Cool Beans

The recent drama behind a grave browser vulnerability called clickjacking has caused the discoverers to pull their speech/presentation from the agenda today, the first day of the OWASP NYC AppSec 2008 Conference. Clickjacking refers to code that forces a user visiting a web page to click on anything the code-writer desires. Put another way, visit a page, click anything, and something else is substituted and you won't even know. The implications are far-reaching: Initiating XSS, forging ad click-throughs, linking bad exploits, and a whole lot of other potentially bad things beyond my understanding. 

Speakers RSnake and Jeremiah Grossman said they were working a for a few months on a proof-of-concept to be demo'd today at the conference. But at Adobe's request they decided to do "responsible disclosure" and would wait until Adobe had a chance to respond to the problem. While not specifically Adobe's problem, the exploit was instead described as inherently a browser problem with far-reaching effect on non-browser vendors. The vibe throughout their explanation was: It's that bad. They said they also notified other vendors including names dropped like Cisco, and the "two main browser vendors" Mozilla and Microsoft. (When one attendee asked, "What about Google Chrome?" RSnake replied, "I have no interest in going after the little guys...".)

The duo spoke in generalized and NDA terms to the conference attendees during a Q&A session.

Here is an audio recording I made of that conference Q&A session:

• Clickjacking_Censored_OWASP_NYC_08.MP3 (mp3, 22.6MB)

Update 10/7/08: RSnake and Grossman released a summary of the exploits, including how a Flash Player can be used to surreptitiously activate the microphone and webcam.