There is a major and developing browser security issue called ‘Clickjacking’ – AKA User Interface Redress Attack (UIRA) – that is set to cause havoc with consumers and brands alike: are you ready for it? Brian Pettit, Technical Director at MCP, talks us through what it is and how to combat it.
Clickjacking is taking the internet by storm – but not in a good way. It is a malicious technique of tricking a web user into clicking on something different to what they thought they were clicking on, so that simply by browsing a seemingly innocuous web page, the user’s confidential information is potentially compromised or, even worse, they lose control of their device.
It involves a small piece of embedded code that executes without the user’s knowledge and appears to perform one function while actually performing another.
It is relatively new to the web, but there are already many examples of it and it is a growing problem when looking at how your site works and, especially for telemedia companies, what it means for compliance.
Examples seen on the web range from tricking users into making their social networking profile information public; downloading malware that allows a remote attacker to take control of the device; fooling users into following someone on Twitter or sharing links on Facebook; and clicking Google AdSense ads to generate pay-per-click revenue.
But this is the tip of the iceberg: they can get much more ugly. One recent attack we have tracked on our Veriscanner monitoring tool involves an attacker building a website that has a button on it that says “click here for a free iPod”. However, on top of that web page, the attacker has loaded an iframe with the victim’s email account – and lined up exactly the “delete all messages” button directly on top of the “free iPod” button. The victim tries to click on the “free iPod” button, but instead actually clicks on the invisible “delete all messages” button. In essence, the attacker has “hijacked” the victim’s click, hence the name “Clickjacking”.
Another example where clickjacking can be put to even more sinister use is where an attack is made against the Adobe Flash plugin settings page. By loading this page into an invisible iframe, an attacker could trick a user into altering the security settings of Flash, giving permission for any Flash animation to utilize the computer’s microphone and camera.
Clickjacking has also made the news in the form of a Twitter worm. This clickjacking attack convinced users to click on a button that caused them to re-tweet the location of the malicious page, and propagated it massively.
There have also been clickjacking attacks abusing Facebook’s “Like” functionality. Attackers can trick logged-in Facebook users to arbitrarily like fan pages, links, groups and more.
Clickjacking is sinister: while many examples are more like pranks, many others give the hacker a way into the private world of the PC and all the information therein.
Clickjacking and PRS
Clickjacking, in the context of Premium Rate Services, is usually experienced when the Operator or Aggregator’s payment pages are, in some way, ‘interfered’ with. So when a user, on a Mobile Gateway connection, clicks on a merchant landing page to go to the payment page, the attacker can obfuscate the page (or a portion thereof) with some innocuous-looking ‘play’ or ‘continue’ button using iframe masking.
A methodology we have seen recently: the victim opens a ‘child’ (subordinate) page, which shifts their focus to it while keeping the ‘parent’ page invisible; with the aid of some simple scripting instructions passed from one page to the other, a variety of JavaScript methods are used by the attacker to auto-click confirmation buttons.
Other forms of click-jacking are possible in non-gateway environments; the most typical one being a request for MSISDN-entry while obfuscating the price.
There are a few defence tools (listed under ‘Tools for the defence’ below), but programmatically detecting all sources of clickjacking is virtually impossible. At MCP, our solution is to detect the net effect, i.e. the non-compliant payment pages. MCP has been working on a solution for some months and can now provide this capability to protect merchants against such attacks.
Tools for the defence
There are a few defence tools for website owners that may help protect them from these attacks:
- X-Frame-Options headers will protect your website by preventing other sites from loading your pages inside a frame.
- Use HTTPS on all of your websites.
- Sending the HTTP Strict Transport Security (HSTS) header should ensure communications between your website visitors and your servers stay encrypted.
- Move elements on your pages: a recent Facebook attack was possible because the Share button was always placed in the same spot. When someone frames your site, they are “blind”: the browser knows where to render a button, but an attacker cannot check where that button is, so position your button randomly.
The above helps, but there is no perfect solution for clickjacking protection yet. The methods given are not perfect, mostly because they affect your regular users and make your pages a little harder to use.
Brian Pettit is Technical Director at MCP