I discovered that the latest Mozilla Firefox 3.1, which is in beta phase, is susceptible to clickjacking attacks. I conducted the test using two mechanisms: the first used an iframe tag in the background and a div tag, the second used a mouse event handling function.
In the first kind of attack, the attacker loads any website in the background and places a button exactly above a button on the website in the background. Now social engineering comes into the scene. Clicking the button created by the attacker actually fires the button exactly beneath it, which the user can't see. Thus the user is performing two actions at a time.
In the second kind of attack, the user is given a link directing to a well-known website; even the browser's address bar will show the link of the well-known website, but clicking it leads the user to a malicious site crafted by the attacker. So the user will be clicking on the attacker's link rather than the one he knows.
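The overlay attack described above only works if the target page lets itself be rendered inside a third-party iframe. As an added example (not code from the original post or from Mozilla), here is a small Node.js check that reads a site's HTTP response headers and reports whether a browser that honours X-Frame-Options or CSP frame-ancestors would refuse to frame the page; the header values are constructed samples, and header names are assumed to be lower-cased as Node's http module delivers them.

```javascript
// Added example: classify anti-framing headers. Not part of the original post.
// Assumes Node.js; header names are lower-case as Node's http module returns them.

function parseFrameAncestors(csp) {
  // Walk the CSP directives and return the frame-ancestors source list,
  // or null when the policy does not contain that directive.
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map((s) => s.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function assessFramingProtection(headers) {
  // When both headers are present, browsers apply CSP frame-ancestors and
  // ignore X-Frame-Options, so the CSP directive is evaluated first.
  const csp = headers['content-security-policy'];
  if (csp) {
    const sources = parseFrameAncestors(csp);
    if (sources !== null) {
      if (sources.length === 1 && sources[0] === 'none') return { protected: true, via: 'csp:none' };
      if (sources.includes('*')) return { protected: false, via: 'csp:wildcard' };
      return { protected: true, via: 'csp:allowlist' };
    }
  }
  const xfo = headers['x-frame-options'];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY' || v === 'SAMEORIGIN') return { protected: true, via: 'xfo:' + v };
    // ALLOW-FROM and unknown values are not honoured by current browsers.
    return { protected: false, via: 'xfo:unsupported' };
  }
  // Neither header: any site can load this page in a hidden iframe.
  return { protected: false, via: 'none' };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_HEADERS = {
  unprotected: { 'content-type': 'text/html' },
  xfoDeny: { 'x-frame-options': 'DENY' },
  cspNone: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  cspWildcard: { 'content-security-policy': 'frame-ancestors *', 'x-frame-options': 'DENY' },
};

for (const [name, h] of Object.entries(SAMPLE_HEADERS)) {
  console.log(name, assessFramingProtection(h));
}
```

The `cspWildcard` sample shows the caveat worth remembering: a permissive frame-ancestors directive silently overrides an X-Frame-Options DENY on the same response.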
I contacted Mozilla with the issue in their latest product and showed how it happens. In support of my claim, I also pointed out that the attacks are not possible in the updated Opera 9.63. Since the product is in beta phase, their efforts are to make it safe.
Mozilla says:
Hello Nilesh,
Thank you for contacting us with this information. We are currently tracking it regarding clickjacking and we are investigating various strategies for mitigating this type of attack. Should any questions arise regarding the material you provided, we will certainly contact you.
Best regards,
Brandon Sterne
Mozilla Security Group