Wednesday, October 22, 2008

adobe clickjacking patch is a red herring

by now i'm sure just about everyone with even the slightest interest in security has heard about clickjacking, and most have probably even heard that adobe issued a patch that addresses clickjacking...

the problem is that clickjacking isn't exclusively a flash problem, it's a browser problem that could simply do some extra things when flash is present...

specifically, without the flash patch a clickjacking attack could interact with a user's microphone and/or webcam if either is present, allowing the attacker to spy on the victim...

that's pretty scary from an emotional point of view but not very interesting from a rational point of view... the majority (though not all) of online attacks these days are financially motivated and spying on individuals in the analog world doesn't easily lend itself to traditional models of cybercrime monetization where the victims' information is stolen en masse or their hardware is used to attack others... you might be able to steal information with a webcam or microphone, maybe, but that's something that definitely does not scale so you'd need to either target someone you expect to be able to get a lot of money out of or you won't make enough for it to be worth the trouble or risk...

what an attacker might be able to do is set up some sort of peep show website where the money comes from people paying him/her for access to feeds from compromised machines, but then the attacker would need to publicize his/her service and run an increased risk of capture...

what this ignores, however, is that clickjacking is not just about spying on people (or the other flash-specific things that fall under the clickjacking umbrella), that's just something you can do when flash isn't patched... clickjacking itself is still possible even after flash has been patched and all the attention given to adobe's flash patch may well cloud the issue that there is still a very troubling set of problems with virtually all browsers and, other than using firefox with noscript, very little ordinary people can do about it at the moment that doesn't break the internet for them... so while it is technically true that adobe did release a patch that addresses clickjacking, it only addresses those aspects of clickjacking that specifically affect flash... the rest of the set of attacks collectively known as clickjacking remain a problem for web users, site owners, and browser vendors alike...
