clickjacking (user-interface or UI redressing and IFRAME overlay)

What is clickjacking?

Clickjacking (also known as user-interface or UI redressing and IFRAME overlay) is an attack in which hidden clickable content, typically an invisible frame loaded from another site, is concealed beneath apparently legitimate buttons or other clickable elements on a web page, so that a user's click is delivered to the hidden target rather than to what the user sees.

Here's one example among many possible scenarios: a visitor to a site thinks he is clicking a button to close a window; instead, clicking the "X" button causes the computer to download a Trojan horse, transfer money from a bank account or turn on the computer's built-in microphone. The host website may be a legitimate site that has been compromised or a spoofed version of a well-known site. The attacker lures users to the site through links posted online or sent in email messages.

Researchers Jeremiah Grossman and Robert Hansen discovered the vulnerability. Here's how they describe the issue:

Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. […] Say you have a home wireless router that you had authenticated prior to going to a web site. [The malicious coding] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules.

The issue is attributed to an inherent flaw in browser software and affects Internet Explorer (IE), Firefox, Safari and Opera. In fact, only non-GUI browsers, such as Lynx, are protected, simply because there is nothing in the interface that can be clicked.

According to Hansen, there are multiple variants of clickjacking: "Some of it requires cross domain access, some doesn't. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don't."

Facebook is a common venue for clickjacking. One example involves a status update: "OMG This GUY Went A Little To Far WITH His Revenge On His EX Girlfriend." Users who click the link are presented with a fake CAPTCHA that is actually positioned over hidden Facebook "Like" and "Share" buttons. When the user responds to the CAPTCHA, the bogus status update is posted to his Facebook page, along with a notice that he liked the video. On Facebook, most clickjacking exploits are conducted to collect user information and disseminate spam, although phishing attacks have also been reported.

In his Security Corner blog, Ken Harthun advises: "For now, everyone should immediately disable scripting and iframes in whatever browser they're using. Firefox users should install NoScript and set the 'Plugins | Forbid iframe' option... I also recommend that everyone review US-CERT's article 'Securing Your Web Browser' to ensure maximum protection against this and other security risks."
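The browser-side advice above leaves the page itself unprotected; the server-side counterpart is to tell browsers who may frame a page. The following JavaScript is an added example, not code from the original article or from any site it mentions: given a set of response headers (constructed samples below), it decides whether a document from another origin could load the page in a frame and overlay it. Function names, the lower-case header keys and the literal port-matching rule are assumptions of this example.

```javascript
// Added example (not from the original article): decide whether a page served with the
// given response headers can be framed by a document from framerOrigin; true for a foreign
// origin means it is exposed to the IFRAME overlay described above. Assumptions: header
// names are lower-case; only common frame-ancestors forms are handled; ports match literally.

const SOURCE_RE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?$/i;

function hostMatches(pattern, host) {
  // *.partner.example matches subdomains only, not the bare host.
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // ".partner.example"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceMatches(src, pageOrigin, framerOrigin) {
  if (src === "'self'") return framerOrigin === pageOrigin;
  if (src === '*') return true;
  const f = new URL(framerOrigin);
  const m = SOURCE_RE.exec(src);
  if (!m) return false; // unrecognised source expression: no match
  const [, scheme, host, port] = m;
  if (scheme && `${scheme}:` !== f.protocol) return false;
  if (port && port !== '*' && port !== f.port) return false;
  return hostMatches(host, f.hostname);
}

function canBeFramedBy(headers, pageOrigin, framerOrigin) {
  const csp = headers['content-security-policy'] || '';
  const m = /(?:^|;)\s*frame-ancestors\s+([^;]*)/i.exec(csp);
  if (m) {
    // When both headers are sent, frame-ancestors takes precedence over X-Frame-Options.
    const sources = m[1].trim().toLowerCase().split(/\s+/);
    if (sources.includes("'none'")) return false;
    return sources.some((s) => sourceMatches(s, pageOrigin, framerOrigin));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true; // no recognised policy: any site can overlay this page in a frame
}

// Constructed sample responses, not captured from any real site.
const SAMPLES = {
  unprotected: {},
  denyAll: { 'x-frame-options': 'DENY' },
  sameOrigin: { 'x-frame-options': 'SAMEORIGIN' },
  partnerList: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
};
```

Run the check against a site's real response headers: a `true` result for an origin you do not control is the condition the overlay attack depends on.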

Learn More About IT:

  • Dennis Fisher explains the details emerging from the clickjacking proof-of-concept.
  • Hackademix explains how to protect yourself from clickjacking with NoScript.
  • Robert Hansen provides details about clickjacking.
  • See US-CERT's document, 'Securing Your Web Browser.'
  • Here's Ken Harthun's post about clickjacking.

This was last updated in March 2011
Posted by: Margaret Rouse
