Researcher shows new clickjacking methods

Two years after a serious clickjacking issue was first revealed, browsers and Web sites are still vulnerable

A computer security researcher has released a new browser-based tool that can be used to experiment with next-generation "clickjacking" attacks along with details of the four new techniques.

Clickjacking is a style of attack where a user is tricked into clicking on certain parts of a Web page with hidden buttons that perform malicious actions. The hidden buttons are delivered by an invisible iframe, which is a window that brings other content into the target Web site.

Clickjacking become well-known in 2008 after researchers Robert Hansen and Jeremiah Grossman discovered a kind of attack involving Adobe Systems' Flash application that could give remote access to a victim's Web camera and microphone.

Since that time, many Web sites and browser makers have taken steps to shore up their defenses, but the vast majority of sites are not protected, said Paul Stone, a security consultant with Context Information Security in the U.K. He revealed four new kinds of clickjacking attacks on Wednesday at the Black Hat conference that are effective against most Web sites and browsers.

Stone showed one demonstration that used the drag-and-drop API (application programming interface) implemented in all browsers. With some social engineering, users can be tricked into dragging an item on a Web page, which would cause text to be inserted into fields.

"There are many things that this could be used for," Stone said. "You could send fake e-mails from a user's account. You could also edit documents in some kind of document-editing system."

Stone also showed a content-extraction clickjacking attack, which could be used to steal tokens that are used to authenticate a session and guard against CSRF (cross-site request forgery) attacks. In a CSRF attack, a Web application is tricked into honoring a request from a malicious Web site.

Stone has developed a tool that developers can use to try out the new clickjacking techniques. It is available for download on his company's Web site.

The tool is a point-and-click browser-based application. It has a "visible" replay mode to see how exactly a particular attack works and also a "hidden" mode that shows the attack from the victim's perspective. The tool is in beta and works with Firefox 3.6, although Stone said they are working on compatibility with other browsers.

Stone recently discovered two browser-specific clickjacking vulnerabilities, one in Internet Explorer and one in Firefox, which have both been patched. Browser makers have also been implementing ways to guard against clickjacking.

Internet Explorer 8, Safari version 4 and higher and Chrome version 2 and higher now recognize an HTTP header called X-Frame-Options. As long as a Web page is tagged with that, the browsers will prevent the Web site from being rendered within a frame, which clickjacking requires. Mozilla is planning to have the feature in a future version of Firefox.

Web sites can also use JavaScript to obscure or hide content and also prevent a page from being displayed in an iframe. Facebook and Twitter use JavaScript, but do not use X-Frame-Options, according to Stone. Using JavaScript, however, is not completely effective.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags clickjacking

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jeremy Kirk

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Bitdefender 2019

Bitdefender solutions stop attacks before they even begin! Get cybersecurity that 500 MILLION users already have and trust.

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?