Hacked websites and clickjacking

[awesometbn]

Just a quick heads up to anyone who is not using Lynx as their web browser. There is a cross site scripting (XSS) vulnerability in most browsers called clickjacking. Lynx is not vulnerable because it is a text only browser. Just google the term clickjacking for links to articles and blogs.

What is clickjacking? Why should I care? Here is one answer from Robert Hansen and Jeremiah Grossman.

Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. […]

Say you have a home wireless router that you had authenticated prior to going to a [malicious] web site. [The web site] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules.

:error:Below is an excerpt of another answer from WebMonkey,

Clickjacking is the worst sort of security risk — it’s transparent to the unwitting user, simple to implement and difficult to stop. The basic idea is that an attacker loads the content of an external site into the site you’re visiting, sets the external content to be invisible and then overlays the page you’re looking at. When you click a link you see on the current page, you are in fact clicking on the externally loaded page and about to load pretty much whatever the attacker wants.

Basically this is pretty bad and it's a big deal. You can protect yourself by using Mozilla Firefox as your browser with NoScript. There might be workarounds for other browsers that involve turning off Javascript, disabling ActiveX, and disabling IFRAME.

 

[pat J]

Ugh, i really hate javascript.

 

[DBWebDev]

This isn't an issue for internet marketers, perhaps for my Grandma who would just click on any old site on the interweb. People mainly get stung cos they don't know what they're doing, if you're careful and watch what sites you go on you should be fine. Don't think there's any need to start getting worried.

 

[erect]

Just a quick heads up to anyone who is not using Lynx as their web browser.

Lynx has a huge marketshare so 99% of internet users have nothing to worry about ... not!

 

[jryan21]

2001 called. They want their exploit back.

 

[wrstroud]

Just a quick heads up to anyone who is not using Lynx as their web browser.

phew...thank god i'm using lynx :error:

 

[zany zoroaster]

I don't know about the rest of the careless people on this forum, but I manually wget each page and interpret the raw HTML. You can't be too safe.

 

[Red_Virus]

But won't that take a lot of time !

I don't know about the rest of the careless people on this forum, but I manually wget each page and interpret the raw HTML. You can't be too safe.

 

[HarveyJ]

Shit! Does this mean I need to upgrade from Mosaic?

 

[Mahzkrieg]

Awesome responses.