Lin-Shung Huang and Collin Jackson (Carnegie Mellon University)
Clickjacking attacks were originally described by Robert Hansen and Jeremiah Grossman in 2008 [1][2]. In these attacks, the attacker tricks the user into interacting with a malicious web page, but routes the user’s input to another web page that would result in undesirable consequences. A commonly used technique is to embed the targeted web page with a completely transparent IFRAME and lure the user to click on it unintentionally. There are plenty of known variants demonstrated by researchers, with or without JavaScript [3].
Clickjacking seems to have caught more attention since the exposure of widespread real-world exploits, including Tweetbomb [4] and Likejacking [5] worms. These attacks trick users to share malicious links to their friends, which quickly propagates across the social network. There are many potential consequences of clickjacking such as allowing click frauds or performing online payment, although the impact of these attacks in the wild is less clear. One concerning clickjacking PoC [6] allowed accessing the user’s webcam via Flash Player, fortunately this specific vulnerability has been fixed by Adobe.
Note that the security risks of transparent IFRAMEs have been discussed as early as 2002 [7]. However, disabling the transparency of cross domain IFRAMEs would break the functionality of some websites, yet still fail to prevent clickjacking attacks completely. Unarguably, designing a reliable clickjacking defense without breaking compatibility is non-trivial. Notably, Michal Zalewski offered some valuable insights on how browsers may help to prevent clickjacking [8], and ClearClick [9] can be used to provide automatic protection with some compatibility cost. The current solution for web pages to protect themselves is using JavaScript framekillers or the browser-enforced X-Frame-Options [10] to opt out of being framed. Given that framekillers may be circumvented [11] and X-Frame-Options has made its way into current major browsers (check Browserscope), the recommended defense for sensitive web pages is probably to deploy both.
However, popular web applications nowadays provide widgets (or social plugins, e.g. Facebook Like buttons) that are designed to be embedded by third party websites. It should be noted that previous solutions do not offer any protection for these widgets. Some attacks on widgets may even cause serious privacy implications. In the following sections, we first describe a practical de-anonymization attack on social network users, based on Likejacking. Then, we introduce a new type of click timing attack called double-clickjacking that can bypass current defenses and steal the user’s data from popular OAuth service providers. We would like to make clear that IFRAME-based defenses are ineffective. Moreover, clickjacking is not all about IFRAMEs.
Most users probably do not want to reveal their real identity when visiting random websites. We learned in Oakland 2010 [12] that it is feasible for a malicious website to uniquely identify 42% of the users in social networks that use groups based on browsing history leaks. Fortunately, the history sniffing technique required in their attack has been prohibited by major browsers thanks to David Baron’s fix [13]. However, we will explain how social network users can still be uniquely identified if they are tricked to perform a single click on a malicious website. We tested these attacks on all major browsers.
Facebook provides a Like button that can be embedded by third party websites and allows users to share content with friends and become a fan of a Facebook page with a single click. We already know that existing Likejacking worms can cause massive Like frauds, we further explore the possibility of websites using Likejacking to de-anonymize users in real-time. A web attacker who is an admin of a Facebook page and has his own server may craft a malicious web page to clickjack the Like button and fetch the user’s public profile.
Analogously, Twitter provides a Follow button that can be embedded by third party websites and allows users to become a follower of a Twitter account with a single click. A web attacker who owns a Twitter account and has his own server may craft a malicious web page to clickjack the Follow button and fetch the user’s public profile.
OAuth allows users to share private resources (e.g. photos, contacts, email) from one application to another application without handing out credentials. In the OAuth protocol workflow, the service provider typically displays a page asking the user to approve allowing the third party application to access the user’s private data. The key point here is that the user needs to click on the approval button to allow sharing his private data. One can imagine the serious consequences if the OAuth approval page can be clickjacked. Attacks using transparent IFRAMEs have been described in 2009 [14]. Fortunately, OAuth service providers such as Google have deployed X-Frame-Options on the approval page, thus previous attacks do not work. However, we demonstrate a double-clickjacking attack that can circumvent existing clickjacking defenses.
As mentioned, Google deploys X-Frame-Options on their OAuth approval pages. Although the attacker can no longer embed the approval page in an IFRAME, it is possible to load the approval page in a pop-under window. A pop-under window is a basically a popup window that is hidden behind the main browser window right after it was opened. Since modern browsers block popup windows unless triggered by user-initiated clicks, we require multiple clicks in this specific attack to bypass popup blockers. While our demo pulls data from the user’s Google contacts, a real attacker may also choose to read the user’s GMail messages. We tested the attack on current versions of 4 major browsers.
We’ve been experimenting other types of click timing attacks that do not require double-clicking. Another focus of our work is to provide a reliable clickjacking defense for web applications.
[1] R. Hansen and J. Grossman, “Clickjacking,” 2008.
[2] R. Hansen, “Clickjacking Details,” 2008.
[3] E. Vela, “About CSS Attacks,” 2008.
[4] M. Mahemoff, “Explaining the “Don’t Click” Clickjacking Tweetbomb,” 2009.
[5] Wikipedia, “Likejacking,” 2011.
[6] G. Aharonovsky, “Malicious camera spying using ClickJacking,” 2008.
[7] J. Ruderman, “Bug 154957 - iframe content background defaults to transparent,” 2002.
[8] M. Zalewski,“[whatwg] Dealing with UI redress vulnerabilities inherent to the current web,” 2008.
[9] G. Maone, “Hello ClearClick, Goodbye Clickjacking!” 2008
[10] E. Lawrence, “IE8 Security Part VII: ClickJacking Defenses,” 2009.
[11] G. Rydstedt, E. Bursztein, D. Boneh, and C. Jackson, “Busting frame busting: a study of clickjacking vulnerabilities at popular sites,” in Web 2.0 Security and Privacy (W2SP), 2010.
[12] G. Wondracek, T. Holz, E. Kirda, and C. Kruegel, “A Practical Attack to De-Anonymize Social Network Users,” in Proceedings of the 31st IEEE Symposium on Security and Privacy, 2010.
[13] D. Baron, “Preventing attacks on a user's history through CSS :visited selectors,” 2010.
[14] S. Sclafani, “Clickjacking & OAuth,” 2009.