You don't know (click)jack

Robert Lemos

SecurityFocus

Researchers Robert Hansen of SecTheory LLC and Jeremiah Grossman of WhiteHat Security planned to reveal the details of an attack against browsers late last month, yet pulled the presentation at the request of Adobe.


The technique, which is also known as user-interface (UI) redress and IFRAME overlay, can be used by an attacker to hide a button or link on a legitimate page, such as a bank's account page or Web mail application, using other Web content to mask the page's context. Using well-placed graphics, an attacker could persuade a victim to click where an attacker wants on a page.
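The overlay only works if the target page can be loaded inside another site's frame. As an added defensive check that is not part of the interview or of Hansen and Grossman's work, the JavaScript below classifies a response's framing policy from the two headers browsers later standardised for this purpose, X-Frame-Options and the Content-Security-Policy frame-ancestors directive; the sample responses are constructed for illustration.

```javascript
// Added example, not from the SecurityFocus interview: decide whether an HTTP
// response lets other sites frame it, the property clickjacking relies on.
// Both defenses postdate the interview: X-Frame-Options (2009) and CSP's
// frame-ancestors directive. The sample responses below are constructed.

// Returns true when frame-ancestors would stop an arbitrary third-party frame,
// false when it allows any origin, null when the directive is absent.
function cspRestrictsFraming(csp) {
  const directive = csp.split(';')
    .map(d => d.trim())
    .find(d => d.toLowerCase().startsWith('frame-ancestors'));
  if (!directive) return null;
  const sources = directive.split(/\s+/).slice(1).map(s => s.toLowerCase());
  // '*' or a bare http:/https: scheme-source lets any origin frame the page.
  return !sources.some(s => s === '*' || s === 'http:' || s === 'https:');
}

// headers: object keyed by lowercase header name, as node's http module returns.
function framingPolicy(headers) {
  const csp = headers['content-security-policy'];
  if (csp !== undefined) {
    const restricted = cspRestrictsFraming(csp);
    // Browsers that understand frame-ancestors ignore X-Frame-Options when both exist.
    if (restricted !== null) {
      return { framable: !restricted, source: 'frame-ancestors' };
    }
  }
  const xfo = headers['x-frame-options'];
  if (xfo !== undefined) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY' || v === 'SAMEORIGIN') return { framable: false, source: 'x-frame-options' };
    // ALLOW-FROM was never widely supported and unknown values are ignored by
    // browsers, so anything else counts as no protection.
    return { framable: true, source: 'x-frame-options', note: `unsupported value "${xfo.trim()}"` };
  }
  return { framable: true, source: 'none' };
}

// Constructed sample responses (not real sites).
const samples = {
  unprotected: { 'content-type': 'text/html' },
  legacy: { 'x-frame-options': 'SAMEORIGIN' },
  csp: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  cspOpen: { 'content-security-policy': 'frame-ancestors *', 'x-frame-options': 'DENY' },
};

for (const [name, h] of Object.entries(samples)) {
  console.log(name, JSON.stringify(framingPolicy(h)));
}
```

Pages reported as framable are the ones whose buttons an overlay page could position under a visitor's cursor, so they are the ones to fix first.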

While browser makers had known about the possibility of user-interface redress, or "clickjacking" as Hansen and Grossman call the technique, the two security researchers had found at least one major security implication: The attack also affected one of Adobe's products.

Hansen and Grossman chatted with SecurityFocus managing editor Robert Lemos to talk about clickjacking as well as possible solutions to the problem.

SecurityFocus: What is clickjacking? How does it work?

Grossman: Think of any button -- image, link, form, etc. -- on any website, internal or external, that you can get to appear between the Web browser walls. This includes wire transfer on banks, DSL router buttons, Digg buttons, CPC advertising banners, and Netflix queues. Next consider that an attacker can invisibly hover these buttons below the user's mouse, so that when a user clicks on something they visually see, they're actually clicking on something the attacker wants them to.

Now, what could the bad guy do with that ability? The potential is limitless. The more we researched, the worse the exploits became. Several different flaws exposed themselves, making a once underestimated attack technique extremely scary.

Is this a problem that you and Robert discovered? Or has it been known before this? How did you come to focus on this issue?

Grossman: Robert and I discovered the clickjacking attack technique for ourselves around a year and a half ago. Recently we've been told that the Web browser vendors knew of the issue as early as 2002. What we also know is the attack has been largely underestimated and undefended by the Web security community in general. Post Black Hat 2008, some research we were conducting was furthered by using clickjacking.

Why discuss it now? Has anything changed in regards to the threat level of this?

Grossman: We felt the true power of clickjacking was not well known or fully investigated, so we planned to present it at the OWASP conference. What we didn't know -- didn't realize -- at the time was that one of our proof-of-concept demo examples used a zero-day in an Adobe product. This further verifies that clickjacking has many uses other than what people have given it credit for.

What are likely ways that an attacker could use clickjacking? Are these easy attacks?

Grossman: Other than the examples cited in question #1, attackers can also bypass token-based CSRF (cross-site request forgery) protections. This on its own is a really big deal.

Is JavaScript required to execute these attacks?

Grossman: Having JavaScript turned on in the Web browser makes clickjacking attacks easier to perform, but strictly speaking it's not always required for successful exploitation.