It looks like the bug never saw malicious use in the wild, because the developers who noticed it alerted Apple and kept the bug secret while it was fixed. Like other clickjacking attacks, the most likely use is to get a user to inadvertently click an ad. Although, an even more dangerous example is shown to harvest passwords.

If the StreetView and Maps additions in the latest iPhone software wasn’t enough to get you to download the free update, let this attack be reason enough.

Though the bug was apparently discovered by developer Wayne Pan, it was submitted by jQuery creator John Resig. Resig just keeps showing up for his various work. In addition to jQuery, he’s on the Firebug team at Mozilla, performance testing browsers and creating JavaScript animations.

See also:

• A Look at the ‘Clickjacking’ Web Attack and Why You Should Worry
• Hackers Are Watching You: Flash Clickjacking Vulnerability Exposes Webcams and Mics
• Flash Player 10 Solves Some, but not all ‘Clickjacking’ Attacks

The vulnerability affects all browsers with Flash Player installed, approximately 99% of browsers (that means you). Adobe has responded with the following instructions, which turns off all webcam and mic access from the internet:

1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
2. Select the “Always deny” button.
3. Select ‘Confirm’ in the resulting dialog.
4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html.

Jeremiah Greene and Robert Hanson from White Hat Security found the exploit over a month ago and were prepared to present the information to a OWASP conference. Adobe caught wind of the vulnerability and delayed the presentation to give its developers a chance to patch up the bug. Now, Greene and Hanson have gone public with the information.

A video demonstration of the attack can be found on Greene’s blog and below.

Clickjacking Camjack Demonstration from Jeremiah Grossman on Vimeo.

‘Clickjacking’ is a a newly discovered threat which invisibly places poisonous links invisibly under your mouse. When you click anywhere on the infected web page, the invisible link is activated. Unsuspecting users could then unknowingly install viruses or malware thinking they clicked on a legitimate link instead.

The attacks use existing widely used technology, such as JavaScript events, which make the abuse widely effective and difficult to prevent. The only true way to protect yourself from being a victim of clickjacking would be to turn off JavaScript via browser preferences or plug-ins like NoScript.

See Also:

• A Look at the ‘Clickjacking’ Web Attack and Why You Should Worry
• Scripting Attacks Plague Even the Web’s Largest Sites
• Firefox 3 Highlights Websites’ Security Failings
• Yahoo Takes on Malware Sites With New Security Tools