Clickjacking

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 87.86.255.107 at 19:45, 11 May 2012 (Cursorjacking section).

Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.[1][2][3][4] It is a browser security issue affecting a variety of browsers and platforms: a clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as a click on a button that appears to perform one function but actually performs another.[5] The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008.[citation needed] Clickjacking can be understood as an instance of the confused deputy problem.[6]

Description

Clickjacking is possible because seemingly harmless features of HTML web pages can be employed to perform unexpected actions.

A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers load another page over it in a transparent layer. The users think that they are clicking visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page, therefore the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, as the users would have been genuinely authenticated on the hidden page.

Examples

A user might receive an email with a link to a video about a news item, but another valid page, say a product page on amazon.com, can be "hidden" on top or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon.

Other known exploits include:

  • tricking users into enabling their webcam and microphone through Flash (which has since been corrected by Adobe);
  • tricking users into making their social networking profile information public;
  • making users follow someone on Twitter;[7]
  • sharing links on Facebook.[8][9]

Likejacking

Likejacking is a malicious technique of tricking users of a website into posting a Facebook status update for a site they did not intentionally mean to "like".[10] The term "likejacking" came from a comment posted by Corey Ballou[11] on the article How to "Like" Anything on the Web (Safely), which is one of the first documented postings explaining the possibility of malicious activity regarding Facebook's "like" button.[12]

According to an article in IEEE Spectrum, a solution to likejacking was developed at one of Facebook's hackathons.[13] A "Like" bookmarklet is available that avoids the possibility of likejacking present in the Facebook Like Button.[14]

Cursorjacking

Cursorjacking is a UI redressing technique that displaces the cursor from the location the user perceives. It was discovered in 2010 by Eddy Bordi, researcher at Vulnerability.fr; Marcus Niemietz demonstrated it with a custom cursor icon, and in 2012 Mario Heiderich demonstrated it by hiding the cursor.[15][16]

Prevention

Client-side

NoScript

Protection against clickjacking (including likejacking) can be added to the desktop and mobile[17] versions of Mozilla Firefox by installing the NoScript add-on: its ClearClick feature, released on 8 October 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets.[18] According to Google's "Browser Security Handbook", NoScript's ClearClick is "the only freely available product that offers a reasonable degree of protection" against clickjacking.[19] Protection from the newer cursorjacking attack was added in NoScript 2.2.8 RC1.[15]

GuardedID

GuardedID (a commercial product) includes client-side clickjack protection for users of Internet Explorer and Firefox[20] without interfering with the operation of legitimate iFrames. GuardedID clickjack protection forces all frames to become visible.

Gazelle

Gazelle is a Microsoft Research project for a secure web browser based on IE that uses an OS-like security model and has its own limited defenses against clickjacking.[21] In Gazelle, a window of a different origin may only draw dynamic content over another window's screen space if the content it draws is opaque.

Server-side

Framekiller

Web site owners can protect their users against UI redressing (frame-based clickjacking) on the server side by including a framekiller JavaScript snippet in those pages they do not want to be included inside frames from different sources.[19]

Such JavaScript-based protection, unfortunately, is not always reliable. This is especially true on Internet Explorer,[19] where this kind of countermeasure can be circumvented "by design" by including the targeted page inside an <IFRAME SECURITY=restricted> element.[22]
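As an added example (not code from the article, NoScript, or the Browser Security Handbook), the framekiller pattern written so that the page is hidden by default and revealed only when it is the top-level document; if the script is prevented from running inside a frame, the framed page therefore stays blank rather than clickable. The window and document objects are constructed stand-ins with hypothetical origins so the decision logic can be exercised outside a browser.

```javascript
// Added example: defensive framekiller. In a real page the root element is
// served with a <style>html { display: none; }</style> block, and this script
// runs immediately afterwards.

// Decide what the framekiller should do for a given window object.
//  "show" - the page is the top-level document: reveal the content
//  "bust" - the page is framed: keep it hidden and navigate the top window
function framekillerAction(win) {
  // A page is framed when its own window is not the top-level window.
  return win.self === win.top ? "show" : "bust";
}

// Apply the decision. `doc.documentElement` starts out hidden, so a page that
// never reaches the "show" branch is never rendered in a clickable state.
function runFramekiller(win, doc) {
  const action = framekillerAction(win);
  if (action === "show") {
    doc.documentElement.style.display = "block";
  } else {
    // Replace the framing top-level document with this page itself.
    win.top.location = win.self.location;
  }
  return action;
}

// Constructed stand-ins (hypothetical origins) for a top-level window and for
// the same page loaded inside a frame on another site.
function makeWindow(framed) {
  const top = { location: "https://framing-site.example/" };
  const self = framed ? { location: "https://victim.example/account" } : top;
  return { self, top };
}

// Constructed stand-in for a document whose root element is hidden by CSS.
function makeDocument() {
  return { documentElement: { style: { display: "none" } } };
}
```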

Server and client

X-Frame-Options

On 26 January 2009 Microsoft released RC1 of Internet Explorer 8, which includes a new partial clickjacking prevention option. Web site developers are able to add a page header to help detect and prevent frame-based UI redressing. IE 8, according to Microsoft, "will detect sites that insert the tag and give users a new error screen indicating that the content host has chosen not to allow their content to be framed, while giving users the option to open the content in a new window."[23]

Microsoft's suggested solution,[24][25] which has since also been implemented in the Safari,[26] Firefox,[27] Chrome[28] and Opera[29] Web browsers, is to check for a new HTTP header, X-Frame-Options. This header can take the values DENY, SAMEORIGIN, or ALLOW-FROM origin, which respectively prevent any framing, prevent framing by external sites, or allow framing only by the specified site.
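The three header values, as an added example that is not part of the article: a function that decides whether a browser honouring X-Frame-Options would render the page inside a frame, compared by origin rather than by path. The URLs are constructed; in a Node.js server the header itself is set with `res.setHeader("X-Frame-Options", "SAMEORIGIN")`.

```javascript
// Added example: evaluate an X-Frame-Options value the way a browser that
// honours the header does. Origins in the tests are constructed.

// Reduce a URL to its origin (scheme://host[:port]). Framing decisions
// compare origins, never paths, so https and http count as different.
function originOf(url) {
  return new URL(url).origin;
}

// Decide whether `pageUrl`, served with header value `xfoValue`, may be shown
// inside a frame whose top-level document is `topUrl`.
// Returns "allow" or "deny".
function framingDecision(xfoValue, pageUrl, topUrl) {
  const value = xfoValue.trim();
  const upper = value.toUpperCase();   // the value is case-insensitive

  if (upper === "DENY") {
    return "deny";                     // never frameable, not even by itself
  }
  if (upper === "SAMEORIGIN") {
    return originOf(pageUrl) === originOf(topUrl) ? "allow" : "deny";
  }
  if (upper.startsWith("ALLOW-FROM ")) {
    // Exactly one origin may frame the page.
    const allowed = value.slice("ALLOW-FROM ".length).trim();
    return originOf(allowed) === originOf(topUrl) ? "allow" : "deny";
  }
  // An unrecognised value gives no protection: the page stays frameable.
  return "allow";
}
```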

References

  1. ^ Robert McMillan (17 September 2008). "At Adobe's request, hackers nix 'clickjacking' talk". PC World. Retrieved 8 October 2008.
  2. ^ Megha Dhawan (29 September 2008). "Beware, clickjackers on the prowl". India Times. Retrieved 8 October 2008.
  3. ^ Dan Goodin (7 October 2008). "Net game turns PC into undercover surveillance zombie". The Register. Retrieved 8 October 2008.
  4. ^ Fredrick Lane (8 October 2008). "Web Surfers Face Dangerous New Threat: 'Clickjacking'". newsfactor.com. Retrieved 8 October 2008. [dead link]
  5. ^ Sumner Lemon (30 September 2008). "Business Center: Clickjacking Vulnerability to Be Revealed Next Month". Retrieved 8 October 2008.
  6. ^ The Confused Deputy rides again!, Tyler Close, October 2008
  7. ^ Daniel Sandler (12 February 2009). "Twitter's "Don't Click" prank, explained (dsandler.org)". Retrieved 28 December 2009.
  8. ^ Krzysztof Kotowicz (21 December 2009). "New Facebook clickjacking attack in the wild". Retrieved 29 December 2009.
  9. ^ BBC (3 June 2010). "Facebook "clickjacking" spreads across site". BBC News. Retrieved 3 June 2010.
  10. ^ Cohen, Richard (31 May 2010). "Facebook Work - "Likejacking"". Sophos. Retrieved 5 June 2010.
  11. ^ Ballou, Corey (2 June 2010). ""Likejacking" Term Catches On". jqueryin.com. Retrieved 8 June 2010.
  12. ^ Perez, Sarah (2 June 2010). ""Likejacking" Takes Off on Facebook". readwriteweb.com. Retrieved 5 June 2010.
  13. ^ Kushner, David (June 2011). "Facebook Philosophy: Move Fast and Break Things". spectrum.ieee.org. Retrieved 15 July 2011.
  14. ^ Perez, Sarah (23 April 2010). "How to "Like" Anything on the Web (Safely)". ReadWriteWeb. Retrieved 24 August 2011.
  15. ^ a b Krzysztof Kotowicz (18 January 2012). "Cursorjacking Again". Retrieved 31 January 2012.
  16. ^ Aspect Security. "Cursor-jacking attack could result in application security breaches". Retrieved 31 January 2012.
  17. ^ Giorgio Maone (24 June 2011). "NoScript Anywhere". hackademix.net. Retrieved 30 June 2011.
  18. ^ Giorgio Maone (8 October 2008). "Hello ClearClick, Goodbye Clickjacking". hackademix.net. Retrieved 27 October 2008.
  19. ^ a b c Michal Zalewski (10 December 2008). "Browser Security Handbook, Part 2, UI Redressing". Google Inc. Retrieved 27 October 2008.
  20. ^ Robert Hansen (4 February 2009). "Clickjacking and GuardedID ha.ckers.org web application security lab". Retrieved 30 November 2011.
  21. ^ Wang, Helen J.; Grier, Chris; Moshchuk, Alexander; King, Samuel T.; Choudhury, Piali; Venter, Herman (August 2009). "The Multi-Principal OS Construction of the Gazelle Web Browser" (PDF). 18th USENIX Security Symposium, Montreal, Canada. Retrieved 26 January 2010.
  22. ^ Giorgio Maone (27 October 2008). "Hey IE8, I Can Has Some Clickjacking Protection". hackademix.net. Retrieved 27 October 2008.
  23. ^ Mary Jo Foley (26 January 2009). "Near-final IE 8 test build ready for download". Retrieved 26 January 2009.
  24. ^ Eric Lawrence (27 January 2009). "IE8 Security Part VII: ClickJacking Defenses". Retrieved 30 December 2010.
  25. ^ Eric Lawrence (30 March 2010). "Combating ClickJacking With X-Frame-Options". Retrieved 30 December 2010.
  26. ^ Ryan Naraine (8 June 2009). "Apple Safari jumbo patch: 50+ vulnerabilities fixed". Retrieved 10 June 2009.
  27. ^ "The X-Frame-Options response header". MDC. https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
  28. ^ Adam Barth (26 January 2010). "Security in Depth: New Security Features". Retrieved 26 January 2010.
  29. ^ "Web specifications support in Opera Presto 2.6". 12 October 2010. Retrieved 22 January 2012.