I am at the first national OWASP conference in New York this week, giving a talk on Web 2.0, consumerization, and application security. There is much discussion at the conference about "clickjacking," partially because the researchers weren’t given permission to do an open session, which of course further fanned the interest.
Earlier today, CERT issued a statement on clickjacking, warning that multiple browsers, including IE, Firefox, Safari, Opera, and Chrome, are all vulnerable to the attack.
So what is clickjacking? The exact technical details of this attack and the associated vulnerabilities are a bit fuzzy at this point. But essentially, clickjacking constitutes an attack that inserts itself in the middle of a user’s interaction with a Web page through clicking buttons. Whenever a user clicks on a button in a Web page, the infected browser can get the user to perform any arbitrary click-related function, including redirecting the browser to a third-party site, replacing the legitimate “onclick” function with a different function, etc. This attack is different from the traditional code-inject attacks that overlay invisible iFrame on top of Web pages, because this attack does not require the compromise of server-side code. The browser alone can wreak havoc.
How serious is the clickjacking vulnerability? The researchers reported that the vulnerability does affect all popular browsers, which means it will affect a huge population of users.