Posted 10/10/08 at 10:46:57 AM by Paul Lilly
Those kooky hackers, what will they think of next? The latest fad sweeping the underground community involves a new type of attack (new in how it's being used, anyway) dubbed 'clickjacking,' whereby surfers click on seemingly harmless websites only to end up unknowingly forfeiting control of their webcam and microphone.
So far, clickjacking has been confirmed to affect Adobe's Flash player and every major browser, including Firefox, Internet Explorer, Opera, Safari, and yes, Google's Chrome browser too.
"It is a very serious problem," said Giorgio Maone, author of the NoScript Firefox extension. "Clickjacking is a very simple attack to build, and now that the details are out, any script kid can try it successfully. There's no estimate to the number of trap sites."
Maone went on to warn that clickjacking is impervious to signature-based scanning. Adobe has recognized the threat as being "critical" and is instructing users on how to turn off Flash access to webcams and microphones. But is it a cure-all? According to Robert Hansen, CEO of SecTheory, Flash clickjacking represents but a single variant of what could turn out to be a widespread threat, and the only real fix will be in changing existing web standards, not the individual applications themselves.
Not all hope is lost, though, and an update to Maone's NoScript extension purports to eliminate most, if not all, clickjacking attempts. NoScript 1.8.2.1 features anti-clickjacking countermeasures, the most aggressive of which is called ClearClick. The updated extension can now detect if there is a hidden, embedded element in a web page and will then display a warning. That's great for Firefox users, but no such fix exists for everyone else, at least not yet.
Anyone inclined to think twice before firing up that webcam for an intimate 'I miss you' session the next time you're away on business?
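
To make the "hidden, embedded element" check from the NoScript paragraph concrete, here is a defensive heuristic that flags embedded elements a user cannot see but can still click. This is an added example, not NoScript's or ClearClick's code; the element records, field names and opacity threshold are assumptions, and the sample page is constructed.

```javascript
// Added example: flag embedded elements that are invisible yet clickable.
// Records stand in for DOM nodes plus computed style (assumed field names).
const EMBED_TAGS = new Set(["iframe", "object", "embed"]);
const MIN_VISIBLE_OPACITY = 0.1; // assumed threshold for "user can see it"

// Opacity multiplies down the ancestor chain, so an opaque frame inside a
// transparent wrapper is still invisible to the user.
function effectiveOpacity(el, byId) {
  let opacity = 1;
  const seen = new Set(); // guard against malformed parent cycles
  for (let cur = el; cur && !seen.has(cur.id); cur = byId.get(cur.parent)) {
    seen.add(cur.id);
    opacity *= cur.opacity ?? 1;
  }
  return opacity;
}

function findHiddenClickableEmbeds(elements) {
  const byId = new Map(elements.map((e) => [e.id, e]));
  const findings = [];
  for (const el of elements) {
    if (!EMBED_TAGS.has(el.tag)) continue;
    // Elements that cannot receive a click are not a clickjacking surface.
    if (el.display === "none" || el.visibility === "hidden") continue;
    if (el.pointerEvents === "none") continue;
    if (!el.width || !el.height) continue;
    const opacity = effectiveOpacity(el, byId);
    if (opacity < MIN_VISIBLE_OPACITY) {
      findings.push({ id: el.id, tag: el.tag, opacity });
    }
  }
  return findings;
}

// Constructed sample page: one frame hidden via a transparent wrapper, one
// normal video frame, one non-clickable pixel, one nearly transparent object.
const samplePage = [
  { id: "wrap", tag: "div", parent: null, opacity: 0 },
  { id: "settings", tag: "iframe", parent: "wrap", opacity: 1, width: 215, height: 138 },
  { id: "video", tag: "iframe", parent: null, opacity: 1, width: 640, height: 360 },
  { id: "pixel", tag: "iframe", parent: null, opacity: 0, width: 1, height: 1, pointerEvents: "none" },
  { id: "faded", tag: "object", parent: null, opacity: 0.05, width: 300, height: 200 },
];

for (const f of findHiddenClickableEmbeds(samplePage)) {
  console.log(`warning: hidden clickable <${f.tag}> id=${f.id} opacity=${f.opacity}`);
}
```

A check like this only covers opacity-based hiding; embeds concealed by other means would need additional rules.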
