Security Now 1040: Clickjacking “Whac-A-Mole”

Hosts: Steve Gibson & Leo Laporte
Date: August 27, 2025

Episode Overview

In this episode, Steve Gibson and Leo Laporte dissect a series of hot-button security and tech issues: from Germany’s threat to outlaw ad blockers, to the legal and ethical dilemmas of AI and online privacy, to the age-verification chaos hitting Mississippi social networks, and—most importantly—the reality behind the latest browser “zero-day” clickjacking vulnerability affecting password managers. The hosts provide technical breakdowns, legal context, and practical insights with their customary wit and clarity.

Key Discussion Points and Insights

1. Germany’s Supreme Court & The Fight Over Ad Blockers ([12:34]–[28:03])

Case Background: Germany’s Federal Supreme Court has reopened the debate on whether browser-based ad blockers violate copyright, after a suit by Axel Springer against AdBlock Plus was previously dismissed.
Legal Argument: Axel Springer argues manipulating a website’s browser execution (e.g., hiding/blocking ads) is copyright infringement because their code (HTML/CSS/JS) is a “protected computer program.” Modifying the DOM or rendering tree is allegedly “unlawful reproduction and modification.”
Risks & Broader Impact: Steve warns this logic could outlaw not just ad blockers, but any browser extension or privacy tool (e.g., trackers, accessibility improvements). DNS filtering that blocks ad and tracker domains could also be imperiled.

“Imagine being held liable for the loss of revenue incurred from preventing oneself being tracked across the Internet, as if trackers had the legal right to profit from tracking us. Now, that's what this amounts to.”
—Steve Gibson [17:20]

Chilling Effect: Mozilla and privacy advocates fear a chilling effect on browser freedoms and extension innovation, with developers self-censoring functionality to avoid legal risk.
Ethics of Blocking Ads vs. Using AI: Steve reflects that if using ad blockers is ethically gray, leveraging AI (which “super-ad-blocks” content by stripping ads out in summaries) may be even more so—yet has become incredibly prevalent.

“The greatest mega ad blocker ever conceived is the emerging success of AI ... AI presents its users with exactly what they want, which is completely ad-free content that was originally obtained from almost always advertising-laced and supported websites.”
—Steve Gibson [22:22]

2. The Wild West of AI, Copyright, and Legal Showdowns ([28:03]–[37:01])

Active Lawsuits: Steve lists a dozen ongoing US lawsuits pitting AI providers against publishers, image rights holders, and software developers over “scraping” and fair use.
Industry Shifts: Major AI entities (e.g., Google) are now licensing content directly from news wires like AP, signaling a move away from blanket “scrape everything for free” models if legal judgments go against fair use.
Societal Schism: Leo observes a growing rift in public and professional sentiment for/against AI, amplified by fears about job loss, privacy, and IP theft.

“I'm already seeing that happen ... people are really dividing over this. Otherwise it's just going to be a war—between those who want it and those who don't want it.”
—Leo Laporte [31:55]

3. Child Safety, Age Verification, and Platform Exodus in the US ([48:35]–[67:05])

BlueSky Suspends Mississippi Access: In response to a new state law (HB 1126) requiring all users to verify age and submit personal info before using social platforms, BlueSky has blocked access from Mississippi IPs.
Law’s Background & Implications: Triggered after a tragic teen suicide involving online sextortion, the law is named the “Walter Montgomery Protecting Children Online Act.” Critics argue it overreaches, imposes severe burdens and privacy risks on smaller/newer platforms, and sets a troubling precedent for speech and anonymity.

“Age verification systems require substantial infrastructure and developer time investments ... This dynamic entrenches existing big tech platforms while stifling innovation.”
—BlueSky statement [50:40]

Technical & Social Hurdles: Accurate geofencing is flawed (VPNs and cell routing defeat it); Steve notes the online world has no mature, privacy-preserving infrastructure for scalable, federated age verification yet.

4. News Briefs: Global Security and Legal Policy Updates ([42:02]–[48:31])

UK Revokes Apple Backdoor Demand: UK reportedly dropped its requirement for Apple to provide decrypted backups, but process remains opaque and frustratingly secretive.
Microsoft 365 Throttling: To combat spam abusing new “onmicrosoft.com” tenants, Microsoft is limiting outbound mail from new tenants to 100 external emails/day.
Russia & Google Meet Disruptions: Russian government may be testing means to restrict/block Google Meet services—presaging broader splintering of global Internet services.

