NoScript ClickJacking Bypass

NoScript is a free and open-source extension for Mozilla Firefox that allows executable web content such as JavaScript, Java, Flash, Silverlight and other plugins to run only if the site hosting it has previously been whitelisted.

NoScript has an advanced ClickJacking protection mechanism built in, known as ClearClick. (Clickjacking is a malicious technique of tricking users into revealing confidential information, or into handing over control of their computer, by getting them to click on seemingly innocent web elements.)

While researching Facebook worms that spread through LikeJacking (ClickJacking of Facebook Like buttons), I came across a variant of the classic ClickJacking attack that was not detected by NoScript. For the attack to work, the website serving the script had to be whitelisted; nevertheless, it was an important bypass that needed to be fixed. The bypass was based on shrinking the iframe dimensions below ClearClick's detection threshold while keeping the redressed frame effective. Coordinating with NoScript developer Giorgio Maone was a piece of cake: the vulnerability was fixed immediately in version 2.0.9.7rc1, and a stable version was pushed out a week later.

The Facebook Security Team was also contacted regarding the LikeJacking attack, but they responded by stating that:

Our anti-clickjacking mechanisms are primarily heuristic based and are focused on detecting high velocity invalid clicks. Our systems automatically invalidate these clicks once they are detected. This approach has some obvious limitations, but it does a fair job of preventing clickjacking attacks from spreading too rapidly.

Preventing Like buttons from being ClickJacked is indeed difficult, as they are currently served within an iframe, which can easily be redressed (overlaid on, or hidden behind, other page content so that the user clicks it unknowingly).
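The two points above (a size-only detection threshold that a small frame can slip under, and an iframe that is trivially redressed) can be made concrete with a defender-side heuristic. The following is an added example written for this post, not code from NoScript or ClearClick, and it is not how ClearClick actually works (ClearClick compares the rendered appearance of the clicked element). It takes a plain object of computed-style values, so it runs outside a browser; in a page you would build that object from `getComputedStyle(iframeElement)` and the parent's `overflow`. The threshold values and the field names `parentOverflow`, `sizeOnlyCheck` and `assessIframe` are assumptions of this example.

```javascript
// Added example (not part of the original post): score an <iframe>'s computed
// style for UI-redress (clickjacking) traits, contrasting a size-only threshold
// with a combined heuristic. Style objects are constructed samples, not taken
// from any real page.

// Assumed threshold for the naive size-only check (hypothetical value).
const DEFAULT_THRESHOLD = { minWidth: 50, minHeight: 50 };

function parsePx(value) {
  // "12px" -> 12; "auto" or anything unparsable -> NaN
  const n = parseFloat(String(value));
  return Number.isFinite(n) ? n : NaN;
}

// Naive detector: flags only frames smaller than a fixed size. A frame that is
// just above the threshold but fully transparent passes, which is the class of
// weakness the post describes.
function sizeOnlyCheck(style, threshold = DEFAULT_THRESHOLD) {
  const w = parsePx(style.width);
  const h = parsePx(style.height);
  return w < threshold.minWidth || h < threshold.minHeight;
}

// Collect individual indicators; each one alone is common in benign layouts.
function redressIndicators(style) {
  const reasons = [];
  const opacity = parseFloat(style.opacity);
  if (Number.isFinite(opacity) && opacity < 0.1) reasons.push('near-transparent');
  if (['absolute', 'fixed'].includes(style.position)) reasons.push('overlay-positioned');
  const z = parseInt(style.zIndex, 10);
  if (Number.isFinite(z) && z >= 1000) reasons.push('high-z-index');
  const w = parsePx(style.width);
  const h = parsePx(style.height);
  if (w > 0 && h > 0 && w * h < 2500) reasons.push('tiny-area'); // smaller than 50x50
  if (style.parentOverflow === 'hidden') reasons.push('clipped-by-parent');
  return reasons;
}

// Combined verdict: transparency is suspicious on its own; overlay positioning
// is suspicious only when paired with clipping or a tiny area, independent of
// any absolute size threshold.
function assessIframe(style) {
  const reasons = redressIndicators(style);
  const suspicious =
    reasons.includes('near-transparent') ||
    (reasons.includes('overlay-positioned') &&
      (reasons.includes('tiny-area') || reasons.includes('clipped-by-parent')));
  return { suspicious, reasons };
}

// Constructed samples (not from any real site).
const SAMPLES = {
  benign: { width: '300px', height: '200px', opacity: '1', position: 'static', zIndex: 'auto' },
  // Just above the size threshold, but invisible and stacked on top of content.
  tinyTransparent: { width: '60px', height: '60px', opacity: '0', position: 'absolute', zIndex: '9999' },
  // Full-size frame shown through a clipped container so only one control is visible.
  clipped: { width: '400px', height: '300px', opacity: '1', position: 'absolute', zIndex: 'auto', parentOverflow: 'hidden' },
};

for (const [name, style] of Object.entries(SAMPLES)) {
  console.log(name, 'size-only:', sizeOnlyCheck(style), 'combined:', assessIframe(style));
}
```

The point of the two detectors side by side is the one the post makes: a threshold on frame dimensions alone is a knob an attacker can tune around, whereas indicators tied to how the frame is presented (transparency, overlay stacking, clipping) do not depend on a magic number.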

In closing, I re-emphasize the importance of avoiding the execution of scripts and media on web pages as far as possible. Using NoScript is also advised, as it effectively prevents attacks such as XSS and ClickJacking, even on whitelisted hosts. The original proof-of-concept of the issue can be found here.
