They know what you did online

May 6th, 2009 Priyanka Joshi

Twitter (a popular microblogging site) has been trying to fend it off after coming under attack twice. Clickjacking is the latest hazard doing the rounds on the web.

Twitter users first noticed the clickjacking prank in February and soon Twitter had shut it down. The site had tweets that carried a tag ‘Don’t Click’ followed by a link. Clicking the link took the user to a page that included a button that said ‘Don’t Click.’ Clicking the button automatically distributed the identical tweet. As imagined, this did spread pretty quickly.

Simply put, clickjacking is an attack where some bad guy slips a malicious link invisibly onto a web page or under a commonly used button on a website. When the user clicks the link or rolls the mouse over it, the user is compromised, security experts explain.

Twitter’s original fix wiped a page clean if it detected that the page had been loaded inside a malicious frame, but hackers circumvented that and Twitter was forced to come up with another fix.

It is concealed spying, say security experts. “Web pages know what web sites you’ve been to …, where you’re logged in, what you watch on YouTube, and now they can literally ‘see’ and ‘hear’ you,” wrote Jeremiah Grossman, founder and CTO of WhiteHat Security, in his blog post.

The threat has only grown with every passing day. Now, every big company that values its brand name is working to fend off clickjacking attacks. For instance, Microsoft has included a new clickjacking protection feature in Internet Explorer 8 that lets websites safeguard their pages and visitors without browser add-ons. Adobe Systems too updated its popular Flash Player to fix clickjacking-related vulnerabilities. Clickjacking is both a web and a browser problem, but the fixes are likely to come from the browser vendors.

To make matters worse, using JavaScript, an attacker could make the invisible target constantly follow the user’s mouse pointer, thereby intercepting his first click no matter where it happens on the current page. The latest version of NoScript, a Firefox browser plugin that blocks Flash, Java, and JavaScript, includes a new anti-clickjacking feature called ClearClick. It reveals transparent or concealed windows so the user can see attempts to co-opt clicks for malicious purposes.

Quite clearly, clickjacking can turn into the worst sort of security risk. Why? Because it is invisible to the unwitting user, simple to implement and difficult to stop.


Disclaimer

All the content posted in the 'Business Standard Blogs' section, unless specified otherwise, are made by Business Standard employees. The content posted in 'Business Standard Blogs' does not follow routine internal Business Standard reviews and editorial processes and should be considered only as the views and opinions of the employees and not of Business Standard.

6 Responses to “They know what you did online”

  1. priyanka Says:

    Thanks sandy…

  2. Sandy Says:

    Very informative post.

    Cheers,
    Sandy

  3. Kamayani Says:

    Just for information — A clickjacked page can trick a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The users think that they are clicking the visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page, and therefore the attackers can trick users into performing actions which the users never intended to do, and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page.

  4. Priyanka Joshi Says:

    Omigosh: Start twittering and you will see for yourself who it is meant for…!

    Jai: Don't get panicked… it's not a Twitter-specific prob… but yeah, a security threat nonetheless.

  5. Omigosh Says:

    Is Twitter for twits or is it open to smarter people as well?

  6. Jai Says:

    Does this happen with other sites too? Which sites have had it in the past? I am on Twitter but did not know that invisible malware too exists. How on earth are we to keep up with these hackers? Is there any prevention for the same?
