CompuSkills Blog Accessible Web Design, IT and Information Security
    Nov 16

    Clickjacking has been a hot topic for the past couple of months. It is an issue that can affect pretty well any graphical browser; about the only platform immune to it is a text-mode browser such as Lynx, which cannot lay one page invisibly over another.

    Wikipedia defines clickjacking as:

    a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, clickjacking takes the form of embedded code or script that can execute without the user’s knowledge, such as clicking on a button that appears to perform another function.

    Robert Hansen and Jeremiah Grossman have released a few items of information about what it is and how to prevent it, but their full presentation has been deferred until later this month, by which time there should be a solution to the Adobe issue at least.

    According to a story in the Register, among the most disturbing reported aspects of clickjacking is the capacity to turn the PC user’s microphone and webcam into snooping devices. This was reportedly achieved by a proof-of-concept game that used Flash (although it is claimed that JavaScript and DHTML could achieve the same results).

    The proof of concept is a powerful demonstration of the spooky implications behind clickjacking. The vulnerability allows a malicious webmaster to control which links a visitor actually clicks, because the click is captured by an invisible page laid over the one the visitor sees. Once lured to a booby-trapped page, a user may think he is clicking on a link that leads to Google, when in fact the click goes to a money-transfer page, a banner ad that is part of a click-fraud scheme, or any other destination the attacker chooses.

    If it’s any reassurance, the Register didn’t initially have much success at getting clickjacked in Firefox, although Internet Explorer fell to it immediately. Disabling your webcam when you aren’t actively using it is a very good start, although it won’t guarantee protection against other uses of the same trick.

    Adobe has published instructions for a Flash Player workaround to use until the issue itself is fixed.

