Thursday, May 13, 2010

Web users still at risk from clickjacking

Web users are still vulnerable to so called clickjacking despite its having been around for some time. Clickjacking, also known as UI redressing, is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous Web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.

Clickjacking became well-known in 2008 after researchers Robert Hansen and Jeremiah Grossman discovered a type of attack involving Adobe Systems' Flash application that could give remote access to a victim's Web camera and microphone. Since that time, many Web sites and browser makers have taken steps to shore up their defences, but the vast majority of sites are not protected.

Social networking sites are particular targets, but the attacks might go further. And no browser is immune. Opening the Twitter interface Brizzly in Google Chrome might display the following warning: "Though it looks like it, there's a chance you're NOT looking at This may have been a clickjacking attempt. Best advice: close this window or tab and type to get back to Brizzly". But the user may receive no warning at all.

The basic idea is that an attacker loads the content of an external site into the site being visited, sets the external content to be invisible and then overlays the page the user is looking at. When a link is clicked on the page one may in fact be clicking on the externally loaded page and about to load whatever the attacker intends.

"Clickjacking was first announced two years ago, but most sites aren't protected against it," says Paul Stone, a security consultant with Context Information Security in the UK, "And people don't realize how it works."

Facebook and Twitter both have suffered from clickjacking -- in December, Facebook was hit with an attack that came in the form of a comment on a user's account with a photo and a link. The link took the victim to a Web page that presented like a CAPTCHA or Turing test, and lured the user into clicking on the blue "Share" button on the Facebook page. A Web developer, meanwhile, released a proof-of-concept attack against Twitter that allowed an attacker to hijack a member's "update" function [Dark Reading].

In the end, there doesn't appear to be a an easy, or even complete, solution to the issue and where there are work arounds, they often create further problems [WebMonkey / Information Week]. All the major browser makers will have to address this issue soon as the issue may become more serious than just hitting social network sites. Banking and financial sites could also be compromised in the same way.Website designers also need to take the warnings seriously. These attacks, Stone says, work in the many versions of Internet Explorer, Firefox, Safari, and Chrome. However, some have begun to address the issue. Internet Explorer 8, Safari version 4 and higher and Chrome version 2 and higher now recognize an HTTP header called X-Frame-Options. As long as a Web page is tagged with that, the browsers will prevent the Web site from being rendered within a frame, which clickjacking requires. Mozilla is planning to have the feature in a future version of Firefox.

tvnewswatch, Beijing, China

No comments: