Wednesday, September 17, 2008

Browser "Clickjacking" security discussion pulled

A presentation on security flaws in Adobe software, affecting all major browsers, is not going to be given after all:
Jeremiah Grossman and Robert "RSnake" Hansen say they planned to demonstrate serious "clickjacking" vulnerabilities involving every major browser during a presentation scheduled for September 24 at OWASP's AppSec 2008 Conference in New York. They canceled their talk at the request of Adobe, one of the developers whose software is vulnerable to the weakness, they say.
This is a big, big deal in the security field, for several reasons:
  1. Jeremiah Grossman and Robert Hansen are big, big names in the "White Hat" (good guy) security research community. If they think there's a problem, guys like me listen.
  2. OWASP is possibly THE web security group. They're non-corporate, and don't sell anything, so are very credible indeed.
  3. Adobe Acrobat basically runs in any browser that you'd want to use, which kind of blows some of my advice.
It's a nasty vulnerability, if it works the way they say it does:
The pair planned to disclose flaws in the architecture of all of today's web browsers that allow malicious websites to control the links visitors click on. Once lured to a fraudulent address, a user may think he's clicking on a link that leads to Google - when in fact it takes him to a money transfer page, a banner ad that's part of a click-fraud scheme, or any other destination the attacker chooses.
While this perhaps could be fixed on the web server (as opposed to the browser), this is extremely unlikely to happen. First, it might not be possible. Second, the web server's owner would have to know about the problem in their HTML - most won't. Lastly, the web server's owner would have to care, and unfortunately, that's not a bet I'd care to risk my personal information on.
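For the server-side fix discussed above, here is an added example (not from the post or the researchers): a small audit that reads a site's response headers and reports whether the page can be framed by another site, using the two defenses browsers later adopted, the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive. The sample headers are constructed for illustration.

```python
"""Audit HTTP response headers for clickjacking (framing) protection.

Added example, not part of the original post. Sample headers below are
constructed, not captured from any real site.
"""
from typing import Dict, List, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of frame-ancestors, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_protection(headers: Dict[str, str]) -> str:
    """Classify a response as 'none', 'same-origin', 'allow-list' or 'deny'.

    CSP frame-ancestors takes precedence over X-Frame-Options when both are
    present, which is how supporting browsers resolve the conflict.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    sources = parse_frame_ancestors(lowered.get("content-security-policy", ""))
    if sources is not None:
        if not sources or sources == ["none"]:   # empty source list matches nothing
            return "deny"
        if sources == ["self"]:
            return "same-origin"
        return "allow-list"
    xfo = lowered.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "same-origin"
    # Missing, malformed, or the obsolete ALLOW-FROM form (ignored by current
    # browsers, so the whole header is dropped): treat as unprotected.
    return "none"


# Constructed sample responses for demonstration.
SAMPLES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-wins": {"X-Frame-Options": "DENY",
                 "Content-Security-Policy": "frame-ancestors https://partner.example"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:12s} -> {framing_protection(hdrs)}")
```

A page that reports "none" can be loaded in an attacker's frame, which is the condition the clickjacking technique relies on; "deny" or "same-origin" is what a site owner should aim for.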

Hansen struck a more conciliatory tone in discussing the cancellation.

"I must stress, this is not an evil 'the man is trying to keep us hackers down' situation, a la Michael Lynn vs. Cisco, or Chris Paget vs. HID, or MIT vs. MBTA and so on," he wrote, referring to some of the more visible examples of security researchers being forcibly muzzled.

Both my regular readers will remember the discussion of the Boston MBTA fiasco.

I'll post more when I find out more. As Drudge would say, "Developing ..." (gotta get me one of those flashy light thingies).
