SecNiche Security Driving Element of Innocuous Minds.

Optimized Derivative of Complex Security

We stick to basics, thereby reiterating the hidden elements of security from these complex systems. We respect the researchers and hackers who work effortlessly to support community at par. We believe in hunting core to deface the reality of this machine world. The Niche of Security lockdown.

Interview with SC Magazine - 28 January 2009

Directing to SC Magazine Article

http://zeroknock.blogspot.com/2009/02/more-towards-clickjacking-simulating.html

I: When and how did you discover this vulnerability?

My research is focussed on browser architectural design issues and incessant attacks that can be triggered through it. Basically, the research revolves around open source browsers like Google Chrome, Mozilla etc. Clickjacking was previously used under different terminology, but last year the techniques were actually out through sectheory. My concern is the design-level vulnerabilities in Google Chrome. Clickjacking was an outcome of the exploitation of hidden frames that were executed through a mouse-driven event. Last year SecNiche was giving vulnerabilities continuously to Chrome at design level. I was actually impressed by Microsoft patching the clickjacking in Internet Explorer 8 Beta version by using a variant of the frame bursting technique. Opera did the same. That drives me to design a generic POC to be tested for other browsers, of course from my side it is Google Chrome. So SecNiche released a POC adhered to that vulnerability.

I: Were you the person who originally reported it to Google?

The attack type was released last year, which suggested that browsers were at stake of exploitation. So SecNiche was waiting to see whether the browsers were tuned against this vulnerability or not. When we realized that it was not actually done, an advisory was drafted and sent to Google. The point of talk was, if the vendors knew that for a long period of time, why vendors did not patch it.

I: Should users stop using Chrome for now?

See, I will never recommend that users stop using Google Chrome. Being an open source project, it is summed up with the efforts of a lot of researchers. I believe research begets research. So my aim is to be constructive in every sense, because security drives for community and we live by that. The motto behind the release of vulnerabilities is to develop and design a highly efficient browser for the users. That is what we aim at and I stick to it. More of it's a user choice, but Google Chrome has good features like process granularity, which I personally like a lot.

I: Do you think cybercriminals are taking advantage of this vulnerability and conducting clickjacking exploits yet?

You are quite right. That's what I mentioned, the motto behind an action matters. Yes, this vulnerability can be exploited by cyber criminals, one way or the other, to get the work done through victims. Clickjacking is one variant, but when attacks like CSRF combine with this, it will get more exhaustive and critical. I personally think vendors need to work against it. Microsoft is a perfect example for at least taking a positive step in this direction. So I personally feel applied security is required at every level. We can be secured only when we know how to secure our systems.

I: What browsers are vulnerable to clickjacking exploits?

Previously all browsers seem to be vulnerable because of the inherent iframe exploitation and manipulation. Still the signatures are positive in IE 7 and some previous versions. If we think the risk is over, actually it is not so. Many people are still using older versions where this attack can be dangerous.

Greets: