Hack the Gibson #168


Read the reason for these posts. Read Steve Gibson’s response.

Steve Gibson gets the description of the attack wrong (backwards):

It’s possible to have something hiding below the surface, literally on, like, a layered page, where the user clicks on what they see, but what they’re actually clicking on is content on the page behind.

In fact, looking at a professional description, we find that the GUI which needs to be clicked is placed in front of the page and then either is made invisible (so that you are clicking it, even though you are thinking that you click the stuff behind it) or it is only partially shown (ie just the part you need to click) in a misleading context (as shown on the GNU Citizen page I linked to).

An other inaccuracy: they talk about tricking you into doing something on eBay for example, and how they need to convince you to log in using your (presumably) stored credentials:

Leo: There’s always a lot of trial and error in getting this to work. So they would have to do some clickjacks that would assume you’re already logged in, and some that assume that you’re not, but that your password’s autofilling.

Steve: Yup.

This, in fact, is not necessary. It is quite easy to detect if you are logged in to an arbitrary site. See one example here (there are other ways too, mainly by detecting if a resource – which is available when you are logged in and isn’t when you are not – can be loaded.

Finally, they don’t mention all the ways to protect against this. Here is a much more complete list:

  • Update to Flash 10. Make sure that you independently confirm your Flash version (with something like Secunia PSI, which I’m a big fan of), since I found that sometimes the new version only gets loaded after you restart your computer. Also, remember that there are separate installers for Internet Explorer and “the rest of the world”. Just because you updated in IE, it doesn’t mean that FF or Opera is updated and vice-versa.
  • Don’t let the browser save your passwords
  • Log out of site when you finished using them.
  • If possible, use an alternative browser to do your “sensitive” (ie. eBay, banking, etc) browsing (for example, if you are using FF usually, use Opera for that)
, , ,

Leave a Reply

Your email address will not be published.