Back to Top

Friday, January 09, 2009

Hack the Gibson #168

Read the reason for these posts. Read Steve Gibson's response.

Steve Gibson gets the description of the attack wrong (backwards):

It's possible to have something hiding below the surface, literally on, like, a layered page, where the user clicks on what they see, but what they're actually clicking on is content on the page behind.

In fact, looking at a professional description, we find that the GUI which needs to be clicked is placed in front of the page and then either is made invisible (so that you are clicking it, even though you are thinking that you click the stuff behind it) or it is only partially shown (ie just the part you need to click) in a misleading context (as shown on the GNU Citizen page I linked to).

An other inaccuracy: they talk about tricking you into doing something on eBay for example, and how they need to convince you to log in using your (presumably) stored credentials:

Leo: There's always a lot of trial and error in getting this to work. So they would have to do some clickjacks that would assume you're already logged in, and some that assume that you're not, but that your password's autofilling.

Steve: Yup.

This, in fact, is not necessary. It is quite easy to detect if you are logged in to an arbitrary site. See one example here (there are other ways too, mainly by detecting if a resource - which is available when you are logged in and isn't when you are not - can be loaded.

Finally, they don't mention all the ways to protect against this. Here is a much more complete list:

  • Update to Flash 10. Make sure that you independently confirm your Flash version (with something like Secunia PSI, which I'm a big fan of), since I found that sometimes the new version only gets loaded after you restart your computer. Also, remember that there are separate installers for Internet Explorer and "the rest of the world". Just because you updated in IE, it doesn't mean that FF or Opera is updated and vice-versa.
  • Don't let the browser save your passwords
  • Log out of site when you finished using them.
  • If possible, use an alternative browser to do your "sensitive" (ie. eBay, banking, etc) browsing (for example, if you are using FF usually, use Opera for that)


Post a Comment

You can use some HTML tags, such as <b>, <i>, <a>. Comments are moderated, so there will be a delay until the comment appears. However if you comment, I follow.