Email
Password
Remember meForgot password?
    Log in with Twitter

article imageClickjacking goes feral? Threat to Facebook, social sites

By Paul Wallis     Jul 8, 2010 in Internet
Clickjacking is the process of adding a hidden button to a website, and redirecting the click. This has been around for a while, but major leaguer software manufacturer PC Tools is now advertising a fix for “Facebook viruses” that clickjack.
The PC Tools blurb is indicative of the level of threat insofar as anti-clickjacking is now a selling point for this big company. The anti-clickjack spiel is part of PC Tools’ pitch for its new standard security software. The rather inaccurate description of clickjacking as a “Facebook virus” (It’s actually a described as a worm) is probably pure sales-speak. According to the BBC, which cites exactly the same process of clickjacking as PC Tools, hundreds of thousands of Facebook users were hit by a prank version. The BBC quotes security experts as saying it “could” be used to deliver malware.
OK, some people see the glass as half someone else's problem. There could well now be a real problem, after that prank attack. The big social sites are natural target practice for malware of all kinds, and prime hunting ground for clickjacking. Some of these sites aren’t “too big to fail”, but you could be forgiven for thinking they’re too big to function properly or quickly in response to threats like this.
The major browsers are vulnerable, not just the Holey Snail, Internet Explorer. Fixes are available, notably the No Script add-on, which neutralizes script functions like injection of Javascript and applets. Irritatingly, No Script is also said to work on a blacklist/whitelist mode, a Norton-like blocker of anything except allowed sites. That may not be an insurmountable hardship for users, but it’s fiddly and irritating at times when you’d prefer not to be fiddling about and irritated by the fact that you have to be fiddling about.
While the “Information Revolution” is busily undersupplying information, exactly what the big browsers are doing about it is open to discussion. Not much, if anything, is the immediate impression. There aren’t, as far as I can see, any specific anti-clickjack add-ons on Firefox’s somewhat apps-happy alerts and updates page.
Microsoft has a research project called Gazelle, which is a combination browser/operating system which can use operating system-like security on the browser. This looks very much like the cloud operating system Microsoft has previously flagged, and an anti clickjacking approach is a natural issue.
Clickjacking isn’t new software, or even a new idea. It’s an adaption of the hidden file function common on operating systems since at least Windows 98. It’s also a pretty basic version of web page making, easy to adapt to any site. Put the two together, and you get a basic version of clickjacking.
It’s also not a major step in malware beyond the clickjacking itself. The clickjack still has to translate into action, after hijacking. (You’ll have seen those mysterious pages which duplicate your search with a lot of ads, etc., on them. This is similar, but nastier.) Even on the most vacuous social site, people notice browser behavior, so there is some warning, and there are options. The best thing to do with a problem is shut down, or do nothing at all, if you’re seeing odd browser activities, or anything that doesn’t make sense.
Important: One thing clickjacking can’t do is access money without help. It needs to use malware and get personal information to get through the multi-layered security systems. On the slightest suspicion of anything not being right, do not enter any information whatsoever.
More about Clickjacking, Tools, Facebook virus
 
Latest News
Top News