Scott's Web Browsers Blog

By Scott Orgera, About.com Guide to Web Browsers

How Big of a Threat is Clickjacking?

Friday September 26, 2008

Robert Hansen, also known as RSnake, and Jeremiah Grossman were supposed to give a presentation at this week's OWASP AppSec conference in New York City. That presentation was never given due to the sensitive nature of the subject, "clickjacking." The duo voluntarily chose to cancel their speech, opting instead to work privately with several browser vendors as well as Adobe in an effort to shore up this critical vulnerability that they've discovered before going public with it.

So what exactly is clickjacking? Hansen and Grossman have developed proof-of-concept code that demonstrates a vulnerability in the architecture of what may turn out to be all existing Web browsers. Because of this flaw, a maliciously crafted website could trick a victim into clicking on a link leading to any destination the attacker chooses. At that point, an unwitting user could fall prey to a number of different scenarios, such as giving out personal information, downloading malware, or even surrendering control of their computer.

Further details are sketchy at the moment but what is known is that Hansen and Grossman have been working closely with Adobe since one of their products, presumably Flash, is directly affected by the vulnerability. They have also had discussions with Microsoft and Mozilla concerning clickjacking, but all of the vendors involved have kept things close to the vest thus far. However, Adobe did thank the pair for not disclosing the flaw to the public.

One unconfirmed rumor going around implies that this vulnerability is not JavaScript-related at all, so disabling scripting or using add-ons such as NoScript may not protect you. On the other hand, Hansen did post the following message on his blog: "If you’re desperate for a way to patch your browser from the issue disable scripting and plugins for the time being. More to come." Take heed, and stay tuned...



©2009 About.com, a part of The New York Times Company.

All rights reserved.