Firefox Add-on Blocks 'Clickjacking' Attacks
A popular Firefox add-on designed to block scripts and plug-ins has been updated to stymie the new "clickjacking" class of attacks, the extension's developer said Thursday.
The latest version of NoScript, a free extension for Mozilla Corp.'s Firefox browser, now boasts something that Italian developer and security researcher Giorgio Maone calls "ClearClick" to protect users from clickjacking attacks.
"Rather than relying on frame/plug-in blocking, which were already available, I decided to move on and add a brand new feature, developed from scratch, for people who couldn't bear blocking frames outright," said Maone in an interview conducted via instant messaging.
In a blog post earlier this week, Maone spelled out what ClearClick does in greater detail. "Whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals [to] you the real thing in 'clear,'" he said.
At that point, users can decide for themselves whether to continue clicking, or free up the mouse from the underlying -- and potentially exploitive -- content.
Clickjacking, which was coined just last month by a pair of American researchers -- Robert Hansen of SecTheory LLC and Jeremiah Grossman of WhiteHat Security Inc. -- describes attacks in which hackers and scammers hide under the cover of a legitimate site, then use that cover to disguise clicks. Among possible clickjacking exploits was one that Adobe Systems Inc. described this week in Flash that lets attackers secretly spy on users by getting them to turn on their computer's webcam and microphone without realizing they've done so.
"Clickjacking is bad, old and difficult to protect from because it depends Web features modern sites heavily rely upon today," said Maone. "It's also quite easy to pull [off] and unlikely to be fixed by a mainstream browser in the short term."
Although Hansen and Grossman have not yet released technical information of their clickjacking research -- they only outlined the threat in any detail yesterday -- Maone was able to create ClearClick by piecing together what clues had been made public in the last two weeks. He also got help from other researchers, including Hansen.
"Even without knowing the gory details of the [then still undisclosed] Adobe vulnerability, it was not hard analyzing the problem from a general mitigation perspective," said Maone. "[And] after I started speculating on the effectiveness of already existent NoScript features against clickjacking, notably IFRAME blocking, [Hansen] pinged me, also because he's a NoScript user himself, and we had some deeper discussion on NoScript's alternate and specific defenses."
NoScript uses the "canvas" HTML element to draw two snapshots, one of the clicked component only, the other of the top page with all its content, then compares the two images. If they differ, the extension triggers the ClearClick warning.
Maone was confident that NoScript with ClearClick would stop virtually every conceivable clickjack attack. "It conceptually shuts down any kind of clickjacking, either based on transparency, overlays, position, redressing and so on, because all the variants boil down to 'hide the element user is interacting with,'" he explained.
Hansen was not as certain that NoScript is the right answer.
"Giorgio is doing Mozilla a huge favor," he said in an interview Wednesday. "But I don't think that it's the best way to protect users." His objections: NoScript blocks much of the content that users expect to find on sites, and it's aimed at technical, not mainstream, users. "If my Mom was using NoScript, I'd be taking all kinds of technical support calls," he said.
Not surprisingly, Maone sees NoScript differently. "The problem is that many of the problems we're facing, and not just clickjacking, originate from the 'flat' security model of the Web, where everything is equally trusted and the boundaries between Web applications are very fragile," he said.
"NoScript takes a radical approach to this, dividing the Web in[to] 'trusted' and 'untrusted' -- the latter includes both unknown sites and those you explicitly marked as bad -- and this allows greater margin to outmaneuver Web-based threats," Maone added. "Playing on a field where all is trusted by default, like mainstream browser vendors are forced to do, makes security much harder, and in many cases impossible."
NoScript, available free-of-charge, works only with Firefox and other Mozilla-based browsers, such as Flock and SeaMonkey. Version 18.104.22.168, released Wednesday, includes ClearClick.