Clickjacking

From Wikipedia, the free encyclopedia

In a clickjacking attack, the user is presented with a false interface, where their input is applied to something they cannot see

Clickjacking (classified as a user interface redress attack or UI redressing) is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.[1][2][3][4][5]

Clickjacking is an instance of the confused deputy problem, wherein a computer is tricked into misusing its authority.[6]

History

In 2002, it was noted that it was possible to load a transparent layer over a web page and have the user's input affect the transparent layer without the user noticing. However, this was largely ignored as a major issue until 2008.[7]

In 2008, Jeremiah Grossman and Robert Hansen (of SecTheory) discovered that Adobe Flash Player could be clickjacked, allowing an attacker to gain access to a user's computer without the user's knowledge.[7] Grossman and Hansen coined the term "clickjacking",[8][9] a portmanteau of the words "click" and "hijacking".[7]

As more attacks of a similar nature were discovered, the term "UI redressing" was broadened to describe the whole category of these attacks, rather than just clickjacking itself.[7]

Description

One form of clickjacking takes advantage of vulnerabilities that are present in applications or web pages to allow the attacker to manipulate the user's computer for their own advantage.

For example, a clickjacked page tricks a user into performing undesired actions by clicking on concealed links. On a clickjacked page, the attacker loads another page over the original page in a transparent layer to trick the user into taking actions whose outcomes will not be what the user expects. Unsuspecting users think that they are clicking visible buttons, while they are actually performing actions on the invisible page, clicking buttons of the page below the layer. The hidden page may be one on which the user is already authenticated, since the victim's browser attaches that site's cookies to the framed page just as it would on a direct visit; the attacker can therefore trick users into performing actions which the users never intended. Such actions are hard to trace back to the attacker later, because the requests were made by a user who was genuinely authenticated to the hidden page.

Clickjacking categories

  • Classic: works mostly through a web browser[7]
  • Likejacking: utilizes Facebook's social media capabilities[10][11]
  • Nested: clickjacking tailored to affect Google+[12]
  • Cursorjacking: manipulates the cursor's appearance and location[7]
  • MouseJacking: injects keyboard or mouse input via a remote RF link[13]
  • Browserless: does not use a browser[7]
  • Cookiejacking: acquires cookies from browsers[7][14]
  • Filejacking: capable of setting up the affected device as a file server[7][15][16]
  • Password manager attack: clickjacking that utilizes a vulnerability in the autofill capability of browsers[7]

Classic

Classic clickjacking refers to a situation in which an attacker uses hidden layers on web pages to manipulate the actions a user's cursor performs, misleading the user about what is truly being clicked on.[17]

A user might receive an email with a link to a video about a news item, but another web page, say a product page on Amazon, can be "hidden" on top of or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon. The attacker gets only a single click, so the attack relies on the visitor being both logged in to Amazon and having 1-click ordering enabled.

While the technical implementation of these attacks may be challenging due to cross-browser incompatibilities, tools such as BeEF or the Metasploit Project offer almost fully automated exploitation of clients on vulnerable websites. Clickjacking may be facilitated by, or may facilitate, other web attacks such as XSS.[18][19]

Likejacking

Likejacking is a malicious technique of tricking users viewing a website into "liking" a Facebook page or other social media posts/accounts that they did not intend to "like".[20] The term "likejacking" came from a comment posted by Corey Ballou on the article How to "Like" Anything on the Web (Safely),[21] one of the first documented postings explaining the possibility of malicious activity involving Facebook's "like" button.[22]

According to an article in IEEE Spectrum, a solution to likejacking was developed at one of Facebook's hackathons.[23] A "Like" bookmarklet is available that avoids the possibility of likejacking present in the Facebook like button.[24]

Nested

Nested clickjacking places an attacker-controlled frame between two frames of the original, harmless web page: the innermost frame, which holds the targeted page, and the top-level window, which belongs to the same site. It exploited a weakness in early browser implementations of the X-Frame-Options header: when the value was SAMEORIGIN, the browser compared only the top-level window's origin with the framed page's origin, so any frames nested in between were never checked. Because additional frames could be inserted there without being detected, attackers could use this to their benefit. (Modern browsers, and the CSP frame-ancestors directive, check every ancestor in the frame chain.)

In the past, with Google+ and this faulty handling of X-Frame-Options, attackers were able to insert frames of their choice by using a weakness in Google's Image Search engine. Between the image display frames, which were also present in Google+, these attacker-controlled frames could load without restriction, allowing the attackers to mislead whoever landed on the image display page.[12]

Cursorjacking

Cursorjacking is a UI redressing technique that displaces the cursor from the location the user perceives; it was discovered in 2010 by Eddy Bordi, a researcher at vulnerability.fr.[25] Marcus Niemietz demonstrated this with a custom cursor icon, and in 2012 Mario Heiderich did so by hiding the cursor.[26]

Jordi Chancel, a researcher at Alternativ-Testing.fr, discovered a cursorjacking vulnerability in Mozilla Firefox on Mac OS X (fixed in Firefox 30.0) that combined Flash, HTML and JavaScript code and could lead to arbitrary code execution and webcam spying.[27]

A second cursorjacking vulnerability was discovered by Jordi Chancel in Mozilla Firefox on Mac OS X (fixed in Firefox 37.0), again using Flash, HTML and JavaScript code; it could likewise lead to webcam spying and to the execution of a malicious add-on, allowing malware to run on the affected user's computer.[28]

MouseJack

Unlike the other techniques, which redress a user interface, MouseJack is a wireless, hardware-based input-injection vulnerability first reported by Marc Newlin of Bastille in 2016: a nearby attacker transmits unencrypted radio packets to a vulnerable wireless mouse receiver (dongle), which accepts them as keystrokes or mouse input on the victim's computer.[29] Logitech supplied firmware patches, but other manufacturers failed to respond to this vulnerability.[30]

Browserless

In browserless clickjacking, attackers exploit weaknesses in other programs to replicate classic clickjacking without the presence of a web browser.

This method of clickjacking is mainly prevalent on mobile devices, usually Android devices, especially due to the way in which toast notifications work. Because toast notifications have a small delay between the moment the notification is requested and the moment it actually displays on screen, attackers can use that gap to create a dummy button that lies hidden underneath the notification and can still be clicked.[7]

Cookiejacking

Cookiejacking is a form of clickjacking in which cookies are stolen from the victim's web browser. The user is tricked into dragging an object that appears harmless but in fact causes the browser to select the entire content of the targeted cookie and drop it into an attacker-controlled element. In the 2011 demonstration against Internet Explorer, the cookie file was loaded into a frame and the drag was disguised as part of a game. From there, the attacker possesses the cookie and all of the data it contains.[14]

Filejacking

In filejacking, attackers abuse the browser's folder-selection dialog to read files from the victim's computer. The page disguises a "choose folder" dialog, for example as a prompt asking where to save a download; once the user picks a directory, the page can read every file in it and upload the contents, effectively turning the victim's browser into a file server for the attacker.[15]

Password manager attack

A 2014 paper from researchers at Carnegie Mellon University found that while browsers refuse to autofill if the protocol on the current login page differs from the protocol at the time the password was saved, some password managers would insecurely fill in passwords for the HTTP version of HTTPS-saved passwords. Most managers did not protect against iframe- and redirection-based attacks, and exposed additional passwords where password synchronization had been used between multiple devices.[16]

Prevention

Client-side

NoScript

Protection against clickjacking (including likejacking) can be added to Mozilla Firefox desktop and mobile[31] versions by installing the NoScript add-on: its ClearClick feature, released on 8 October 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets.[32] According to Google's "Browser Security Handbook" from 2008, NoScript's ClearClick is a "freely available product that offers a reasonable degree of protection" against clickjacking.[33] Protection from the newer cursorjacking attack was added in NoScript 2.2.8 RC1.[26]

NoClickjack

The "NoClickjack" browser extension adds client-side clickjack protection for users of Google Chrome, Mozilla Firefox, Opera and Microsoft Edge without interfering with the operation of legitimate iframes. NoClickjack is based on technology developed for GuardedID and is free of charge.

GuardedID

GuardedID (a commercial product) includes client-side clickjack protection for users of Internet Explorer without interfering with the operation of legitimate iframes.[34] GuardedID's clickjack protection forces all frames to become visible. GuardedID is paired with the NoClickjack add-on to extend protection to Google Chrome, Mozilla Firefox, Opera and Microsoft Edge.

Gazelle

Gazelle is a Microsoft Research project secure web browser based on IE that uses an OS-like security model and has its own limited defenses against clickjacking.[35] In Gazelle, a window of a different origin may only draw dynamic content over another window's screen space if the content it draws is opaque.

Intersection Observer v2

The Intersection Observer v2 API[36] introduces the concept of tracking the actual "visibility" of a target element as a human being would define it.[37] This allows a framed widget to detect when it is being covered or visually altered and to refuse to act on clicks until it is genuinely visible. The feature is enabled by default since Google Chrome 74, released in April 2019.[38] The API is also implemented by other Chromium-based browsers, such as Microsoft Edge and Opera.

Server-side

Framekiller

Web site owners can protect their users against UI redressing (frame-based clickjacking) on the server side by including a framekiller JavaScript snippet in those pages they do not want to be included inside frames from different sources.[33]

Such JavaScript-based protection is not always reliable. This is especially true on Internet Explorer,[33] where this kind of countermeasure can be circumvented "by design" by including the targeted page inside an <iframe security="restricted"> element, which disables scripting in the framed page.[39]
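As an added example (not code from the article or from any product it mentions), here is the framekiller pattern written as a function that takes the window and document explicitly, so it can be exercised against stand-ins as well as a real page. It assumes the page ships a <style>body { display: none }</style> rule, so the document is blank unless the script proves it is running at the top level; if the embedding page disables scripting (as the Internet Explorer security="restricted" trick above does), the framed copy simply stays blank instead of becoming an invisible clickable target. The names installFrameBuster, makeWindow and makeDocument are mine.

```javascript
// Added example (not from the article): a fail-closed framekiller. Assumption: the page's
// <head> contains <style>body { display: none }</style>, so nothing is clickable until this
// script confirms it owns the top-level window.
function installFrameBuster(win, doc) {
  if (win.self === win.top) {
    doc.body.style.display = 'block';       // not framed: reveal the page (inline style beats the <style> rule)
    return 'unframed';
  }
  // Framed: try to navigate the top-level window to our own URL. An attacker can sometimes
  // block this (sandboxed frames, onbeforeunload prompts); the body stays hidden regardless.
  try {
    win.top.location = win.self.location.href;
  } catch (e) {
    // cross-origin access to top.location can throw in some browsers; nothing more to do
  }
  return 'framed';
}

// Constructed stand-ins so the logic can be checked without a browser.
function makeWindow(href, top) {
  const w = { location: { href } };
  w.self = w;
  w.top = top || w;                         // a top-level window is its own top
  return w;
}
function makeDocument() {
  return { body: { style: { display: 'none' } } };   // mirrors the <style> rule assumed above
}

// In a real page, as early as possible in <head>: installFrameBuster(window, document);
```

The reason for hiding the body in CSS rather than from script is exactly the failure mode the text describes: when the attacker manages to suppress the script, a naive `if (top != self) top.location = self.location` snippet leaves the page fully rendered and clickable, whereas this version leaves it blank. Navigating top.location can still be blocked, which is why the response headers discussed below remain the primary defense.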

X-Frame-Options

Introduced in 2009 in Internet Explorer 8 was a new HTTP header, X-Frame-Options, which offered partial protection against clickjacking[40][41] and was adopted by other browsers (Safari,[42] Firefox,[43] Chrome,[44] and Opera[45]) shortly afterwards. The header, when set by the website owner, declares its preferred framing policy: DENY prevents any framing, SAMEORIGIN allows framing only by pages from the site's own origin, and ALLOW-FROM origin allows framing only by the specified origin. ALLOW-FROM was never supported by Chrome or Safari and was later dropped by Firefox, so a site relying on it alone is left frameable in those browsers. In addition, some advertising sites return a non-standard ALLOWALL value with the intention of allowing their content to be framed on any page (equivalent to not setting X-Frame-Options at all).

In 2013 the X-Frame-Options header was published as RFC 7034,[46] an informational document rather than an Internet standard. The W3C's Content Security Policy Level 2 Recommendation provides an alternative directive, frame-ancestors, which is intended to obsolete the X-Frame-Options header.[47]

A framing header such as X-Frame-Options protects only against frame-based clickjacking; it does nothing against variants that do not rely on a frame.[48]

Content Security Policy

The frame-ancestors directive of Content Security Policy (introduced in CSP Level 2, drafted as CSP 1.1) can allow or disallow embedding of the content by potentially hostile pages using iframe, object, embed and similar elements. It obsoletes X-Frame-Options: when a page is served with both headers, the specification requires the browser to honour frame-ancestors and ignore X-Frame-Options,[49] although some popular browsers have not followed this requirement.[50] Unlike the header's SAMEORIGIN value as originally implemented, frame-ancestors is checked against every ancestor in the frame chain, not just the top-level window.

Example frame-ancestors policies:

# Disallow embedding. All iframes etc. will be blank, or contain a browser-specific error page.
Content-Security-Policy: frame-ancestors 'none'
# Allow embedding of own content only.
Content-Security-Policy: frame-ancestors 'self'
# Allow specific origins to embed this content
Content-Security-Policy: frame-ancestors www.example.com www.wikipedia.org
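The following added example (not from the article, from RFC 7034, from the CSP specification or from any browser's code) puts the rules from the Nested, X-Frame-Options and Content Security Policy sections into one function: given a response's headers, the framed document's origin and the chain of ancestor frames, it decides whether the browser should render the page. It implements CSP Level 2 source matching for frame-ancestors (the 'self' and 'none' keywords, scheme sources, host sources with wildcards and ports), the X-Frame-Options values above, the rule that frame-ancestors overrides X-Frame-Options when both are present, and, for comparison, the old top-window-only SAMEORIGIN check that nested clickjacking abused. Origins are passed as "scheme://host[:port]" strings and the ancestor chain runs from the immediate parent outward to the top-level window; all function names and the bank/attacker/partner hostnames are mine.

```javascript
// Added example (not from the article or any browser): evaluate framing policy headers.
const DEFAULT_PORTS = { http: '80', https: '443' };

function parseOrigin(text) {
  const u = new URL(text);                         // WHATWG URL, available in Node and browsers
  const scheme = u.protocol.slice(0, -1).toLowerCase();
  return { scheme, host: u.hostname.toLowerCase(), port: u.port || DEFAULT_PORTS[scheme] || '' };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Does one CSP2 source expression match one ancestor origin? (self = the framed document)
function matchesSource(expr, ancestor, self) {
  if (expr === '*') return true;
  if (expr === "'self'") return sameOrigin(ancestor, self);
  if (expr.startsWith("'")) return false;                       // 'none' and other keywords never match
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {                     // scheme-source, e.g. "https:"
    return ancestor.scheme === expr.slice(0, -1).toLowerCase();
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(?:\/\S*)?$/i.exec(expr);
  if (!m) return false;                                          // malformed host-source never matches
  const [, scheme, host, port] = m;
  if (scheme) {
    if (scheme.toLowerCase() !== ancestor.scheme) return false;
  } else if (ancestor.scheme !== self.scheme &&
             !(self.scheme === 'http' && ancestor.scheme === 'https')) {
    return false;                                                // schemeless source inherits the page's scheme
  }
  const h = host.toLowerCase();
  if (h.startsWith('*.')) {
    if (!ancestor.host.endsWith(h.slice(1))) return false;       // *.example.com: subdomains only, not the apex
  } else if (h !== '*' && h !== ancestor.host) {
    return false;
  }
  if (port === '*') return true;
  if (port) return port === ancestor.port;
  return ancestor.port === (DEFAULT_PORTS[ancestor.scheme] || ''); // no port given: default port only
}

// true/false, or null when the policy carries no frame-ancestors directive.
function cspFrameAncestorsAllows(policy, ancestors, self) {
  const directive = policy.split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0].toLowerCase() === 'frame-ancestors');
  if (!directive) return null;
  const sources = directive.slice(1);
  if (sources.length === 0 || sources.every((s) => s === "'none'")) return false;
  return ancestors.every((a) => sources.some((s) => matchesSource(s, a, self)));
}

// true/false, or null for ALLOWALL and unrecognised values, which leave the page frameable.
function xfoAllows(value, ancestors, self) {
  const [token, ...rest] = value.trim().split(/\s+/);
  switch (token.toUpperCase()) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      return ancestors.every((a) => sameOrigin(a, self));       // modern browsers check every ancestor
    case 'ALLOW-FROM': {
      // Honoured only by Internet Explorer and Firefox (until version 70); Chrome and Safari
      // ignored it, so a site relying on this value alone was frameable there.
      let allowed;
      try { allowed = parseOrigin(rest.join(' ')); } catch (e) { return false; }  // malformed: deny
      return ancestors.every((a) => sameOrigin(a, allowed));
    }
    default:
      return null;
  }
}

// Historical behaviour behind "nested clickjacking": early SAMEORIGIN implementations compared
// only the top-level window with the framed document, so an attacker frame in between went unseen.
function legacyTopOnlySameOrigin(ancestors, self) {
  return sameOrigin(ancestors[ancestors.length - 1], self);
}

// headers: object keyed by lowercase header name (constructed by the caller, not fetched).
function framingAllowed(headers, selfOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true;                 // top-level navigation, nothing to decide
  const self = parseOrigin(selfOrigin);
  const ancestors = ancestorOrigins.map(parseOrigin);
  const csp = headers['content-security-policy'];
  if (csp) {
    const verdict = cspFrameAncestorsAllows(csp, ancestors, self);
    if (verdict !== null) return verdict;                        // CSP2: X-Frame-Options MUST be ignored here
  }
  const xfo = headers['x-frame-options'];
  if (xfo) {
    const verdict = xfoAllows(xfo, ancestors, self);
    if (verdict !== null) return verdict;
  }
  return true;                                                   // no effective policy: anyone may frame it
}
```

Two things the code makes concrete that the prose only states: with the chain ['https://attacker.example', 'https://bank.example'] (attacker frame nested under the bank's own top window), framingAllowed with X-Frame-Options: SAMEORIGIN returns false while legacyTopOnlySameOrigin returns true, which is the nested-clickjacking gap; and a policy of frame-ancestors 'none' alongside X-Frame-Options: SAMEORIGIN denies even same-origin framing, because the CSP directive takes precedence. The matcher follows CSP Level 2 literally; CSP Level 3 additionally lets a host source with an explicit http: scheme match an https ancestor.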

References

  1. Robert McMillan (17 September 2008). "At Adobe's request, hackers nix 'clickjacking' talk". PC World. Archived from the original on 17 July 2015. Retrieved 8 October 2008.
  2. Megha Dhawan (29 September 2008). "Beware, clickjackers on the prowl". The Times of India. Archived from the original on 24 July 2009. Retrieved 8 October 2008.
  3. Dan Goodin (7 October 2008). "Net game turns PC into undercover surveillance zombie". The Register. Retrieved 8 October 2008.
  4. Fredrick Lane (8 October 2008). "Web Surfers Face Dangerous New Threat: 'Clickjacking'". newsfactor.com. Archived from the original on 13 October 2008. Retrieved 8 October 2008.
  5. Shahriar, Hossain; Devendran, Vamshee Krishna (4 July 2014). "Classification of Clickjacking Attacks and Detection Techniques". Information Security Journal: A Global Perspective. 23 (4–6): 137–147. doi:10.1080/19393555.2014.931489. ISSN 1939-3555. S2CID 43912852.
  6. Tyler Close (October 2008). "The Confused Deputy rides again!".
  7. Niemietz, Marcus (2012). "UI Redressing Attacks on Android Devices" (PDF). Black Hat.
  8. Robert Lemos (October 2008). "You don't know (click)jack".
  9. JAstine, Berry. "Facebook Help Number 1-888-996-3777". Retrieved 7 June 2016.
  10. "Viral clickjacking 'Like' worm hits Facebook users". Naked Security. 31 May 2010. Retrieved 23 October 2018.
  11. "Facebook Worm – "Likejacking"". Naked Security. 31 May 2010. Retrieved 23 October 2018.
  12. Lekies, Sebastian (2012). "On the fragility and limitations of current Browser-provided Clickjacking protection schemes" (PDF). USENIX.
  13. "Wireless Mouse Hacks & Network Security Protection". MOUSEJACK. Retrieved 3 January 2020.
  14. Valotta, Rosario (2011). "Cookiejacking". tentacoloViola – sites.google.com. Archived from the original on 7 August 2019. Retrieved 23 October 2018.
  15. "Filejacking: How to make a file server from your browser (with HTML5 of course)". blog.kotowicz.net. Retrieved 23 October 2018.
  16. "Password Managers: Attacks and Defenses" (PDF). Retrieved 26 July 2015.
  17. Sahani, Rishabh; Randhawa, Sukhchandan (1 December 2021). "Clickjacking: Beware of Clicking". Wireless Personal Communications. 121 (4): 2845–2855. doi:10.1007/s11277-021-08852-y. ISSN 0929-6212. S2CID 239691334.
  18. "The Clickjacking meets XSS: a state of art". Exploit DB. 26 December 2008. Retrieved 31 March 2015.
  19. Krzysztof Kotowicz. "Exploiting the unexploitable XSS with clickjacking". Retrieved 31 March 2015.
  20. Cohen, Richard (31 May 2010). "Facebook Worm – "Likejacking"". Sophos. Archived from the original on 4 June 2010. Retrieved 5 June 2010.
  21. Ballou, Corey (2 June 2010). ""Likejacking" Term Catches On". jqueryin.com. Archived from the original on 5 June 2010. Retrieved 8 June 2010.
  22. Perez, Sarah (2 June 2010). ""Likejacking" Takes Off on Facebook". ReadWriteWeb. Archived from the original on 16 August 2011. Retrieved 5 June 2010.
  23. Kushner, David (June 2011). "Facebook Philosophy: Move Fast and Break Things". spectrum.ieee.org. Retrieved 15 July 2011.
  24. Perez, Sarah (23 April 2010). "How to "Like" Anything on the Web (Safely)". ReadWriteWeb. Retrieved 24 August 2011.
  25. Podlipensky, Paul. "Cursor Spoofing and Cursorjacking". Podlipensky.com. Archived from the original on 22 November 2017. Retrieved 22 November 2017.
  26. Krzysztof Kotowicz (18 January 2012). "Cursorjacking Again". Retrieved 31 January 2012.
  27. "Mozilla Foundation Security Advisory 2014-50". Mozilla. Retrieved 17 August 2014.
  28. "Mozilla Foundation Security Advisory 2015-35". Mozilla. Retrieved 25 October 2015.
  29. "What is MouseJack!". Bastille. Retrieved 3 January 2020.
  30. "CERT VU#981271 Multiple wireless keyboard/mouse devices use an unsafe proprietary wireless protocol". kb.cert.org. Retrieved 3 January 2020.
  31. Giorgio Maone (24 June 2011). "NoScript Anywhere". hackademix.net. Retrieved 30 June 2011.
  32. Giorgio Maone (8 October 2008). "Hello ClearClick, Goodbye Clickjacking". hackademix.net. Retrieved 27 October 2008.
  33. Michal Zalewski (10 December 2008). "Browser Security Handbook, Part 2, UI Redressing". Google Inc. Retrieved 27 October 2008.
  34. Robert Hansen (4 February 2009). "Clickjacking and GuardedID". ha.ckers.org web application security lab. Archived from the original on 11 July 2012. Retrieved 30 November 2011.
  35. Wang, Helen J.; Grier, Chris; Moshchuk, Alexander; King, Samuel T.; Choudhury, Piali; Venter, Herman (August 2009). "The Multi-Principal OS Construction of the Gazelle Web Browser" (PDF). 18th USENIX Security Symposium, Montreal, Canada. Retrieved 26 January 2010.
  36. "Intersection Observer – W3C Editor's Draft".
  37. "Trust is Good, Observation is Better".
  38. "De-anonymization via Clickjacking in 2019".
  39. Giorgio Maone (27 October 2008). "Hey IE8, I Can Has Some Clickjacking Protection". hackademix.net. Retrieved 27 October 2008.
  40. Eric Lawrence (27 January 2009). "IE8 Security Part VII: ClickJacking Defenses". Retrieved 30 December 2010.
  41. Eric Lawrence (30 March 2010). "Combating ClickJacking With X-Frame-Options". Retrieved 30 December 2010.
  42. Ryan Naraine (8 June 2009). "Apple Safari jumbo patch: 50+ vulnerabilities fixed". Archived from the original on 12 June 2009. Retrieved 10 June 2009.
  43. "The X-Frame-Options response header". Mozilla Developer Center. https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header. Archived 7 October 2010 at the Wayback Machine.
  44. Adam Barth (26 January 2010). "Security in Depth: New Security Features". Retrieved 26 January 2010.
  45. "Web specifications support in Opera Presto 2.6". 12 October 2010. Archived from the original on 14 January 2012. Retrieved 22 January 2012.
  46. "HTTP Header Field X-Frame-Options". IETF. 2013.
  47. "Content Security Policy Level 2". W3C. 2016.
  48. "lcamtuf's blog: X-Frame-Options, or solving the wrong problem". 10 December 2011.
  49. "Content Security Policy Level 2". w3.org. 2 July 2014. Retrieved 29 January 2015.
  50. "Clickjacking Defense Cheat Sheet". Retrieved 15 January 2016.