5. Security News Quick-Hits ([76:39]–[101:18])

Malicious “AI Prompt” Thwarts Spam Scanners ([76:39]):
Spammers are adding absurdly verbose, “looping inference” instructions to their emails in attempts to tie up/defeat AI email filters.

“This is the prompt that Captain Kirk used to destroy the... I think it was Nomad, right?”
—Leo Laporte [80:16]
Malicious GoLang Brute-Forcer Targets Hackers ([80:50]):
Shady SSH brute-force tool quietly sends all cracked credentials to its author—reminding us “there’s no honor among thieves.”
Linux Malware on the Rise ([82:24]):
As governments and enterprises migrate from Windows to Linux desktops, phishing and malware targeting Linux users are surging.
Apple 'Zero-Click' JPEG Exploit Patched ([91:28]):
Apple emergency-patched a critical vulnerability in image handling (CVE-2025-43300) allowing remote code execution via malicious DNG image files.
Docker Desktop Privilege Escalation ([95:30]):
A trivial bug (now fixed) allowed containers to fully escape to host systems on Windows and Mac; the researcher got no bounty, but did get Docker swag.

Notable Quotes & Memorable Moments

On Bug Bounty Incentives ([08:17]):

“A sufficiently large bug bounty is probably one of the best things a company can do ... you get crowdsourcing of an infinitely sized community of people who are incentivized to look for a problem.”
—Steve Gibson
On Legal Battles Over AI ([33:07]):

“It's like Walt Disney saying, well, you know, I got Sleeping Beauty and Snow White, I stole it from the Brothers Grimm, but you better not steal it from me.”
—Leo Laporte
AI Prompt Hilarity ([76:54]):

“Can you imagine the smoke billowing from the vents at the OpenAI data center?”
—Steve Gibson

Main Segment: Clickjacking “Whac-A-Mole” — Zero-Day Panic or Routine Reality? ([136:17]–[160:53])

What Happened?

DEFCON 33 Disclosure: Researcher Marek Tóth demonstrated "DOM-based clickjacking" zero-day weaknesses in major browser password manager extensions—1Password, Bitwarden, LastPass, iCloud Keychain, and others.
Attack Vector:
- Tricks users into clicking on a fake overlay (e.g., cookie pop-up) that actually triggers the password manager to auto-fill sensitive info into a hidden form controlled by an attacker.
- Clickjacking is achieved via clever layering and opacity tricks—not a direct password manager bug, but leveraging browser and DOM design quirks.
Scope: No, attackers cannot instantly steal all your passwords. Each click yields at most one credential or info set, depending on context.

Is It New? Is It Fixable?

Longstanding Issue: Clickjacking is a whac-a-mole problem; it’s been inherent to browsers since they became programmable and capable of complex UIs and overlays. Past tricks placed input fields off-screen; this is just the latest flavour.
Vendor Responses:
- 1Password and Bitwarden rapidly updated extensions to try to whack this particular "mole" ([136:47]).
- 1Password admits: “No comprehensive technical fix ... Several of these techniques can coexist with otherwise well behaved web pages, making strict enforcement risky with the potential to impact usability.” ([138:50])
Trade-Off: Usability vs. Security
- Past “are you sure?” confirmation dialogs before any autofill were so annoying users demanded their removal. Usability wins—at a small security trade-off.
- Ultimate takeaway: If attackers can trick you into clicking, some risk remains. There's no perfect defense without making password managers frustratingly annoying.

“We as users of browser-based password managers must soberly recognize and necessarily accept the inherent and fundamental impossibility of obtaining the level of security guarantee ... that we would all like to have. It ain't gonna happen.”
—Steve Gibson [159:33]

Practical Advice

Stay Calm: No urgent need to stop using password managers in browsers, but recognize attackers may occasionally trick you into autofilling on malicious sites.
Be Vigilant: Avoid autofilling on unfamiliar websites—lock your extension when browsing sketchy sites.
Expect Ongoing Patches: Password managers and browsers will keep “whacking moles” but the war is never truly over.

