I just came back from the first day of OWASP AppSec Asia 2008 in Taipei. Beside two t-shirts, I got to be among the first privilege group to preview Robert Hansen’s presentation on Clickjacking. The show is scheduled for the second day, tomorrow, but I have to fly to Kuala Lumpur. How lucky am I!

Getting back to the issue, clickjacking basically borrows the user’s mouse click to click on another unintended object such as a link, or a button. For example, the website shows you a link, you click on it thinking that you will be taken to the intended location. But hey, the browser sends a request to another location!

But that’s doable with plain JavaScript too. What’s new here is the click you made could be placed on a button of an ActiveX. Scary, no? The demo showed me that, with clickjacking, bad guys could force Flash player to turn on the microphone. When you visit a HTML page, some JavaScript activates a Flash component. This component asks the Flash player to turn on the microphone and starts recording. Normally, Flash player will pop up a dialog with an OK button to ask for your permission before doing so. Now, your mouse click, that you made on the HTML page, is borrowed and used to click on that OK button. And Flash player turns on the microphone. Or maybe the webcam. Or, wait, maybe something more than that. Whatever you can do with a mouse click, clickjacking allows the attacker to “help” you do that, silently.

Thank you Robert for the preview. It was way cool!

For the HITB 2008 KL goers, Jeremiah Grossman will be presenting the keynote “The art of Click Jacking” on the first day. And I will see you there too.