Sunday, October 12, 2008

ClickJacking - A Perspective Problem

While ClickJacking is the latest apocalyptic threat in IT Security, I wanted to point out something yet again, as I did back when Dan Kaminsky reported his DNS flaw and it became cataclysmic for its 15 minutes of fame.

I've been reading interviews, insights, write-ups and blogs on ClickJacking, and I've had so many discussions with some of you that my head spins trying to remember it all, but something I saw a couple of days (weeks maybe?) ago is staying with me, so I looked it back up and wanted to briefly talk about it.

This quote from Jeremiah Grossman is disturbing.
"Recently we're [Grossman & RSnake] told we’ve been told that it's been known by the browser vendors since 2002." [CGI Security interview, 10/5/08]

Why is this disturbing, you ask? Think about it. If this statement isn't stretching the truth (and I haven't found Jeremiah to be a sensationalist) then this has been an open, the-sky-is-falling-drop-everything issue for ~6 years. Not 6 days, months but YEARS. So the question we have to ask ourselves [but already know the answer to] is why in the world is it still an issue in 2008?

I'd love to know a few things:
  • Why did we [security professionals] not freak out about this in 2002?
  • Why haven't IE7+ and Firefox (at least?) resolved this issue dead?
  • Why hasn't the standards body [the W3] taken this up as a standards issue?
The answer is simple, so painfully simple. Functionality wins over "vulnerability" every time.

Now, if you'll excuse me I'm going to go cancel my Internet connection, put a sledge-hammer to my computers and walk around aimlessly.

EDIT: Sun. Oct 12, 2:02pm CDT

I just read Jeremiah's comment, and then started reading the link he posted to the Bugzilla post on the bug Jesse Ruderman posted first in 2002, and Robert O'Callahan's (from Mozilla) continued stance against his views. I think it is important for everyone interested in security to read that thread to really understand what we [security professionals] are up against in the world of technology. Understandably, functionality has always been, and will always be, the antithesis of security.

There is a much, much deeper conversation to be had here. If any of you are going to InfoSec World in Orlando in March, I'd like to get a "thought group" on this topic together. Email me directly and we'll put it together. I'm not saying we're going to solve anything - but maybe come up with a better way to think this through as a community.


Jeremiah Grossman said...

As evidence: iframe content background defaults to transparent - Reported: 2002-06-29 02:06 PDT by Jesse Ruderman

#1 Probably because very few were interested in webappsec that long ago. I'd imagine several long forgotten issues still exist that will come around to haunt us.

#2 Because fixing it wouldn't have increased market share.

#3 That could be said of a great many things. :)

Rafal Los said...

@Jeremiah: Shouldn't you be on vacation? Thanks for the citations though...

#1) Yes, I'm worried about what "old is new again" things are lurking in the shadows
#2) Right again. It's always about making money, not about actually increasing security.
#3) I agree - but don't you feel "betrayed" by the supposed visionaries of our industry? It's the type of fundamental issue that created the DNS chaos a few months ago... What's next? I guess it's like the old adage - "Pay me a little now, or pay me a lot later"...

This is just disappointing.

Marcin said...

You don't need to put together a thought group. That's already been done. See:

Rafal Los said...

@Marcin - OK, you got me... More like drunken philosophizing.


Anonymous said...

While it is always good to address vulnerabilities when you find out about them, it is not always optimal. Since there have been no known instances of clickjacking in the past six years, and plenty of instances of all sorts of other exploits, it seems reasonable to me to leave this one alone.

Vulnerabilities are a fact of life -- you'll never get rid of all of them, even with infinite resources. So you have to prioritize. Given the "worm era" was much more damaging, focusing on worms was a good choice.

Pete Lindstrom