FAQ: Clickjacking -- should you be worried?

Nearly all browsers are vulnerable to this new attack class, but details are scarce

How bad is clickjacking?

Another good question, but again, the answer's a little dodgy. "Attackers can do quite a lot," Grossman said in a blog post two weeks ago when he and Hansen announced that they'd pulled their presentation. "Some things that could be pretty spooky."

Not everyone's convinced this is a big deal, however. "The difficult thing is finding out what to do with this," said Dave Aitel, chief technology officer of Immunity, in a message to his Dailydave mailing list on Thursday.

In that same vein, there have been few sirens sounded by security teams or organizations. US-CERT (the United States Computer Emergency Readiness Team), which is under the US Department of Homeland Security umbrella, acknowledged the reports, but had no new information, and no advice except its standing recommendations for securing a browser.

Speaking of, what can I do to keep clickjackers back?

Not much at the moment.

Of the few concrete pieces of advice that have surfaced, one requires giving up the Internet as you know it, while the other will put a serious crimp in your browsing.

The first way to protect yourself from clickjacking is to switch to Lynx, an open-source text-only browser that harks back to the Web's Dark Ages: 1992. Although Lynx is better known in the Unix/Linux world, there are versions for Mac OS X and Windows.

Clickjacking won't work if you're using Lynx simply because there's no graphical content for an attacker to lay his own malicious code over. But text-only browsing is, well, so last century....

Hansen, however, said that the combination of Firefox and NoScript, an extension that blocks JavaScript, Flash and Java content, would keep you safe from "a very good chunk of the issues, 99.99 percent at this point."

NoScript, which can be downloaded free of charge, has its drawbacks, though: Unless a user manually enables content that is switched off by default, many sites will either be unusable or prohibitively limited.

Take note: Giorgio Maone, the creator of NoScript, posted a very interesting entry on his blog Saturday that spells out the add-on's contribution to the clickjacking story. It's well worth reading.

When will the clickjacking problems be patched?

That's a toughie.

Hansen had no clue, really -- although he was certain that the only sensible solution is for the browser makers -- Microsoft, Mozilla, Apple, Opera, Google and others -- to build protection into their applications. "The only people who can fix this in a scalable way are the browser vendors," he said.

He and Grossman have connected with Microsoft, Mozilla and Apple so far, companies that together account for more than 98 percent of the current browser market share. "All are working on solutions," Hansen said, though he's unsure just how high they're prioritizing the problem.
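The browser-built-in protection Hansen calls for here later took the form of the X-Frame-Options response header and the CSP frame-ancestors directive. The following is an added example, not code from the article or from the researchers, that audits a site's own response headers against both and reports whether a given embedding origin could frame the page; the header values, origins and partner domain are constructed.

```javascript
// Added example, not from the article: audit a server's response headers for the
// browser-enforced anti-framing controls that shipped after this story (X-Frame-Options,
// CSP frame-ancestors) and report whether a document at embedderOrigin could frame the page.
const DEFAULT_PORT = { https: "443", http: "80" };

// Parse "scheme://host:port" (scheme and port optional; "*" allowed in host and port).
function splitOrigin(s) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?$/i.exec(s.trim());
  if (!m) throw new Error(`bad origin or source: ${s}`);
  return { scheme: (m[1] || "").toLowerCase(), host: m[2].toLowerCase(), port: m[3] || "" };
}
function origin(s) {                         // a concrete origin: scheme required, default port applied
  const o = splitOrigin(s);
  if (!o.scheme) throw new Error(`origin needs a scheme: ${s}`);
  return { ...o, port: o.port || DEFAULT_PORT[o.scheme] || "" };
}

// Does one CSP source expression match the embedding document's origin?
function sourceMatches(expr, embedder, self) {
  if (expr === "'none'") return false;
  if (expr === "*") return true;
  if (expr === "'self'") return ["scheme", "host", "port"].every(k => embedder[k] === self[k]);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return embedder.scheme === expr.slice(0, -1).toLowerCase();
  const src = splitOrigin(expr);
  const scheme = src.scheme || self.scheme;     // schemeless host-source inherits the page's scheme
  const hostOk = src.host.startsWith("*.")
    ? embedder.host.endsWith(src.host.slice(1))  // "*.a.example" matches "b.a.example", not "a.example"
    : embedder.host === src.host;
  const port = src.port || DEFAULT_PORT[scheme] || "";
  return scheme === embedder.scheme && hostOk && (port === "*" || port === embedder.port);
}

// true if a page at pageOrigin served with `headers` may be framed by embedderOrigin.
// frame-ancestors, when present, takes precedence over X-Frame-Options (CSP Level 2 rule).
function canBeFramed(headers, pageOrigin, embedderOrigin) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const self = origin(pageOrigin), embedder = origin(embedderOrigin);
  const fa = (h["content-security-policy"] || "").split(";")
    .map(d => d.trim().split(/\s+/)).find(d => d[0].toLowerCase() === "frame-ancestors");
  if (fa) return fa.slice(1).some(expr => sourceMatches(expr, embedder, self));
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return sourceMatches("'self'", embedder, self);
  return true;   // no header, or a value browsers do not recognise and therefore ignore
}

const SAMPLE = {   // constructed sample responses, not captured from any real site
  noPolicy: { "Content-Type": "text/html" },
  deny: { "X-Frame-Options": "DENY" },
  cspWins: { "X-Frame-Options": "DENY",
             "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
};
```

Run `canBeFramed(SAMPLE.noPolicy, "https://bank.example", "https://evil.example")` to see the unprotected case return true, and the same call against `SAMPLE.deny` return false.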

In the meantime, Adobe Systems is working on a fix, reportedly for Flash, although Hansen refused to confirm that last week. It was Adobe that convinced the pair to ditch their planned OWASP AppSec 2008 presentation, and delay disclosing their research findings.

When will we know more about clickjacking?

Soon. Hansen and Grossman said they'll release nearly all of their research, including proof-of-concept code, when Adobe posts its patch.
