More details on clickjacking attacks
Robert from cgisecurity has posted an interview with Jeremiah Grossman concerning the extremely hyped Clickjacking attack. It’s not much, but it gives a little more insight into the issue. Read it now.
My take:
This is yet another vulnerability from which no one is safe. There are no means of effective protection as of yet, and it is just a matter of time before the bad guys exploit this for profit. It’s kind of amazing how a group can discover a huge vulnerability that affects everyone, and most directly, the multi-billion dollar ad business to such an extreme degree, without immediate action on the vendors’ part. It’s almost as if Microsoft’s history of ignoring the worst flaws is a microcosm of the entire industry. Their mindset is usually something like this:
“If you don’t work for us, you are against us. You probably broke the law to find the bug, and therefore are a criminal. Who cares about what you found or how potentially damaging it may be. So you say you are a good samaritan? Pfft… that’s how people get trojans.”
All we can hope for is a better acceptance of the security research “market”. A bug is a bug regardless of who found it, or what their qualifications or history may be. Take this stuff seriously or pay the consequences.
You’re currently reading “More details on clickjacking attacks”, an entry on nuke it dot org
- Published:
- 10.06.08 / 1am
- Tags:
- clickjacking, crsf, dom, exploit, vulnerability
By N2H











