The Latest Threat: Clickjacking

Nov 10, 2008 Uncategorized

Learn More About Clickjacking

Tech news sites such as ZDnet have reported that clickjacking is a potentially serious threat that can affect any browser.

Clickjacking in a Nutshell

Briefly, clickjacking is accomplished by a malicious page hiding behind what appears to be a safe page.   When you click on an item, your computer is “clickjacked” by the malicious code, which then hijacks various components of your computer.  This occurs without your knowledge.

Typically, webcams are hijacked, but the clickjacking code can affect other areas of your computer equipment.   For example, your microphone or sound system can be exploited, or your computer can be taken over in other ways.

Adobe’s Flash Player was particularly vulnerable to clickjacking threats; however, Adobe has come out with a fix to address the issue.

What Browsers are Affected?

Clickjacking is a malicious piece of code that can affect any Internet browser. Merely disabling javascript will not fix it.

A “No Script” add-on that works with Firefox is the only known solution.

Problems with the Clickjacking Fix

After using No Script for a week or so, I disabled it because it made web surfing a chore. Virtually every site I visted was blocked to some degree because the page contained common elements such as javascript, affiliate ads or YouTube videos.  For instance, the following were all blocked by No Script:

  • Google Analytics
  • Pepperjam network
  • Peelaway Ads
  • Voxant’s newsroom
  • Chitika
  • and many, many more (see the partial list of affiliate programs and other utilities blocked by No Script).

There’s a little bit of good news for Google publishers and advertisers. Adsense is automatically whitelisted by the No Script add-on. Most of the others will need to be manually approved, and it is unlikely that the average Internet user will know that an ad is safe enough to whitelist.

If clickjacking is truly the threat that some would say that it is, and if solutions such as No Script are the only way to fight back, I can see that this situation will kill online advertising.   Even the big boys’ ads, such as those delivered by Adserver Plus, were blocked by the Firefox add-on.

Conclusion:  Maybe the Threat is Overrated

My web browsing experience is back up to speed since I’ve disabled No Script and so far I haven’t been hit by any type of clickjacking activities. It is possible that the threat is not as bad as some would claim.

The NotGuru blog has posted some videos that show exactly how clickjacking works and how to install fixes.

Tags: , , , ,

This entry was posted on Monday, November 10th, 2008 at 1:20 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>