
Clickjacking

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 82.176.175.208 (talk) at 14:54, 31 July 2009 (Frame busting code doesn't work, see also: http://www.codinghorror.com/blog/archives/001277.html). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Clickjacking[1][2][3] is a malicious technique for tricking web users into revealing confidential information or handing over control of their computer while they click on seemingly innocuous web pages.[4] Affecting a variety of browsers and platforms, a clickjacking attack takes the form of embedded code or script that executes without the user's knowledge, for example when the user clicks a button that appears to perform a different function.[5]

Clickjacking (a term coined by Jeremiah Grossman and Robert Hansen in 2008) can be understood as an instance of the Confused deputy problem [1].

Example

Clickjacking, also known as UI Redressing, is possible not because of a software bug, but because seemingly harmless features of web pages can perform unexpected actions.

A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. Users think they are clicking the visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page, so the attackers can trick users into performing actions the users never intended, and there is no way of tracing such actions later, because the user was genuinely authenticated on the other page.

For example, a user might play a game in which they have to click on some buttons, but another authentic page, such as a web mail site from a popular service, is loaded in a hidden iframe on top of the game. The iframe will load only if the user has saved the password for its respective site. The buttons in the game are placed such that their positions coincide exactly with the "select all mail" button and then the "delete mail" button. The consequence is that the user unknowingly deletes all the mail in their folder while playing a simple game. Other known exploits have included tricking users into enabling their webcam and microphone through Flash (which has since been corrected by Adobe), tricking users into making their social networking profile information public, making users follow someone on Twitter, etc.[citation needed]

Prevention

Mozilla Firefox has no native protection against Clickjacking. Protection against clickjacking can be added by installing the NoScript add-on: its ClearClick[2] feature, released on 8 October 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all the types of Clickjacking (i.e. frame-based and plugin-based).[6]

Web site owners can protect their users against UI Redressing (frame-based Clickjacking) on the server side by including a Framekiller JavaScript snippet in those pages they do not want to be included inside frames from different sources.[7]

Such JavaScript-based protection, unfortunately, is not always reliable. This is especially true on Internet Explorer[7], where this kind of countermeasure can be circumvented "by design" by including the targeted page inside an <IFRAME SECURITY=restricted> element.[8]
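The following is an added example of a Framekiller of the kind the two paragraphs above describe; it is not code from the article or from any of the cited authors. It assumes the protected page ships with `<style>html{display:none}</style>` in its `<head>`, so the document stays invisible (and therefore unclickable) unless the script confirms it is the top-level document; that "hidden until proven top-level" arrangement is what makes the snippet fail closed when a framing page manages to block the navigation, which is the unreliability the text warns about. The decision is factored into functions that take a window-like and a document-like object (`win`, `doc` are placeholders for `window` and `document`) so it can be exercised outside a browser.

```javascript
// Added example, not code from the article: a framekiller ("frame-busting"
// snippet). Pairs with <style>html{display:none}</style> placed in <head>
// before this script, so the page is hidden until proven top-level.
// `win` and `doc` stand in for window and document (assumption: the caller
// passes the real objects in a browser, mocks elsewhere).

// Return "show" when the document is top-level, "bust" when it is framed.
// In a browser, window.top === window.self only outside any frame.
function framingDecision(win) {
  return win.top === win.self ? 'show' : 'bust';
}

// Apply the framekiller: reveal a top-level page, otherwise try to replace
// the framing page with this one. If the framing page blocks that
// navigation, the document simply stays hidden, which is the point of
// hiding it by default rather than relying on the navigation alone.
function applyFrameProtection(win, doc) {
  const decision = framingDecision(win);
  if (decision === 'show') {
    doc.documentElement.style.display = 'block';
  } else {
    win.top.location = win.self.location;
  }
  return decision;
}

// Run automatically when loaded by a browser; a no-op under Node.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyFrameProtection(window, document);
}
```

Placing the script as early as possible in `<head>` matters: every element rendered before it runs is a clickable element the check has not yet protected.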

On 26 January 2009 Microsoft released RC1 of Internet Explorer 8, which includes a new partial ClickJacking prevention option. Web site developers will be able to add a tag in a page header to help detect and prevent frame-based UI Redressing. IE 8, according to Microsoft, “will detect sites that insert the tag and give users a new error screen indicating that the content host has chosen not to allow their content to be framed, while giving users the option to open the content in a new window.” [9] According to NoScript's developer Giorgio Maone, however, this feature can be regarded as a work-around for Framekillers being broken on IE and, "if a web site owner is skilled and careful enough to implement" this countermeasure, "he will surely deploy the simple and understood JavaScript frame busting one-liner too, and every browser is equally protected".[8]

Microsoft's suggested solution[10], which has since also been implemented[11] in Apple's Safari web browser, is to check for a new HTTP header, X-FRAME-OPTIONS. This header can have two values, DENY and SAMEORIGIN, which will block any framing or framing by external sites, respectively.
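As an added example (not code from the article, Microsoft or Apple), the block below shows both halves of the X-FRAME-OPTIONS mechanism described above: a server-side helper that emits the header with one of the two values named in the text, and a model of the check a browser performs when it receives that header for a framed document. The route handler and the origin comparison are this example's own constructions; in particular it checks every framing ancestor against the page's origin, which is the stricter reading of SAMEORIGIN, whereas some implementations compared only the top-level document.

```javascript
// Added example, not code from the article: emitting X-Frame-Options on the
// server and modelling how a browser evaluates it for a framed document.

// Origin of a URL as scheme://host[:port], the unit browsers compare.
function originOf(url) {
  return new URL(url).origin;
}

// Build the response header for a policy. Only the two values the article
// names are accepted, so a typo cannot silently produce a value the
// browser would ignore (an ignored header means the page is framable).
function xFrameOptionsHeader(policy) {
  const p = String(policy).toUpperCase();
  if (p !== 'DENY' && p !== 'SAMEORIGIN') {
    throw new Error('X-Frame-Options must be DENY or SAMEORIGIN, got: ' + policy);
  }
  return { 'X-Frame-Options': p };
}

// Model of the browser-side check. pageUrl is the framed document,
// ancestorUrls the chain of framing documents from the immediate parent
// up to the top-level page (empty when not framed at all). Returns true
// when the browser should render the document.
function allowedToRender(headerValue, pageUrl, ancestorUrls) {
  if (ancestorUrls.length === 0) return true;           // not framed
  const value = (headerValue || '').trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') {
    // Assumption: every ancestor must share the page's origin (the strict
    // reading); comparing only the top-level origin is weaker.
    const origin = originOf(pageUrl);
    return ancestorUrls.every((u) => originOf(u) === origin);
  }
  return true;   // header absent or unrecognised: browser renders the frame
}

// Where the header is set on a Node-style response (hypothetical handler;
// res is expected to provide writeHead and end as Node's http.ServerResponse does).
function protectedPageHandler(req, res) {
  const headers = Object.assign(
    { 'Content-Type': 'text/html; charset=utf-8' },
    xFrameOptionsHeader('SAMEORIGIN')
  );
  res.writeHead(200, headers);
  res.end('<!doctype html><title>Protected page</title><p>Not framable by other sites.</p>');
  return headers;
}
```

Both halves must agree: the header protects nothing on a browser that does not implement it, which is why the article's sources recommend shipping it alongside the Framekiller rather than instead of it.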

Both Framekillers and IE8's mitigation approach, however, require web developers to protect vulnerable pages by modifying their content or the way they are served, although, even on "protected" pages, they cannot prevent plugin-based Clickjacking variants since they don't need frames. The NoScript add-on for Firefox remains the only free product providing automatic client-side protection, with no need for awareness and cooperation from the web site authors.[7]

References

  1. Robert McMillan (2008-09-17). "At Adobe's request, hackers nix 'clickjacking' talk". PC World. Retrieved 2008-10-08.
  2. Megha Dhawan (2008-09-29). "Beware, clickjackers on the prowl". India Times. Retrieved 2008-10-08.
  3. Dan Goodin (2008-10-07). "Net game turns PC into undercover surveillance zombie". The Register. Retrieved 2008-10-08.
  4. Fredrick Lane (2008-10-08). "Web Surfers Face Dangerous New Threat: 'Clickjacking'". newsfactor.com. Retrieved 2008-10-08.
  5. Sumner Lemon (2008-09-30). "Business Center: Clickjacking Vulnerability to Be Revealed Next Month". Retrieved 2008-10-08.
  6. Giorgio Maone (2008-10-08). "Hello ClearClick, Goodbye Clickjacking". hackademix.net. Retrieved 2008-10-27.
  7. Michal Zalewski (2008-12-10). "Browser Security Handbook, Part 2, UI Redressing". Google Inc. Retrieved 2008-10-27.
  8. Giorgio Maone (2008-10-27). "Hey IE8, I Can Has Some Clickjacking Protection". hackademix.net. Retrieved 2008-10-27.
  9. Mary Jo Foley (2009-01-26). "Near-final IE 8 test build ready for download". Retrieved 2009-01-26.
  10. Eric Lawrence (2009-01-27). "IE8 Security Part VII: ClickJacking Defenses". Retrieved 2009-06-10.
  11. Ryan Naraine (2009-06-08). "Apple Safari jumbo patch: 50+ vulnerabilities fixed". Retrieved 2009-06-10.

See also