Yesterday I posted an entry explaining that smartphone users should pay attention to their web browsing to prevent clickjack attacks. That was just a general warning. Today I’d like to delve a little more into the details of smartphone clickjack attacks.
The article linked below is a prime example of why those of us who use iPhones, BlackBerrys, and similar devices should worry about clickjacking when we use our phones.
http://amyjoaquin.blogspot.com/2008/11/clickjacking-iphone-attack-by-john.html
In this article, John Resig discusses his experience at a 2008 iPhone development camp where he met some people developing JavaScript for the device. While talking to these developers he learned that they kept running into a bug that was causing some web page elements to jump off the screen. They were still there, but the user could not see them.
This concerned Resig because of its potential clickjacking implications. He got a sample test from one of the guys so that he could experiment on his own to determine whether users could actually interact with any of the elements that jumped out of the iframe.
It didn’t take long before he had confirmed his suspicions.
Apple isn’t run by a bunch of dummies, though. They quickly developed a solution to this problem, which they released with the iPhone 2.2.
That solves that problem, but it’s only a matter of time before clickjackers and other cybercriminals find a way to use the iPhone’s security against itself. After all, clickjacking uses one of the fundamental elements of the internet to trick users into doing things that they don’t even know they are doing.
Apple’s speedy update that corrected this potential clickjacking problem is one of the reasons that it’s important for people to use the latest technology instead of relying on old devices and software. If you’re still using an iPhone that uses the old software, then you’re still susceptible to this clickjack attack.
This goes for other smartphones and browsers as well.
Granted, if you hold on to the device for about ten years without making any changes, then there’s a good chance that you’ll be in the clear. Once your tech gets old enough, very few hackers will even think to focus on you. Then again, you probably won’t be able to use it for much either, so it’s kind of a win-lose situation…