Listener Q&A Highlights ([107:57]–[127:02])

SyncThing for Backups: Steve and Leo recommend Syncthing (not SyncToy) for encrypted, peer-to-peer backups—cloudless, and soon to support encrypted remote copies.
Cloud Backup Service: Steve endorses sync.com for simple encrypted cloud backups, offering TNO (Trust No One) encryption and robust controls.
AI’s Unexpected Benefits: Listener describes how AI scraping allows some small businesses to save money by offloading traffic otherwise too expensive to serve directly.
ChatGPT for Personal Recipes: A user shares using AI as a persistent, evolving digital cookbook—illustrating how flexible and surprising AI-powered tools can be.

Timestamps for Key Segments

Germany Ad Blocker Legalities: [12:34]–[28:03]
AI Lawsuits, Fair Use, Ethics: [28:03]–[37:01]
UK & Apple Backdoor / Google Meet Russia: [42:02]–[48:31]
BlueSky Pulls Out of Mississippi (Age Verification): [48:35]–[67:05]
Clickjacking “Zero Day” Password Manager Debate: [136:17]–[160:53]
Listener Q&A (Syncthing, AI recipes, etc.): [107:57]–[127:02]

Conclusion

This episode encapsulates the thorny trade-offs of our modern digital world: the push-pull between privacy and surveillance, user freedoms and publisher rights, convenience and security. Steve and Leo expertly guide listeners through technical, legal, and ethical minefields—and remind us that many so-called "security emergencies" (like clickjacking zero-days) are in reality persistent, manageable nuisances rather than existential threats.

“Absolute security is really not available within today's browser environment, within any password manager, because they're sharing the same window... that's just the way it is.”
—Steve Gibson [160:53]

Show Links:

GRC.com (Steve’s site, including SpinRite, show notes, and more)
TWiT Security Now (Podcast home)

End of summary—Security Now #1040: “Clickjacking ‘Whac-A-Mole’”

Security Now 1040: Clickjacking “Whac-A-Mole”

Hosts: Steve Gibson & Leo Laporte
Date: August 27, 2025

Episode Overview

Key Discussion Points and Insights

1. Germany’s Supreme Court & The Fight Over Ad Blockers ([12:34]–[28:03])

Case Background: Germany’s Federal Supreme Court has reopened the debate on whether browser-based ad blockers violate copyright, after a suit by Axel Springer against AdBlock Plus was previously dismissed.
Legal Argument: Axel Springer argues manipulating a website’s browser execution (e.g., hiding/blocking ads) is copyright infringement because their code (HTML/CSS/JS) is a “protected computer program.” Modifying the DOM or rendering tree is allegedly “unlawful reproduction and modification.”
Risks & Broader Impact: Steve warns this logic could outlaw not just ad blockers, but any browser extension or privacy tool (e.g., trackers, accessibility improvements). DNS filtering that blocks ad and tracker domains could also be imperiled.

“Imagine being held liable for the loss of revenue incurred from preventing oneself being tracked across the Internet, as if trackers had the legal right to profit from tracking us. Now, that's what this amounts to.”
—Steve Gibson [17:20]

Chilling Effect: Mozilla and privacy advocates fear a chilling effect on browser freedoms and extension innovation, with developers self-censoring functionality to avoid legal risk.
Ethics of Blocking Ads vs. Using AI: Steve reflects that if using ad blockers is ethically gray, leveraging AI (which “super-ad-blocks” content by stripping ads out in summaries) may be even more so—yet has become incredibly prevalent.

“The greatest mega ad blocker ever conceived is the emerging success of AI ... AI presents its users with exactly what they want, which is completely ad-free content that was originally obtained from almost always advertising-laced and supported websites.”
—Steve Gibson [22:22]

2. The Wild West of AI, Copyright, and Legal Showdowns ([28:03]–[37:01])

Active Lawsuits: Steve lists a dozen ongoing US lawsuits pitting AI providers against publishers, image rights holders, and software developers over “scraping” and fair use.
Industry Shifts: Major AI entities (e.g., Google) are now licensing content directly from news wires like AP, signaling a move away from blanket “scrape everything for free” models if legal judgments go against fair use.
Societal Schism: Leo observes a growing rift in public and professional sentiment for/against AI, amplified by fears about job loss, privacy, and IP theft.

“I'm already seeing that happen ... people are really dividing over this. Otherwise it's just going to be a war—between those who want it and those who don't want it.”
—Leo Laporte [31:55]

3. Child Safety, Age Verification, and Platform Exodus in the US ([48:35]–[67:05])

BlueSky Suspends Mississippi Access: In response to a new state law (HB 1126) requiring all users to verify age and submit personal info before using social platforms, BlueSky has blocked access from Mississippi IPs.
Law’s Background & Implications: Triggered after a tragic teen suicide involving online sextortion, the law is named the “Walter Montgomery Protecting Children Online Act.” Critics argue it overreaches, imposes severe burdens and privacy risks on smaller/newer platforms, and sets a troubling precedent for speech and anonymity.

