A computer security researcher has released a new browser-based tool that can be used to experiment with next-generation "clickjacking" attacks along with details of the four new techniques.
Clickjacking is a style of attack where a user is tricked into clicking on certain parts of a Web page with hidden buttons that perform malicious actions. The hidden buttons are delivered by an invisible iframe, which is a window that brings other content into the target Web site.
Clickjacking become well-known in 2008 after researchers Robert Hansen and Jeremiah Grossman discovered a kind of attack involving Adobe Systems' Flash application that could give remote access to a victim's Web camera and microphone.
Since that time, many Web sites and browser makers have taken steps to shore up their defenses, but the vast majority of sites are not protected, said Paul Stone, a security consultant with Context Information Security in the U.K. He revealed four new kinds of clickjacking attacks on Wednesday at the Black Hat conference that are effective against most Web sites and browsers.
Stone showed one demonstration that used the drag-and-drop API (application programming interface) implemented in all browsers. With some social engineering, users can be tricked into dragging an item on a Web page, which would cause text to be inserted into fields.
"There are many things that this could be used for," Stone said. "You could send fake e-mails from a user's account. You could also edit documents in some kind of document-editing system."
pcworld
Wednesday, April 14, 2010
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment