Yahoo.com. Depending on the intentions of the hijackers, the bogus website can activate malignant codes, offer spam, or convince the user he/she is on the original website in order to elicit passwords.
Users who want to know if the click trick works with their own browser can test it here. The source code enables the study of attacks.

A paper on clickjacking techniques is also available. Currently, the only protection against such an attack is to deactivate JavaScript.

Related content

Comments

comments powered by Disqus

Issue 14: Raspberry Pi Handbook/Special Editions

Buy this issue as a PDF

Tag Cloud

Android Bruce Byfield Gnome KDE Kernel Linux Linux Pro Magazine Open Source Projects Red Hat Ubuntu events foss free software google

News