“Age verification systems require substantial infrastructure and developer time investments ... This dynamic entrenches existing big tech platforms while stifling innovation.”
—BlueSky statement [50:40]

Technical & Social Hurdles: Accurate geofencing is flawed (VPNs and cell routing defeat it); Steve notes the online world has no mature, privacy-preserving infrastructure for scalable, federated age verification yet.

4. News Briefs: Global Security and Legal Policy Updates ([42:02]–[48:31])

UK Revokes Apple Backdoor Demand: UK reportedly dropped its requirement for Apple to provide decrypted backups, but process remains opaque and frustratingly secretive.
Microsoft 365 Throttling: To combat spam abusing new “onmicrosoft.com” tenants, Microsoft is limiting outbound mail from new tenants to 100 external emails/day.
Russia & Google Meet Disruptions: Russian government may be testing means to restrict/block Google Meet services—presaging broader splintering of global Internet services.

5. Security News Quick-Hits ([76:39]–[101:18])

Malicious “AI Prompt” Thwarts Spam Scanners ([76:39]):
Spammers are adding absurdly verbose, “looping inference” instructions to their emails in attempts to tie up/defeat AI email filters.

“This is the prompt that Captain Kirk used to destroy the... I think it was Nomad, right?”
—Leo Laporte [80:16]
Malicious GoLang Brute-Forcer Targets Hackers ([80:50]):
Shady SSH brute-force tool quietly sends all cracked credentials to its author—reminding us “there’s no honor among thieves.”
Linux Malware on the Rise ([82:24]):
As governments and enterprises migrate from Windows to Linux desktops, phishing and malware targeting Linux users are surging.
Apple 'Zero-Click' JPEG Exploit Patched ([91:28]):
Apple emergency-patched a critical vulnerability in image handling (CVE-2025-43300) allowing remote code execution via malicious DNG image files.
Docker Desktop Privilege Escalation ([95:30]):
A trivial bug (now fixed) allowed containers to fully escape to host systems on Windows and Mac; the researcher got no bounty, but did get Docker swag.

Notable Quotes & Memorable Moments

On Bug Bounty Incentives ([08:17]):

“A sufficiently large bug bounty is probably one of the best things a company can do ... you get crowdsourcing of an infinitely sized community of people who are incentivized to look for a problem.”
—Steve Gibson
On Legal Battles Over AI ([33:07]):

“It's like Walt Disney saying, well, you know, I got Sleeping Beauty and Snow White, I stole it from the Brothers Grimm, but you better not steal it from me.”
—Leo Laporte
AI Prompt Hilarity ([76:54]):

“Can you imagine the smoke billowing from the vents at the OpenAI data center?”
—Steve Gibson

Main Segment: Clickjacking “Whac-A-Mole” — Zero-Day Panic or Routine Reality? ([136:17]–[160:53])

What Happened?

DEFCON 33 Disclosure: Researcher Marek Tóth demonstrated "DOM-based clickjacking" zero-day weaknesses in major browser password manager extensions—1Password, Bitwarden, LastPass, iCloud Keychain, and others.
Attack Vector:
- Tricks users into clicking on a fake overlay (e.g., cookie pop-up) that actually triggers the password manager to auto-fill sensitive info into a hidden form controlled by an attacker.
- Clickjacking is achieved via clever layering and opacity tricks—not a direct password manager bug, but leveraging browser and DOM design quirks.
Scope: No, attackers cannot instantly steal all your passwords. Each click yields at most one credential or info set, depending on context.

Is It New? Is It Fixable?

Longstanding Issue: Clickjacking is a whac-a-mole problem; it’s been inherent to browsers since they became programmable and capable of complex UIs and overlays. Past tricks placed input fields off-screen; this is just the latest flavour.
Vendor Responses:
- 1Password and Bitwarden rapidly updated extensions to try to whack this particular "mole" ([136:47]).
- 1Password admits: “No comprehensive technical fix ... Several of these techniques can coexist with otherwise well behaved web pages, making strict enforcement risky with the potential to impact usability.” ([138:50])
Trade-Off: Usability vs. Security
- Past “are you sure?” confirmation dialogs before any autofill were so annoying users demanded their removal. Usability wins—at a small security trade-off.
- Ultimate takeaway: If attackers can trick you into clicking, some risk remains. There's no perfect defense without making password managers frustratingly annoying.

