May 22, 2009 4:00 AM PDT

Clickjacking: Hijacking clicks on the Internet

by Elinor Mills

Jeremiah Grossman, chief technology officer of Whitehat Security, and another researcher coined the term clickjacking.

(Credit: Whitehat Security)

What if you reached to grab a newspaper out of a news stand and you found a rock in your hand instead? How about opening the front door to a grocery store and ending up on a boat?

This sounds like a Matrix movie, but the virtual equivalent of this is real and poses one of the most serious new risks on the Internet, according to Jeremiah Grossman, chief technology officer and co-founder of Whitehat Security.

"Most exploits (like worms and attacks that take advantage of holes in software) can be patched, but clickjacking is a design flaw in the way the Web is supposed to work," Grossman said. "The bad guy is superimposing an invisible button over something the user wants to click on...It can be any button on any Web page on any Web site."

The technique was used in a series of prank attacks launched on Twitter in February. In that case, users clicked on links next to tweets that said "Don't Click" and then clicked on a button that said "Don't Click" on a separate Web page. That second click distributed the original tweet to all of the Twitter user's followers, thus propagating itself rather quickly.

At the time, Grossman called it a "harmless experiment," but the potential for harm by an attacker who isn't just having fun is huge.

In a demo at CNET offices on Thursday, Grossman showed how someone could launch a clickjacking attack using Flash to spy on someone by getting them to turn on their computer Web cam without knowing it. (Grossman also appeared on CNET Live to talk about clickjacking.)

As the name suggests, clickjacking is the hijacking of your click, unbeknownst to you. A victim may not even know that the click has been redirected, which means there could be clickjacking attacks going on that no one knows about yet.

Clickjacking attacks are accomplished by creating something called an iFrame that allows a browser window to be split into segments so that different items can be shown on each. This code is inserted into the target Web page and is invisible to the end user. When the end user's cursor clicks on the section of the page where the malicious iFrame is hiding, the attack is launched to do whatever the attacker desires.

An attacker could hide an iFrame under any innocent link on any Web page--a headline on The New York Times or a "digg this" button on Digg, for instance--and when the victim clicks on the link, the cursor is actually clicking on the hidden iFrame.

In the Web cam demo, the iFrame created contains a Flash pop-up window that asks the user to grant permission to have the Web cam turned on. When the victim clicks the link, the Web cam is turned on and secretly begins recording everything the user does in front of the computer.

One of the scariest things about clickjacking is the potential for abuse. An attacker could spy on you by turning on your Web cam or microphone, direct you to a Web page with malicious content that is downloaded onto your computer, or even rig it up so you end up clicking "buy" instead of "cancel" on an e-commerce site.

Another thing that makes clickjacking so serious is that there really is very little that end users can do to protect themselves, Grossman said.

In the Web cam scenario, the best defense is probably to put a post-it note or other item over the Web cam lens and to disable the microphone in the software, he said. Flash Player 10 provides some protection by preventing anything from obscuring the security permissions dialogue box, he said.

In clickjacking an attacker hides a button or action underneath a section of any Web page so that when a visitor clicks a link on that section the click is hijacked by the malicious code to do whatever the attacker wants, completely invisible to the visitor.

(Credit: Jeremiah Grossman)

Web site owners optimizing their sites for Internet Explorer 8 have the ability to prevent their pages from being framed, which means visitors will be safe, but only on that site and only if they are using IE8, Grossman said.
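The framing control described above is delivered as a response header: IE8 introduced X-Frame-Options (the article does not name it), and the Content-Security-Policy frame-ancestors directive later standardized the same idea. The following is an added example, not code from the article or from Whitehat Security; it goes beyond the IE8 case to cover both headers, and the paths and sample responses are constructed for illustration.

```javascript
// Added example: classify who may frame a page, judged from its response headers.
// X-Frame-Options is the header IE8 introduced; CSP frame-ancestors is its successor.
function framingPolicy(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  // Browsers that support frame-ancestors enforce it and ignore X-Frame-Options.
  for (const directive of (h['content-security-policy'] || '').split(';')) {
    const [name, ...rest] = directive.trim().split(/\s+/);
    if (name.toLowerCase() !== 'frame-ancestors') continue;
    const sources = rest.map((s) => s.toLowerCase());
    const only = sources.length === 1 ? sources[0] : null;
    // An empty source list matches nothing, so it behaves like 'none'.
    if (sources.length === 0 || only === "'none'") return { framableBy: 'nobody', via: 'csp' };
    if (only === "'self'") return { framableBy: 'same-origin', via: 'csp' };
    if (sources.includes('*')) return { framableBy: 'anyone', via: 'csp' };
    return { framableBy: 'allowlist', via: 'csp', sources };
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return { framableBy: 'nobody', via: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') return { framableBy: 'same-origin', via: 'x-frame-options' };
  // Missing header, a misspelled value, or the obsolete ALLOW-FROM: no protection.
  return { framableBy: 'anyone', via: 'none' };
}

// Constructed sample responses (hypothetical paths, not captured from any real site).
const SAMPLES = {
  '/account/settings': { 'X-Frame-Options': 'DENY' },
  '/checkout': { 'x-frame-options': 'SAME-ORIGIN' }, // typo: not a recognized value
  '/widget': { 'Content-Security-Policy': "default-src 'self'; frame-ancestors https://partner.example" },
  '/follow-button': {},
  '/profile': { 'Content-Security-Policy': "frame-ancestors 'self'", 'X-Frame-Options': 'DENY' },
};

// Return the paths that any third-party page could load inside an invisible frame.
function unprotectedPaths(responses) {
  return Object.keys(responses).filter(
    (path) => framingPolicy(responses[path]).framableBy === 'anyone'
  );
}

console.log(unprotectedPaths(SAMPLES));
```

The misspelled value on the constructed `/checkout` response is the failure mode worth checking for in practice: the header is present, so a casual review passes it, but the browser applies no restriction.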

People using Windows and IE should disable JavaScript to help protect against clickjacking, he said. Firefox is safer; the NoScript add-on for Firefox not only lets people selectively block scripts, but it has a ClearClick feature designed specifically to protect against clickjacking, he added.

People should also log out of Web sites, like Facebook and Twitter, when they are done using them for the time being. "You can't be forced to do something on the site if you are not logged in," Grossman said.

More details are in a white paper on the technique, written by Grossman and Robert Hansen of SecTheory and published in September 2008. Grossman and Hansen coined the term in that document.

The authors canceled their talk on the subject at the OWASP (Open Web Application Security Project) conference that month at Adobe's request because their proof of concept revealed a bug in Adobe's software, according to IDG News Service.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
27 Comments
by 42istheanswer May 22, 2009 6:51 AM PDT
Don't Click this! Psych
by Random_Walk May 22, 2009 7:02 AM PDT
...seriously? This is not new. We're talking 10-year-old tech in some cases...
by inachu1 May 22, 2009 8:41 AM PDT
I would like to get rid of hidden clicks. Microsoft years ago stated an update to internet explorer on a very old version of windows update must have this click to make seamless click throughs without the end user really clicking on anything.

But here you see I hate that and makes me livid! I did not click a darn thing on some website but I just sit there doing nothing then I hear a click sound.

I call that "MOUSE CLICK IMPERSONATION" and that should be illegal!

What this means is that if some local joe on his pc late at night sees some adult material and he just faps to that page then evil porn advertisers force a click to an illegal under age website then this local joe is responsible for pedophilia on his computer and he did nothing but visit a soft porn website.

So you can hear it on windowsupdate and on other sites and just just from microsoft and porn sites.

This really makes me sick and one day I was not even on a porn site but just some rated G chat room talking about pc hardware and while I type with 5 minutes I heard over 42 clicks!

ENOUGH ALREADY! Oh and yes my pc was clean and virus,trojan,spyware,malware free.

I am sick sick sick sick sick of this.
by BtmnHatesRbn May 25, 2009 7:11 AM PDT
Then get real with yourself, drop Micro$oft and go with Apple or Linux. Otherwise, don't complain.
by basraw May 26, 2009 11:46 AM PDT
"I would like to get rid of hidden clicks. Microsoft years ago stated an update to internet explorer on a very old version of windows update must have this click to make seamless click throughs without the end user really clicking on anything. "

NoScript addon with Firefox alerts you to ClickJacking.
by Michichael May 22, 2009 9:48 AM PDT
Old news is old.
by kieranmullen May 24, 2009 9:48 PM PDT
Old meme is old.
by MatthewFabb May 22, 2009 10:25 AM PDT
Adobe's John Dowdell comments on this story:
http://blogs.adobe.com/jd/2009/05/cnet_clickjacking_comment.html
by nowimcool May 22, 2009 11:29 AM PDT
thanks for linking that blog comment!! I hope Elinor updates us with specifics, otherwise it seems this story is getting published after the issue has already been dealt with.
by jeremiahgrossman May 22, 2009 4:10 PM PDT
There is nothing "new" attack wise with regards to clickjacking or flash videojacking -- nor does the article make such claims. The reason this issue remains relevant is despite the availability of Flash 10, clickjacking still represents a huge risk. Could we reasonably estimate that the number of Flash users not on v10 are in the millions if not tens of millions? Those are significant numbers and I believe they'd like to know that their webcam/mic could be enabled without their knowledge.

Furthermore the larger clickjacking issue in the browser security realm is brought to the forefront by the recent events that have transpired on Twitter. This is just a taste of what I and many others believe is yet to come. We failed to take XSS, CSRF, and SQL Injection seriously years back when we first knew about them and look where we are today. I'd prefer clickjacking not be ignored until something truly bad happens.
by play7 May 23, 2009 2:35 AM PDT
IF you use a camera or Mic...........otherwise it doesn't mean a thing. I never keep camera or mic plugged in all the time.......
by play7 May 23, 2009 2:40 AM PDT
I don't understand why cnet showcasing this guy? As many said it's an old break-in that old time users know about. Why grossman is trying to take credit for this is funny at the least. As someone said early look at the link someone posted above. Then you understand why this piece is just a waste of time.
by Voice_Of_Logic May 30, 2009 5:15 AM PDT
What part of Don't Click did these people not understand? These sort of acts need one main ingredient, in order to thrive: IDIOT USERS. Thus, I suspect this sort of thing will never go away.
by play7 May 23, 2009 8:41 AM PDT
this crap is on cbsnews as well...........http://www.cbsnews.com/stories/2009/05/22/tech/cnettechnews/main5033555.shtml?tag=main_home_storiesBySection


omg is new source these days this bad!....
by leesbee May 24, 2009 6:16 AM PDT
Yes this is old news, If it looked you were going to spend money there was some site ready to hijack you to their site. And once they had you try as you might you would never get to your intended site


BoBBy- B@ bolinousa@msn.com
by leesbee May 24, 2009 6:22 AM PDT
Can't use the truth/cnet


BoBBy-B @ bolinousa@msn.com
by t8 May 24, 2009 5:11 PM PDT
The funny thing here is that Microsoft is the inventor of the iframe.
It almost seems like all vulnerabilities out there come from Microsoft.
by BtmnHatesRbn May 25, 2009 7:12 AM PDT
That's putting it together.
by Voice_Of_Logic May 30, 2009 5:14 AM PDT
And childbirth can be linked to eventual death. Using your logic, women are to blame for death? Go back to sleep.
by ofmyony May 24, 2009 7:31 PM PDT
Good information, Thanks to Whitehat and Cnet for keeping users as safe as possible. Even if it's been a known vulnerability.
by jmanico May 24, 2009 7:59 PM PDT
I feel it is irresponsible to discuss security issues like clickjacking without a more complete discussion of the mitigation. If you are programming websites, you gain a great deal of risk reduction by adding "framebreaking" or "framebusting" code into your web pages. Fairly easy to do.

For a more complete discussion on this topic, check out http://www.owasp.org/index.php/Clickjacking

OWASP also offers FOSS Java-based filters to automatically afford this kind of protection for Java-based websites in the enterprise. See http://www.owasp.org/index.php/ClickjackFilter_for_Java_EE
by pwandmaker May 24, 2009 9:35 PM PDT
really? come on Elinor, this is journalism? c-net seems to read a definition on what journalism is. the quality of this site has descended into something far worse than mediocrity.
by BtmnHatesRbn May 25, 2009 7:13 AM PDT
Yeah. It's owned by CBS Viacom now!
by indnajns May 25, 2009 7:08 AM PDT
"People using Windows and IE should disable JavaScript "

This is a solution? You might as well disconnect your cable/modem line. Result would be just about the same. No one seems capable of programming a website without Javascript/ActiveX/Flash anymore. I set ActiveX to notify and most usually click NO and that gives me headaches enough. Turning off javascript would make browsing pretty much impossible. Do the people who suggest these inane things even try their own suggestions? Geesh.

(Haha. Count CNET as one of those that BREAKS when you don't allow Active X. The Comment Submit button doesn't work without it. Had to reload the page and allow Active X. I'm not even going to try it with Javascript turned off. Probably wouldn't be able to see the page at all.)
by BtmnHatesRbn May 25, 2009 7:14 AM PDT
How about saving some power and like before Windows 95 and Mac OS 8, turn the damned computers off for any period of time over an hour of non-use? And you'll even be "green" doing that.
by RavingEniac May 28, 2009 8:15 AM PDT
What is the vulnerability of non-Microsoft browsers and operating systems? If the problem doesn't exist for users of Mac OS and Linux, users of Firefox and Seamonkey and Opera, users of Windows 95 and Netscape Communicator, etc, the headline should probably be aimed at the Windows and IE versions that are vulnerable to clickjacking.
by AnthonyNYC May 28, 2009 3:46 PM PDT
He never said this was a browser specific or Operating system specific problem, he said any browser using CSS ( Cascading Style Sheets) is vulnerable, Mac and PC! Simple, just listen