The Clickjack Fix and Its Side Effects

November 14th, 2008 • RelatedFiled Under

Learn More About Clickjacking

ZDnet and other technical news sites have reported that clickjacking — a potentially serious threat — can affect any browser.

A Look at Clickjacking

In laymen’s terms, clickjacking happens when a malicious page is hiding behind what appears to be a safe webpage.   When you click on an item, your computer is “clickjacked” by the malicious code, which then hijacks various components of your computer.This takes place without your knowledge.

Generally, webcams are hijacked, but clickjacking is not limited to affecting a cam. For example, your sound system or microphone can be exploited, or your computer can be taken over in other ways.

Particularly vulnerable to clickjacking was Adobe’s Flash Player, but Adobe has issued a fix that addresses the issue.

What Browsers are Safe?

Clickjacking is a malicious code that affects virtually all Internet browsers. There is no quick fix, such as disabling javascript.

The only known solution is a “No Script” add-on that works with Firefox.

Problems with the Clickjacking Fix

After using No Script for a week or so, I disabled it because it made web surfing a chore. Every site that I visited was blocked to some degree or another because the site contained YouTube videos, ads or javascript coding.  For instance, the following were all blocked by No Script:

  • Google Analytics
  • Pepperjam network
  • Peelaway Ads
  • Voxant’s newsroom
  • Chitika
  • and many, many more (see the partial list of affiliate programs and other utilities blocked by No Script).

There’s a little bit of good news for Google publishers and advertisers. Adsense is automatically whitelisted by the No Script add-on. Most of the others will need to be manually approved, and it is unlikely that the average Internet user will know that an ad is safe enough to whitelist.

If clickjacking is as bad of a problem as some say it is and if No Script and similar “script blocking” solutions are the only ways to fight back, then online advertising could take a major hit. Adserver Plus, Doubleclick and other big ad networks were blocked by the No Script add-on.

Conclusion:  Maybe the Threat is Overrated

My web browsing experience is back up to speed since I’ve disabled No Script and so far I haven’t been hit by any type of clickjacking activities. It is possible that the clickjacking threat is overrated.

The NotGuru blog has posted some videos that show exactly how clickjacking works and how to install fixes.

  

Post a Response

  • Popular

    Most Comments

    Search

    Tags

    Archives