“We as users of browser-based password managers must soberly recognize and necessarily accept the inherent and fundamental impossibility of obtaining the level of security guarantee ... that we would all like to have. It ain't gonna happen.”
—Steve Gibson [159:33]

Practical Advice

Stay Calm: No urgent need to stop using password managers in browsers, but recognize attackers may occasionally trick you into autofilling on malicious sites.
Be Vigilant: Avoid autofilling on unfamiliar websites—lock your extension when browsing sketchy sites.
Expect Ongoing Patches: Password managers and browsers will keep “whacking moles” but the war is never truly over.

Listener Q&A Highlights ([107:57]–[127:02])

SyncThing for Backups: Steve and Leo recommend Syncthing (not SyncToy) for encrypted, peer-to-peer backups—cloudless, and soon to support encrypted remote copies.
Cloud Backup Service: Steve endorses sync.com for simple encrypted cloud backups, offering TNO (Trust No One) encryption and robust controls.
AI’s Unexpected Benefits: Listener describes how AI scraping allows some small businesses to save money by offloading traffic otherwise too expensive to serve directly.
ChatGPT for Personal Recipes: A user shares using AI as a persistent, evolving digital cookbook—illustrating how flexible and surprising AI-powered tools can be.

Timestamps for Key Segments

Germany Ad Blocker Legalities: [12:34]–[28:03]
AI Lawsuits, Fair Use, Ethics: [28:03]–[37:01]
UK & Apple Backdoor / Google Meet Russia: [42:02]–[48:31]
BlueSky Pulls Out of Mississippi (Age Verification): [48:35]–[67:05]
Clickjacking “Zero Day” Password Manager Debate: [136:17]–[160:53]
Listener Q&A (Syncthing, AI recipes, etc.): [107:57]–[127:02]

Conclusion

“Absolute security is really not available within today's browser environment, within any password manager, because they're sharing the same window... that's just the way it is.”
—Steve Gibson [160:53]

Show Links:

GRC.com (Steve’s site, including SpinRite, show notes, and more)
TWiT Security Now (Podcast home)

End of summary—Security Now #1040: “Clickjacking ‘Whac-A-Mole’”

wavePod

Security Now 1040: Clickjacking "Whac-A-Mole"

Powered by Wave AI

Summary

Security Now 1040: Clickjacking “Whac-A-Mole”

Episode Overview

Key Discussion Points and Insights

1. Germany’s Supreme Court & The Fight Over Ad Blockers ([12:34]–[28:03])

2. The Wild West of AI, Copyright, and Legal Showdowns ([28:03]–[37:01])

3. Child Safety, Age Verification, and Platform Exodus in the US ([48:35]–[67:05])

4. News Briefs: Global Security and Legal Policy Updates ([42:02]–[48:31])

5. Security News Quick-Hits ([76:39]–[101:18])

Notable Quotes & Memorable Moments

Main Segment: Clickjacking “Whac-A-Mole” — Zero-Day Panic or Routine Reality? ([136:17]–[160:53])

What Happened?

Is It New? Is It Fixable?

Practical Advice

Listener Q&A Highlights ([107:57]–[127:02])

Timestamps for Key Segments

Conclusion

Summary

Security Now 1040: Clickjacking “Whac-A-Mole”

Episode Overview

Key Discussion Points and Insights

1. Germany’s Supreme Court & The Fight Over Ad Blockers ([12:34]–[28:03])

2. The Wild West of AI, Copyright, and Legal Showdowns ([28:03]–[37:01])

3. Child Safety, Age Verification, and Platform Exodus in the US ([48:35]–[67:05])

4. News Briefs: Global Security and Legal Policy Updates ([42:02]–[48:31])

5. Security News Quick-Hits ([76:39]–[101:18])

Notable Quotes & Memorable Moments

Main Segment: Clickjacking “Whac-A-Mole” — Zero-Day Panic or Routine Reality? ([136:17]–[160:53])

What Happened?

Is It New? Is It Fixable?

Practical Advice

Listener Q&A Highlights ([107:57]–[127:02])

Timestamps for Key Segments

Conclusion