Clickjacking

Clickjacking is a malicious technique for tricking Web users into revealing confidential information or handing over control of their computer while they click on seemingly innocuous web pages.[1][2][3][4] A vulnerability across a variety of browsers and platforms, clickjacking takes the form of embedded code or script that executes without the user's knowledge, for example when the user clicks a button that appears to perform a different function.[5]

The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008. The exploit is also known as UI redressing.

Clickjacking can be understood as an instance of the confused deputy problem.[6]

Description

Clickjacking is possible because seemingly harmless features of HTML web pages can be employed to perform unexpected actions.

A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers load another page over it in a transparent layer. The users think that they are clicking visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page, so the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, because the users were genuinely authenticated on the hidden page and the clicks were their own.

Examples

A user might receive an email with a link to a video about a news item, but another valid page, say a product page on amazon.com, can be "hidden" on top or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon.

Other known exploits include:

  • tricking users into enabling their webcam and microphone through Flash (which has since been corrected by Adobe);
  • tricking users into making their social networking profile information public;
  • making users follow someone on Twitter;[7]
  • making users share links on Facebook.[8][9]

Prevention

Client-side

Ghostery

Ghostery is a privacy browser extension available for the five primary browsers that enables its users to easily detect and control tags, web bugs, pixels, and beacons that have the potential to collect data on their browsing habits. In this way it can prevent clickjacking involving social networks like Facebook or Twitter by blocking their scripts on other web pages.

NoScript

Protection against clickjacking can be added to Mozilla Firefox desktop and mobile[10] versions by installing the NoScript add-on: its ClearClick feature, released on 8 October 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets.[11] According to Google's "Browser Security Handbook", NoScript's ClearClick is "the only freely available product that offers a reasonable degree of protection" against Clickjacking.[12]

Gazelle

Gazelle is a Microsoft Research project for a secure web browser based on IE that uses an OS-like security model and has its own limited defenses against clickjacking.[13] In Gazelle, a window of a different origin may only draw dynamic content over another window's screen space if the content it draws is opaque.

Server-side

Framekiller

Web site owners can protect their users against UI redressing (frame-based clickjacking) on the server side by including a framekiller JavaScript snippet in those pages they do not want to be included inside frames from different sources.[12]

Such JavaScript-based protection, unfortunately, is not always reliable. This is especially true on Internet Explorer,[12] where this kind of countermeasure can be circumvented "by design" by including the targeted page inside an <IFRAME SECURITY=restricted> element.[14]
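The following is an added example, not code from the article: a framekiller written in the "hide by default" style, in which the page ships with its body hidden and the script reveals it only when the page is the top-level document. If the script is prevented from running, as described above for the restricted IFRAME, the page simply stays blank instead of being exposed to clicks. The window-like object and the `fakeWindow` test double are constructed here so the decision logic can be exercised outside a browser.

```javascript
// Framekiller, "hide by default" variant (added example, not the article's code).
// Assumes the page is served with <style>body { display: none }</style>.

// True when this document is rendered inside a frame: its window is not the
// top-level browsing context.
function isFramed(win) {
  return win.top !== win.self;
}

// Reveal the page when it stands alone; otherwise navigate the top-level
// window to this page's own URL, which breaks the page out of the frame.
// Returns what it did so the behaviour can be checked.
function applyFramekiller(win) {
  if (!isFramed(win)) {
    win.document.body.style.display = 'block';
    return 'shown';
  }
  win.top.location = win.self.location;
  return 'busted';
}

// Constructed test double standing in for a browser window. When `framed`
// is true the top-level window belongs to a different (framing) site.
function fakeWindow(framed) {
  const self = {
    location: 'https://example.test/page',
    document: { body: { style: { display: 'none' } } },
  };
  self.self = self;
  self.top = framed ? { location: 'https://framing-site.test/' } : self;
  return self;
}

// In a real browser, run against the live window object.
if (typeof window !== 'undefined') {
  applyFramekiller(window);
}
```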

Server-side needing client support

X-Frame-Options

On 26 January 2009 Microsoft released RC1 of Internet Explorer 8, which includes a new partial clickjacking prevention option. Web site developers will be able to add a tag in a page header to help detect and prevent frame-based UI redressing. IE 8, according to Microsoft, “will detect sites that insert the tag and give users a new error screen indicating that the content host has chosen not to allow their content to be framed, while giving users the option to open the content in a new window.” [15]

Microsoft's suggested solution,[16] which has since also been implemented in Apple's Safari,[17] Firefox,[18] and Google's Chrome[19] Web browsers, is to check for a new HTTP response header, X-Frame-Options. This header can have two values, deny and sameorigin, which block any framing at all or framing by external sites, respectively.
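As an added example (not the article's code, nor any browser's or server's implementation), here is a small model of how a browser applies the two X-Frame-Options values, together with a helper that stamps a valid value onto an outgoing response. The origins are constructed for the example; `res` is assumed to be any object with a `setHeader(name, value)` method, such as Node's `http.ServerResponse`.

```javascript
// Model of X-Frame-Options enforcement (added example, not browser code).
// Decide whether a document served with `headerValue` may be rendered inside
// a frame whose top-level document has origin `topOrigin`. Note: this model
// checks only the top-level origin; some browsers also check every
// intermediate ancestor frame.
function framingAllowed(headerValue, documentOrigin, topOrigin) {
  if (headerValue === undefined || headerValue === null) {
    return true; // no header: framing is unrestricted (the pre-header default)
  }
  const value = String(headerValue).trim().toLowerCase(); // values are case-insensitive
  if (value === 'deny') {
    return false; // never framed, not even by the same site
  }
  if (value === 'sameorigin') {
    return documentOrigin === topOrigin;
  }
  // Any other value is outside this model and treated like a missing header;
  // real browsers differ in how they handle malformed values.
  return true;
}

// Stamp a valid X-Frame-Options value onto a response. Rejects anything other
// than the two values the article describes, so a typo cannot silently ship
// an unprotected page. Returns the normalised value that was set.
function setFrameOptions(res, policy) {
  const p = String(policy).trim().toUpperCase();
  if (p !== 'DENY' && p !== 'SAMEORIGIN') {
    throw new Error(`unsupported X-Frame-Options value: ${policy}`);
  }
  res.setHeader('X-Frame-Options', p);
  return p;
}
```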

References

  1. Robert McMillan (2008-09-17). "At Adobe's request, hackers nix 'clickjacking' talk". PC World. http://www.pcworld.idg.com.au/index.php/id;979405561. Retrieved 2008-10-08.
  2. Megha Dhawan (2008-09-29). "Beware, clickjackers on the prowl". India Times. http://infotech.indiatimes.com/quickiearticleshow/3543527.cms. Retrieved 2008-10-08.
  3. Dan Goodin (2008-10-07). "Net game turns PC into undercover surveillance zombie". The Register. http://www.theregister.co.uk/2008/10/07/clickjacking_surveillance_zombie/. Retrieved 2008-10-08.
  4. Fredrick Lane (2008-10-08). "Web Surfers Face Dangerous New Threat: 'Clickjacking'". newsfactor.com. http://news.yahoo.com/s/nf/20081008/bs_nf/62355. Retrieved 2008-10-08. [dead link]
  5. Sumner Lemon (2008-09-30). "Business Center: Clickjacking Vulnerability to Be Revealed Next Month". PC World. http://www.pcworld.com/businesscenter/article/151677/clickjacking_vulnerability_to_be_revealed_next_month.html. Retrieved 2008-10-08.
  6. Tyler Close (October 2008). "The Confused Deputy rides again!".
  7. Daniel Sandler (2009-02-12). "Twitter's "Don't Click" prank, explained". dsandler.org. http://dsandler.org/outgoing/dontclick_orig.html. Retrieved 2009-12-28.
  8. Krzysztof Kotowicz (2009-12-21). "New Facebook clickjacking attack in the wild". http://blog.kotowicz.net/2009/12/new-facebook-clickjagging-attack-in.html. Retrieved 2009-12-29.
  9. BBC (2010-06-03). "Facebook "clickjacking" spreads across site". BBC News. http://news.bbc.co.uk/2/hi/technology/10224434.stm. Retrieved 2010-06-03.
  10. Giorgio Maone (2011-06-24). "NoScript Anywhere". hackademix.net. http://noscript.net/nsa/. Retrieved 2011-06-30.
  11. Giorgio Maone (2008-10-08). "Hello ClearClick, Goodbye Clickjacking". hackademix.net. http://hackademix.net/2008/10/08/hello-clearclick-goodbye-clickjacking/. Retrieved 2008-10-27.
  12. Michal Zalewski (2008-12-10). "Browser Security Handbook, Part 2, UI Redressing". Google Inc. http://code.google.com/p/browsersec/wiki/Part2#Arbitrary_page_mashups_(UI_redressing). Retrieved 2008-10-27.
  13. Wang, Helen J.; Grier, Chris; Moshchuk, Alexander; King, Samuel T.; Choudhury, Piali; Venter, Herman (August 2009). "The Multi-Principal OS Construction of the Gazelle Web Browser". 18th USENIX Security Symposium, Montreal, Canada. http://research.microsoft.com/en-us/um/people/helenw/papers/gazelleSecurity09.pdf. Retrieved 2010-01-26.
  14. Giorgio Maone (2008-10-27). "Hey IE8, I Can Has Some Clickjacking Protection". hackademix.net. http://hackademix.net/2009/01/27/ehy-ie8-i-can-has-some-clickjacking-protection/. Retrieved 2008-10-27.
  15. Mary Jo Foley (2009-01-26). "Near-final IE 8 test build ready for download". ZDNet. http://blogs.zdnet.com/microsoft/?p=1846. Retrieved 2009-01-26.
  16. Eric Lawrence (2009-01-27). "IE8 Security Part VII: ClickJacking Defenses". IEBlog, MSDN. http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx. Retrieved 2009-06-10.
  17. Ryan Naraine (2009-06-08). "Apple Safari jumbo patch: 50+ vulnerabilities fixed". ZDNet. http://blogs.zdnet.com/security/?p=3541. Retrieved 2009-06-10.
  18. "The X-Frame-Options response header". Mozilla Developer Center. https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header.
  19. Adam Barth (2010-01-26). "Security in Depth: New Security Features". Chromium Blog. http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html. Retrieved 2010-01-26.

Wikimedia Foundation. 2010.
