Jeremiah Grossman, chief technology officer of Whitehat Security, and another researcher coined the term clickjacking.
(Credit: Whitehat Security)What if you reached to grab a newspaper out of a news stand and you found a rock in your hand instead? How about opening the front door to a grocery store and ending up on a boat?
This sounds like a Matrix movie, but the virtual equivalent of this is real and poses one of the most serious new risks on the Internet, according to Jeremiah Grossman, chief technology officer and co-founder of Whitehat Security.
"Most exploits (like worms and attacks that take advantage of holes in software) can be patched, but clickjacking is a design flaw in the way the Web is supposed to work," Grossman said. "The bad guy is superimposing an invisible button over something the user wants to click on...It can be any button on any Web page on any Web site."
The technique was used in a series of prank attacks launched on Twitter in February. In that case, users clicked on links next to tweets that said "Don't Click" and then clicked on a button that said "Don't Click" on a separate Web page. That second click distributed the original tweet to all of the Twitter user's followers, thus propagating itself rather quickly.
At the time, Grossman called it a "harmless experiment," but the potential for harm by an attacker who isn't just having fun is huge.
In a demo at CNET offices on Thursday, Grossman showed how someone could launch a clickjacking attack using Flash to spy on someone by getting them to turn on their computer Web cam without knowing it. (Grossman also appeared on CNET Live to talk about clickjacking.)
Like the name suggests, clickjacking is the hijacking of your click, unbeknownst to you. A victim may not even know that the click has been redirected, which means there could be clickjacking attacks going on that no one knows about yet.
Clickjacking attacks are accomplished by creating something called an iFrame that allows a browser window to be split into segments so that different items can be shown on each. This code is inserted into the target Web page and is invisible to the end user. When the end user's cursor clicks on the section of the page where the malicious iFrame is hiding, the attack is launched to do whatever the attacker desires.
An attacker could hide an iFrame under any innocent link on any Web page--a headline on The New York Times or a "digg this" button on Digg, for instance--and when the victim clicks on the link, the cursor is actually clicking on the hidden iFrame.
In the Web cam demo, the iFrame created contains a Flash pop-up window that asks the user to grant permission to have the Web cam turned on. When the victim clicks the link, the Web cam is turned on and secretly begins recording everything the user does in front of the computer.
One of the scariest things about clickjacking is the potential for abuse. An attacker could spy on you by turning on your Web cam or microphone, direct you to a Web page with malicious content that is downloaded onto your computer, or even rig it up so you end up clicking "buy" instead of "cancel" on an e-commerce site.
Another thing that makes clickjacking so serious is that there really is very little that end users can do to protect themselves, Grossman said.
In the Web cam scenario, the best defense is probably to put a post-it note or other item over the Web cam lens and to disable the microphone in the software, he said. Flash Player 10 provides some protection by preventing anything from obscuring the security permissions dialogue box, he said.
In clickjacking an attacker hides a button or action underneath a section of any Web page so that when a visitor clicks a link on that section the click is hijacked by the malicious code to do whatever the attacker wants, completely invisible to the visitor.
(Credit: Jeremiah Grossman)Web site owners optimizing their sites for Internet Explorer 8 have the ability to prevent pages from being framed in, which means visitors to their site will be safe, only on that site and only if they are using IE8, Grossman said.
People using Windows and IE should disable JavaScript to help protect against clickjacking, he said. Firefox is safer; the NoScript add-on for Firefox not only lets people selectively block scripts, but it has a ClearClick feature designed specifically to protect against clickjacking, he added.
People should also log out of Web sites, like Facebook and Twitter, when they are done using them for the time being. "You can't be forced to do something on the site if you are not logged in," Grossman said.
More details are in a white paper on the technique, written by Grossman and Robert Hansen of SecTheory and published in September 2008. Grossman and Hansen coined the term in that document.
The authors canceled their talk on the subject at the OWASP (Open Web Application Security Project) conference that month at Adobe's request because their proof of concept revealed a bug in Adobe's software, according to IDG News Service.
On Tuesday, Adobe issued a workaround for a serious issue that could allow attackers to change the security settings within Flash.
Termed "clickjacking," the process gives "an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable," wrote WhiteHat Security CTO Jeremiah Grossman in a blog posting last month. He went on to say that while "guarding against Clickjacking was largely the browser vendors' responsibility," both he and Robert Hansen agreed to withhold further information and even canceled their talk recently at OWASP NYC AppSec 2008 Conference at the request of Adobe. In return, Adobe thanked the researchers.
In brief, the attack involves embedded objects on a maliciously crafted Web page. Using framed content or that from Flash, Silverlight, or Java, the attacker places a transparent or invisible click button beneath the mouse so that whenever the user clicks on something they see on the page (to see more search results on Google, for example) the user is also clicking to a unseen Web site that may contain malicious code. The attack can also take advantage of dynamic HTML and CSS (Cascading Style Sheets) codes to further disguise itself.
In a blog, Guy Aharonovsky describes a process using clickjacking where Flash security settings can be changed to allow an attacker access to a PC's Webcam or microphone. This, he says, could create remote eavesdropping possibilities.
Although the demonstration page created by Aharonovsky has been disabled, his video demonstration shows a rigged click button as it randomly moves around the page. In reality, the click button under the mouse would be transparent or invisible to the user. In the background Aharonovsky shows the attack modifying the Flash privacy settings. Aharonovsky says "bear in mind that every Flash, Java, Silverlight, DHTML game or application can be used to achieve the same thing."
The flaws--there may be a half dozen or so specific vulnerabilities related to this--affect users of Internet Explorer, Firefox, Opera, Apple Safari, and Google Chrome. Turning JavaScript off within the browser won't work. The attack doesn't rely on JavaScript. Grossman commented: "Clickjacking is a well-known issue, but severely underappreciated and largely undefended."
Adobe advises users of Flash to set Adobe Flash Player Settings Manager to "always deny." This means that users will not be asked to allow or deny camera and or microphone access after changing this setting. Adobe says a Flash Player update addressing the issue will be available before the end of the month.
Users of Firefox should in the meantime consider use of the NoScript plug-in and set it to forbid iframe content. More details on configuring NoScript to block this attack can be found here
Additional US-CERT tips for securing other browsers can be found here.
- prev
- 1
- next
