Clickjacking
From Wikipedia, the free encyclopedia
Clickjacking[1][2][3] is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.[4] A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.[5]
Clickjacking (a term coined by Jeremiah Grossman and Robert Hansen in 2008) can be understood as an instance of the Confused deputy problem [1]. A simple countermeasure is to use framekiller JavaScript to prevent the site from being included in a frame.
Contents |
[edit] Example
Clickjacking, also known as UI Redressing, is possible not because of a software bug, but because seemingly harmless features of web pages can perform unexpected actions.
A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The users think that they are clicking the visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page, and therefore the attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page.
For example, a user might play a game in which they have to click on some buttons, but another authentic page like a web mail site from a popular service is loaded in a hidden iframe on top of the game. The iframe will load only if the user has saved the password for its respective site. The buttons in the game are placed such that their positions coincide exactly with the select all mail button and then the delete mail button. The consequence is that the user unknowingly deleted all the mail in their folder while playing a simple game. Other known exploits have been tricking users to enable their webcam and microphone through flash which since has been corrected by Adobe, tricking users to make their social networking profile information public, make users follow someone on twitter, etc.
[edit] Prevention
Mozilla Firefox has no native protection against Clickjacking. Protection against clickjacking can be added by installing the NoScript add-on: its ClearClick[2] feature, released on 8 October 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all the types of Clickjacking (i.e. frame-based and plugin-based).[6]
On the server side, web site owners can protect their users against UI Redressing (frame based Clickjacking) by including a Framekiller JavaScript snippet in those pages they do not want to be included inside frames by other pages from different sources.[7]
Unfortunately, such JavaScript-based protection is not always reliable, especially on Internet Explorer[7] where this kind of countermeasure can be circumvented "by design" by including the targeted page inside an <IFRAME SECURITY=restricted> element.[8]
On 26 January 2009, Microsoft released RC1 of Internet Explorer 8 which includes a new partial ClickJacking prevention option: web site developers will be able to add a tag in a page header that will help detect and prevent frame-based UI Redressing. According to Microsoft, IE 8 “will detect sites that insert the tag and give users a new error screen indicating that the content host has chosen not to allow their content to be framed, while giving users the option to open the content in a new window.” [9] According to NoScript's developer Giorgio Maone, though, this feature can be regarded as a work-around for Framekillers being broken on IE, and "if a web site owner is skilled and careful enough to implement" this countermeasure, "he will surely deploy the simple and understood JavaScript frame busting one-liner too, and every browser is equally protected".[8]
However, both Framekillers and IE8's mitigation approach require web developers to actively protect vulnerable pages by modifying their content or the way they are served, and even on "protected" pages they cannot prevent plugin-based Clickjacking variants, which don't need frames. Therefore the NoScript add-on for Firefox still remains the only free product providing automatic client-side protection, with no need for awareness and cooperation from the web site authors.[7]
[edit] References
- ^ Robert McMillan (2008-09-17). "At Adobe's request, hackers nix 'clickjacking' talk". PC World. http://www.pcworld.idg.com.au/index.php/id;979405561. Retrieved on 2008-10-08.
- ^ Megha Dhawan (2008-09-29). "Beware, clickjackers on the prowl". India Times. http://infotech.indiatimes.com/quickiearticleshow/3543527.cms. Retrieved on 2008-10-08.
- ^ Dan Goodin (2008-10-07). "Net game turns PC into undercover surveillance zombie". The Register. http://www.theregister.co.uk/2008/10/07/clickjacking_surveillance_zombie/. Retrieved on 2008-10-08.
- ^ Fredrick Lane (2008-10-08). "Web Surfers Face Dangerous New Threat: 'Clickjacking'". newsfactor.com. http://news.yahoo.com/s/nf/20081008/bs_nf/62355. Retrieved on 2008-10-08.
- ^ Sumner Lemon (2008-09-30). "Business Center: Clickjacking Vulnerability to Be Revealed Next Month". http://www.pcworld.com/businesscenter/article/151677/clickjacking_vulnerability_to_be_revealed_next_month.html. Retrieved on 2008-10-08.
- ^ Giorgio Maone (2008-10-08). "Hello ClearClick, Goodbye Clickjacking". hackademix.net. http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/. Retrieved on 2008-10-27.
- ^ a b c Michal Zalevski (2008-12-10). "Browser Security Handbook, Part 2, UI Redressing". Google Inc.. http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing). Retrieved on 2008-10-27.
- ^ a b Giorgio Maone (2008-10-27). "Hey IE8, I Can Has Some Clickjacking Protection". hackademix.net. http://hackademix.net/2009/01/27/ehy-ie8-i-can-has-some-clickjacking-protection/. Retrieved on 2008-10-27.
- ^ Mary Jo Foley (2009-01-26). "Near-final IE 8 test build ready for download". http://blogs.zdnet.com/microsoft/?p=1846. Retrieved on 2009-01-26.
[edit] External links
- Original paper on Clickjacking
- Yahoo! News[3]
- ClickJacking Links collected by Steve Gibson of GRC.com
- Waterken article on ClickJacking and Capability-Based Security