Security Alert: How To Stop Firefox Clickjacking Exploit Attack

September 26, 2008 · 6 comments · Last updated September 26, 2008


A really scary exploit is in the wild. It affects all browsers under every desktop operating system, including MS IE, Firefox, Apple Safari and Opera on Linux and elsewhere, as well as Adobe Flash. Any website that uses CSS, Flash and IFRAMEs (commonly used to serve ads) can be used to attack end users: the attacker is able to take control of the links that your browser visits. From the article:

In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

According to victims on several Web forums, the attack is coming from Adobe Flash-based advertising on legitimate sites — including Newsweek, Digg and MSNBC.com.

How do I stop Clickjacking under Firefox?

There are two solutions.

Option #1: Disable everything

Disable scripting and plugins such as Flash for the time being under Firefox (except Adblock Plus or the NoScript add-on). I've no idea how to do this under IE or other browsers. Under Firefox click on Tools > Add-ons > select each plugin and disable it.

Fig.01: Disable scripting and plugins

Shut down the browser. Next, remove Adobe Flash from the system using apt-get, or delete it from the browser's plugins directory. If Firefox 3 is installed at /opt/firefox/, change directory to /opt/firefox/plugins:
# cd /opt/firefox/plugins
Delete Flash and the other plugin files (note that this removes every plugin in that directory and cannot be undone; move the files to a backup directory instead if you want to restore them later):
# rm *
This should work for other browsers too.

Option #2: Use Noscript To Stop Attack

Download the latest version of the NoScript Firefox add-on. NoScript for Firefox pre-emptively blocks malicious scripts and allows JavaScript, Java and other potentially dangerous content only from sites you trust. Once installed, restart Firefox. Click on the NoScript icon located in the bottom-right status bar > select Options > click on Forbid IFRAME > OK

Fig.02: Mitigation for Clickjacking under Firefox with NoScript Plugin
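The NoScript setting above blocks IFRAMEs on the user's side; the counterpart on the site owner's side is to tell browsers that the page must not be framed at all. The script below is an added example, not code from the original post or from the NoScript project: it evaluates whether a given set of HTTP response headers would let one origin frame another, using the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive, both of which browsers adopted after this post was written. Every header set and hostname in it is constructed for the example.

```python
"""Evaluate whether a page's HTTP response headers permit it to be framed.

Added example, not part of the original post. X-Frame-Options and the
CSP frame-ancestors directive are the site-side defences against
clickjacking; the sample header sets and hostnames below are constructed.
"""
from urllib.parse import urlsplit


def _origin(url):
    """Return scheme://host[:port] for a URL, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def _host_source_matches(source, framer_origin):
    """Simplified CSP host-source match: scheme (only if the source names one),
    host or '*.host' wildcard, and port only when the source states one."""
    f = urlsplit(framer_origin)
    scheme, sep, rest = source.partition("://")
    if not sep:
        rest, scheme = source, None
    elif scheme.lower() != f.scheme:
        return False
    host, _, port = rest.partition(":")
    host = host.lower()
    if port and str(f.port or "") != port:
        return False
    if host == "*":
        return True
    if host.startswith("*."):
        # '*.example.com' matches subdomains but not example.com itself
        return f.hostname.endswith(host[1:])
    return f.hostname == host


def framing_allowed(headers, page_url, framer_url):
    """Return True if a browser honouring these headers would let framer_url
    embed page_url in an IFRAME. headers is a dict of response headers
    (names are case-insensitive). When both are present, frame-ancestors
    takes precedence over X-Frame-Options, as the CSP specification says."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = _origin(page_url), _origin(framer_url)

    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = value.split()
        # An empty source list is equivalent to 'none'
        if not sources or "'none'" in (s.lower() for s in sources):
            return False
        for s in sources:
            if s.lower() == "'self'":
                if framer == page:
                    return True
            elif _host_source_matches(s, framer):
                return True
        return False

    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return framer == page
    # ALLOW-FROM was honoured by only a few browsers; treat unknown or
    # absent values as "no protection", which is what browsers do.
    return True


# Constructed sample responses, named after how a site owner configured them.
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-partner": {"Content-Security-Policy":
                    "default-src 'self'; frame-ancestors 'self' https://*.partner.example"},
}


def audit(page_url, framer_url):
    """Map each sample configuration to whether framer_url may frame page_url."""
    return {name: framing_allowed(hdrs, page_url, framer_url)
            for name, hdrs in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    # Hypothetical hostnames: a banking page and an ad-serving page
    for name, ok in audit("https://bank.example/transfer",
                          "https://evil.example/ad.html").items():
        print(f"{name:15} framable by evil.example: {ok}")
```

Running the script prints a verdict for each sample configuration; to audit a live site, pass the headers of a real response into framing_allowed() instead of the constructed samples. The host-source matcher is deliberately simplified: it ignores paths and treats a source without a port as matching any port.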

Bonus option #3: Use Lynx

Lynx and other text-based browsers are not affected by this exploit. Lynx is a free, open-source, text-only Web browser. Recent versions work under Mac OS X, all versions of Windows and UNIX-like operating systems. Install lynx using the apt-get or yum command:
# apt-get install lynx
OR
# yum install lynx

Further readings:

  1. More info about clickjacking
  2. NoScript plugins
  3. Clickjacking demo / proof of concept demo (warning: it will hijack your clipboard; to stop it, just close the browser.)
  4. Clickjacking: Researchers raise alert for scary new cross-browser exploit
1 Tim September 26, 2008 at 2:50 pm

This “fix” is heavy handed, and the fix will not work for most users. It takes away some of the most useful features of a modern web browser. The open source community of programmers should address this browser vulnerability ASAP.

Lynx and Links will not suffice.

2 Greg September 26, 2008 at 4:43 pm

Is this april fools?
Where does the quoted text come from?
And where is the link to the mozilla bugzilla?

3 Jaroslav Smid September 26, 2008 at 7:57 pm

They can gain links you visited even if you use NoScript or disable all plugins unless you disable CSS! There is a :visited selector in CSS that can eventually contain a URI, e.g. for a background pointing to a PHP script, that the browser will make a request for when the URI has been visited.
And who cares … they can only get links: they can’t get any password or private data as the link must be the exact one. They can know that I visited paypal.com a few minutes ago, but they don’t know anything else.

4 nixCraft September 26, 2008 at 9:07 pm

Is this april fools?
Noop, the quote is taken from the last link.

5 jimbob October 9, 2008 at 8:36 pm

Here’s a better way: Take a sledgehammer and smash your computer. That way you are guaranteed not to be a victim.

6 Gil October 9, 2008 at 11:19 pm

Ha! Lynx is still my favorite browser. Works so well, and even when you abort Quit, it happily says “Excellent!!”. Now, what other browser does that??
