Posted on Friday, January 30 2009 @ 7:20 CET by Thomas De Maesschalck
Security researchers discovered a "clickjacking" flaw that impacts both Google Chrome and Firefox, it enables an attacker to hijack a browser's functions by substituting a legitimate link with one of the attacker's choice.
"Attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page," Sood said within the disclosure.
While Google is working on a fix, a representative for the Australian arm of the company pointed out that clickjacking can affect all browsers, not just Chrome.
"The (clickjacking) issue is tied to the way the Web and Web pages were designed to work, and there is no simple fix for any particular browser. We are working with other stakeholders to come up with a standardized long-term mitigation approach," they said.
However, Nishad Herath, an independent security researcher and CEO of Australian security consultancy Novologica, told ZDNet.com.au that after running Sood's proof of concept he found that Internet Explorer 8 (release candidate 1 and beta 2 versions) and Opera 9.63 (the latest version) were not exposed to the flaw. But, like Chrome, Firefox 3.0.5 was exposed.
More info
at CNET.
