Technical Article Protect Yourself From ClickJacking With FireFox And NoScript October 10, 2008 by Joe Pruitt 4773 article applications clickjacking firefox isv solutions partner security us 0 Worried about losing your personal information? Yep, me too! The updated FireFox plugin NoScript aims to thwart the recently discovered ClickJacking class of browser based security exploits. Less than a month ago a new class of browser based security exploits were discovered that allows an attacker to get you to click on a button without your knowledge thus executing malicious code or inadvertently exposing personal information. Robert Hansen of SecTheory LLC and Jeremiah Grossman of WhiteHat Security Inc coined the term "ClickJacking". From Jeremiah Grossman: Think of any button on any Web site, internal or external, that you can get to appear between the browser walls. Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users' mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. The recommended protection at this point is to use FireFox with the NoScript plugin that enables frame/plug-in blocking. But, the latest version of NoScript goes one step further with a new feature called "ClearClick" specifically aimed at protecting users against ClickJacking attacks. Rather than relying on frame/plug-in blocking, which were already available, I decided to move on and add a brand new feature, developed from scratch, for people who couldn't bear blocking frames outright, said Italian developer and security researcher Giorgio Maone in an interview on Computerworld.com. In his blog, Maone spelled out what ClearClick does in greater detail: Whenever you click or otherwise interact, through your mouse or your keyboard, with an embedded element which is partially obstructed, transparent or otherwise disguised, NoScript prevents the interaction from completing and reveals to you the real thing in 'clear'. At that point, users can decide for themselves whether to continue clicking, or free up the mouse from underlying, and potentially exploitive, content. So, don't wait, hop on over to the Mozilla AddIns site and protect yourself with NoScript. As a side note, we had a great podcast a while ago with Jeremiah Grossman that you might want to check out! -Joe last modified: October 10, 2008 1 Comment(s): 0 ClickJacking Your Way Into Office You must be logged in to post comments.