RSSClickjacking is a technique that's sometimes used by various internet nasties to get users to unwittingly click on something they didn't intend to. Javascript is used to carefully position an invisible frame under the mouse pointer. When the user attempts to click on something visible on the page, the click is transmitted to the contents of the invisible frame instead.
This has been used in the past to trick a user into clicking through a Flash security dialog, allowing the site owner to secretly access a user's web cam and microphone. A patch was issued for Flash that doesn't allow the camera to be accessed in certain scenarios, but as James Padolsey illustrates with a Twitter Clickjack attack, there are numerous other ways for this trick to be used to fool a user.
Using the basic technique of positioning an iframe over a button coupled with Twitter's 'status' URL parameter I have created a small demo which shows you just how serious (and annoying) this could be!...
What does this mean? It means anyone can update your Twitter status without you knowing! Actually, it's YOU that's updating it, you just don't know at the time.
This is a pretty harmless example but I can imagine it being used for more sinister endeavours!
If you're a Firefox user, there's a browser addon called NoScript which can protect you from these sort of attacks. Besides allowing you to control which sites are allowed to execute Javascript, Flash, and Java, it also has a built-in tool called clearClick which compares any page you view in its unaltered form and with all of its iFrame's opacity set to 100%. If there are differences, it gives you a warning that there may be a Clickjack attempt present.
I use NoScript, and while it took a little patience to get used to, I think it is the most essential tool that I have added to Firefox.
Reply to this comment