May 22, 2009 4:00 AM PDT

Clickjacking: Hijacking clicks on the Internet

by Elinor Mills

Jeremiah Grossman, chief technology officer of Whitehat Security, and another researcher coined the term clickjacking.

(Credit: Whitehat Security)

What if you reached to grab a newspaper out of a news stand and you found a rock in your hand instead? How about opening the front door to a grocery store and ending up on a boat?

This sounds like a Matrix movie, but the virtual equivalent of this is real and poses one of the most serious new risks on the Internet, according to Jeremiah Grossman, chief technology officer and co-founder of Whitehat Security.

"Most exploits (like worms and attacks that take advantage of holes in software) can be patched, but clickjacking is a design flaw in the way the Web is supposed to work," Grossman said. "The bad guy is superimposing an invisible button over something the user wants to click on...It can be any button on any Web page on any Web site."

The technique was used in a series of prank attacks launched on Twitter in February. In that case, users clicked on links next to tweets that said "Don't Click" and then clicked on a button that said "Don't Click" on a separate Web page. That second click distributed the original tweet to all of the Twitter user's followers, thus propagating itself rather quickly.

At the time, Grossman called it a "harmless experiment," but the potential for harm by an attacker who isn't just having fun is huge.

In a demo at CNET offices on Thursday, Grossman showed how someone could launch a clickjacking attack using Flash to spy on someone by getting them to turn on their computer Web cam without knowing it. (Grossman also appeared on CNET Live to talk about clickjacking.)

Like the name suggests, clickjacking is the hijacking of your click, unbeknownst to you. A victim may not even know that the click has been redirected, which means there could be clickjacking attacks going on that no one knows about yet.

Clickjacking attacks are accomplished by creating something called an iFrame that allows a browser window to be split into segments so that different items can be shown on each. This code is inserted into the target Web page and is invisible to the end user. When the end user's cursor clicks on the section of the page where the malicious iFrame is hiding, the attack is launched to do whatever the attacker desires.

An attacker could hide an iFrame under any innocent link on any Web page--a headline on The New York Times or a "digg this" button on Digg, for instance--and when the victim clicks on the link, the cursor is actually clicking on the hidden iFrame.

In the Web cam demo, the iFrame created contains a Flash pop-up window that asks the user to grant permission to have the Web cam turned on. When the victim clicks the link, the Web cam is turned on and secretly begins recording everything the user does in front of the computer.

One of the scariest things about clickjacking is the potential for abuse. An attacker could spy on you by turning on your Web cam or microphone, direct you to a Web page with malicious content that is downloaded onto your computer, or even rig it up so you end up clicking "buy" instead of "cancel" on an e-commerce site.

Another thing that makes clickjacking so serious is that there really is very little that end users can do to protect themselves, Grossman said.

In the Web cam scenario, the best defense is probably to put a post-it note or other item over the Web cam lens and to disable the microphone in the software, he said. Flash Player 10 provides some protection by preventing anything from obscuring the security permissions dialogue box, he said.

In clickjacking, an attacker hides a button or action underneath a section of any Web page so that, when a visitor clicks a link in that section, the click is hijacked by the malicious code to do whatever the attacker wants, completely invisibly to the visitor.

(Credit: Jeremiah Grossman)

Web site owners optimizing their sites for Internet Explorer 8 can prevent their pages from being framed by other pages, which protects visitors, but only on that site and only if they are using IE8, Grossman said.
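The site-owner control mentioned above is the X-Frame-Options response header that IE8 introduced; the later Content-Security-Policy frame-ancestors directive supersedes it in current browsers (neither is named in the articles; both are well-established facts). The attacker's page is the one that frames the target site, so the defense is for the site to tell browsers that it refuses to be framed. The following added example (not code from CNET, WhiteHat or any of the sites discussed) classifies a response's anti-framing posture from its headers, which is the check a defender runs across a site's pages. The header sets at the bottom are constructed samples, including one that relies only on script-based frame busting of the kind Twitter first deployed, which this check correctly reports as unprotected because a header is the only control the browser enforces before the page's scripts run.

```python
"""
Classify a Web page's anti-framing posture from its HTTP response headers.
Added example; header values below are constructed, not captured from any site.
"""
from typing import Dict, List, Optional, Tuple


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if the
    CSP header carries no such directive. Quotes around keywords ('self',
    'none') are stripped and sources are lower-cased for comparison."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'\"").lower() for p in parts[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is one of
    'denied', 'same-origin', 'allowlist' or 'unprotected'.
    Header names are matched case-insensitively, as HTTP requires."""
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors takes precedence over X-Frame-Options in browsers
    # that support it, so it is evaluated first.
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors in ([], ["none"]):  # an empty source list matches nothing
            return "denied", "CSP frame-ancestors 'none'"
        if ancestors == ["self"]:
            return "same-origin", "CSP frame-ancestors 'self'"
        if "*" in ancestors:
            return "unprotected", "CSP frame-ancestors permits any origin"
        return "allowlist", "CSP frame-ancestors " + " ".join(ancestors)

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied", "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        # ALLOW-FROM was never supported by most browsers; treat as weak allowlist
        return "allowlist", "X-Frame-Options: ALLOW-FROM (obsolete, widely ignored)"
    if xfo:
        return "unprotected", f"unrecognised X-Frame-Options value {xfo!r}"
    return "unprotected", "no framing restriction header"


# Constructed sample responses (hypothetical page names and partner origin).
SAMPLE_RESPONSES = {
    "hardened": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
    "legacy-only": {"x-frame-options": "sameorigin"},
    "partner-allowlist": {
        "Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
    },
    # Relies solely on in-page JavaScript frame busting: nothing for the
    # browser to enforce, so it is reported as unprotected.
    "script-only": {"Content-Type": "text/html"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each page name to its framing verdict."""
    return {name: framing_policy(hdrs)[0] for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{name:18s} {verdict:13s} {framing_policy(SAMPLE_RESPONSES[name])[1]}")
```

Running the block prints one line per sample page; only the first sample earns a "denied" verdict, and the script-only page shows why header-based protection is the control worth verifying.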

People using Windows and IE should disable JavaScript to help protect against clickjacking, he said. Firefox is safer; the NoScript add-on for Firefox not only lets people selectively block scripts, but it has a ClearClick feature designed specifically to protect against clickjacking, he added.

People should also log out of Web sites, like Facebook and Twitter, when they are done using them for the time being. "You can't be forced to do something on the site if you are not logged in," Grossman said.

More details are in a white paper on the technique, written by Grossman and Robert Hansen of SecTheory and published in September 2008. Grossman and Hansen coined the term in that document.

The authors canceled their talk on the subject at the OWASP (Open Web Application Security Project) conference that month at Adobe's request because their proof of concept revealed a bug in Adobe's software, according to IDG News Service.

March 6, 2009 2:55 PM PST

Expert: Twitter accounts hijacked in new attack

by Elinor Mills

This is the malicious tweet that links people to a dubious Web site, Trend Micro says.

(Credit: Trend Micro)

Twitter users looking for a little entertainment on a boring Friday may want to go elsewhere to get their fix.

A new attack was hijacking Twitter users Friday, with at least 700 accounts being compromised in two hours beginning at about 11 a.m. PST (7 p.m. GMT), security researcher Rik Ferguson wrote on the Trend Micro blog.

Victims are clicking on a link in a tweet that lures them with the promise of chatting with a 23-year-old woman on a Webcam.

"It appears that there is a rash of Twitter account hijacking going on this evening," Ferguson wrote.

"Obviously we recommend against clicking on this link, it leads to a porn Webcam portal which looks to have been designed with credit card harvesting in mind," he wrote. "Affected users should change their password to a secure one as soon as possible."

Twitter co-founder Biz Stone confirmed the attack and said the company had reset the passwords of the compromised accounts and removed the "spammy updates." "Today we discovered about 750 Twitter accounts were broken into and had a link to a webcam site posted on the accounts," he wrote on his blog. It appears other sites and services have been affected by a similar attack.

Stone urged people to use strong passwords for their Twitter accounts and not to share passwords with anyone.

Twitter fended off a series of clickjacking attempts last month in which users were tricked into sending out spam tweets.

Updated 4:25 p.m. PST with Twitter comment.

February 13, 2009 11:46 AM PST

Twitter fends off second clickjacking attack

by Elinor Mills

Twitter fended off a second clickjacking attack on Thursday night as the popular microblogging site plays cat-and-mouse with a prankster, the site confirmed on Friday.

"Yes, there was a second approach later in the day, same story as the first but with a slightly modified technique," Twitter co-founder Biz Stone wrote in an e-mail. "We took care of that too. Every day we're finding ways to improve the system."

(Credit: CNET Networks)

"It's a convoluted cat-and-mouse game," Jeremiah Grossman, chief technology officer of WhiteHat Security, said earlier on Friday. "At least for the moment, Twitter is winning."

Twitter users first noticed the clickjacking prank on Thursday and later that day Twitter had shut it down. Tweets were popping up that said "Don't Click" followed by a link. Clicking the link took the user to a page that included a button that said "Don't Click." Clicking the button automatically distributed the identical tweet. As you can imagine, this spread pretty quickly.

Later on Thursday, the tweets started appearing again after someone figured out a way around Twitter's fix, said Grossman.

Basically, the clickjacking page with the "Don't Click" button on it has an invisible frame with a Twitter status update button superimposed over it, he said. Twitter's original fix wiped a page clean if it detected a frame on its pages, but then someone circumvented that and Twitter was forced to come up with another fix, according to Grossman.

The clickjacking is likely a harmless experiment, but it could be used for malicious purposes in the future, Grossman said.

Firefox users can install the NoScript extension to protect against clickjacking, but current versions of Internet Explorer do not offer protection, although IE8 will, he said.

January 29, 2009 5:50 AM PST

Chrome, Firefox face clickjacking

by Liam Tung

Security researchers have discovered a flaw affecting Google's Chrome browser that exposes it to "clickjacking"--in which an attacker hijacks a browser's functions by substituting a legitimate link with one of the attacker's choice.

Google has acknowledged the flaw and is working toward a patch for Chrome versions 1.0.154.43 and earlier when running within Windows XP SP2 systems, according to SecNiche security researcher Aditya Sood.

Sood disclosed the flaw on Tuesday and has since posted a proof of concept on the Bugtraq vulnerability disclosure forum.

"Attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page," Sood said within the disclosure.

While Google is working on a fix, a representative for the Australian arm of the company pointed out that clickjacking can affect all browsers, not just Chrome.

"The (clickjacking) issue is tied to the way the Web and Web pages were designed to work, and there is no simple fix for any particular browser. We are working with other stakeholders to come up with a standardized long-term mitigation approach," they said.

However, Nishad Herath, an independent security researcher and CEO of Australian security consultancy Novologica, told ZDNet.com.au that after running Sood's proof of concept he found that Internet Explorer 8 (release candidate 1 and beta 2 versions) and Opera 9.63 (the latest version) were not exposed to the flaw. But, like Chrome, Firefox 3.0.5 was exposed.

Google's security researchers had not found any attacks in the wild that exploited the specific vulnerability, said Google's representative.

Clickjacking is a relatively new browser attack on which security researchers Robert Hansen and Jeremiah Grossman gave a talk late last year at the Open Web Application Security Project security conference in New York. Such an attack broadly fits within the category of cross-site request forgery, where an attacker uses maliciously crafted HTML or JavaScript code to force a victim's browser to send an HTTP request to a Web site of the attacker's choosing.

"Clickjacking means that any interaction you have with a Web site you're on, for example like clicking on a link, may not do what you expect it to do," explained Herath.

"You may click on a link that looks like it's pointing to a picture on Flickr, but in reality, it might first direct you to a drive-by-download server that serves malware. These types of attacks can be used to make you interact with Web services you're already logged onto in ways that you would never want to, without you even knowing that it has happened."

Liam Tung reports for ZDNet Australia from Sydney.

October 16, 2008 5:47 AM PDT

Adobe addresses Flash Player 'clickjacking' flaw

by Tom Espiner

Adobe Systems has addressed a security flaw in its Flash Player products that could lead to 'clickjacking' attacks.

Flash Player 10, released on Wednesday, includes a fix for the clickjacking vulnerability published by researchers Jeremiah Grossman and Robert Hansen earlier this month.

Clickjacking attacks take advantage of vulnerabilities in Adobe Flash Player 9.0.124.0 and earlier, as well as vulnerabilities in browsers such as Internet Explorer, Opera, Firefox, and Safari. Exploitation of the flaws could allow an attacker to disguise Web site elements, such as dialog boxes and links, so that the user is fooled into visiting malicious Web sites.

"Flash Player 10 addresses Flash Player-specific aspects of the overall clickjacking issue," Adobe product security program manager David Lenoe wrote in a blog post Wednesday.

The Flash Player 10 update also helps prevent a clickjacking attack on a user's Webcam and microphone, according to an Adobe security advisory. This variant of the attack could allow eavesdropping.

The update contains four more security fixes, including a mitigation against clipboard attacks and a fix for a port-scanning issue. For customers who cannot upgrade to Flash Player 10, a Flash Player 9 update is currently scheduled for early November, according to the advisory.

On Wednesday, Adobe also published a security advisory for Flash Creative Suite 3 Professional, warning of a potential flaw that allows an attack using malformed SWF files. Flash Creative Suite 4, released on Wednesday, and Flash Player products, are not affected by this issue.

Tom Espiner of ZDNet UK reported from London.

October 8, 2008 12:51 PM PDT

'Clickjacking' attack hides behind the mouse

by Robert Vamosi

On Tuesday, Adobe issued a workaround for a serious issue that could allow attackers to change the security settings within Flash.

Termed "clickjacking," the process gives "an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable," wrote WhiteHat Security CTO Jeremiah Grossman in a blog posting last month. He went on to say that while "guarding against Clickjacking was largely the browser vendors' responsibility," both he and Robert Hansen agreed to withhold further information and even canceled their recent talk at the OWASP NYC AppSec 2008 Conference at the request of Adobe. In return, Adobe thanked the researchers.

In brief, the attack involves embedded objects on a maliciously crafted Web page. Using framed content, or content from Flash, Silverlight, or Java, the attacker places a transparent or invisible click button beneath the mouse so that whenever the user clicks on something they see on the page (to see more search results on Google, for example), the user is also clicking on an unseen Web site that may contain malicious code. The attack can also take advantage of dynamic HTML and CSS (Cascading Style Sheets) code to further disguise itself.

In a blog, Guy Aharonovsky describes a process using clickjacking where Flash security settings can be changed to allow an attacker access to a PC's Webcam or microphone. This, he says, could create remote eavesdropping possibilities.

Although the demonstration page created by Aharonovsky has been disabled, his video demonstration shows a rigged click button as it randomly moves around the page. In reality, the click button under the mouse would be transparent or invisible to the user. In the background Aharonovsky shows the attack modifying the Flash privacy settings. Aharonovsky says "bear in mind that every Flash, Java, Silverlight, DHTML game or application can be used to achieve the same thing."

The flaws--there may be a half dozen or so specific vulnerabilities related to this--affect users of Internet Explorer, Firefox, Opera, Apple Safari, and Google Chrome. Turning JavaScript off within the browser won't work. The attack doesn't rely on JavaScript. Grossman commented: "Clickjacking is a well-known issue, but severely underappreciated and largely undefended."

Adobe advises users of Flash to set the Adobe Flash Player Settings Manager to "always deny." This means that, after changing this setting, users will not be asked to allow or deny camera and/or microphone access. Adobe says a Flash Player update addressing the issue will be available before the end of the month.

Users of Firefox should in the meantime consider using the NoScript plug-in and setting it to forbid iframe content. More details on configuring NoScript to block this attack can be found here.

Additional US-CERT tips for securing other browsers can be found here.

October 3, 2008 12:01 AM PDT

'Internet safety' may be an oxymoron

by Dennis O'Reilly

To the short list of life's certainties--death and taxes--we can now add "Web threats."

Early indications are that there will be no quick fix for clickjacking, which enables a PC to be infected with malicious software simply by clicking a disguised link on a Web page. All browsers are equally vulnerable, and there appears to be no sure solution, at least in the short term. Even disabling JavaScript and other advanced Web features won't prevent an infection.

Does this mean you should cancel your broadband account and dig out the ham radio? I don't recommend it. In fact, reports such as these show the folly of believing that our Web browsing is ever completely safe. No hardware or software will ever be 100 percent secure.

Yes, keep your antivirus definitions up-to-date. Yes, use a firewall. Download and install Giorgio Maone's NoScript extension for Firefox (donation requested) to gain site-by-site control over the scripts that run in the browser.

But even these precautions are no substitute for common sense. Be careful about the sites you visit and the links you click. View your e-mail as plain text; Microsoft's support site provides instructions for doing so in Outlook 2003 and 2007. In Mozilla Thunderbird, simply click View, Message Body As, Plain Text.

Last, but definitely not least, every PC user must acknowledge that the day will dawn when their system crashes for good--whether due to a malware attack or (more likely) a hardware or software failure. Keep your data backed up. In addition to creating an image backup of your hard drive once or twice a year, using a program such as Acronis' $50 True Image Home (15-day free trial), use an online backup service to keep your important data files fresh.

Originally posted at Workers' Edge
Dennis O'Reilly has covered PCs and other technologies in print and online since 1985. Along with more than a decade as editor for Ziff-Davis's Computer Select, Dennis edited PC World's award-winning Here's How section for more than seven years. He is a member of the CNET blog Network, and is not an employee of CNET.