May 22, 2009

Hijacking Clicks On The Internet

"Clickjacking" One Of Most Serious New Web Risks


(CNET)  This story was written by CNET's Elinor Mills.


What if you reached to grab a newspaper out of a news stand and you found a rock in your hand instead? How about opening the front door to a grocery store and ending up on a boat?

This sounds like a Matrix movie, but the virtual equivalent of this is real and poses one of the most serious new risks on the Internet, according to Jeremiah Grossman, chief technology officer and co-founder of Whitehat Security.

"Most exploits (like worms and attacks that take advantage of holes in software) can be patched, but clickjacking is a design flaw in the way the Web is supposed to work," Grossman said. "The bad guy is superimposing an invisible button over something the user wants to click on...It can be any button on any Web page on any Web site."

The technique was used in a series of prank attacks launched on Twitter in February. In that case, users clicked on links next to tweets that said "Don't Click" and then clicked on a button that said "Don't Click" on a separate Web page. That second click distributed the original tweet to all of the Twitter user's followers, thus propagating itself rather quickly.

At the time, Grossman called it a "harmless experiment," but the potential for harm by an attacker who isn't just having fun is huge.

In a demo at CNET offices on Thursday, Grossman showed how someone could launch a clickjacking attack using Flash to spy on someone by getting them to turn on their computer Web cam without knowing it. (Grossman also appeared on CNET Live to talk about clickjacking.)

Like the name suggests, clickjacking is the hijacking of your click, unbeknownst to you. A victim may not even know that the click has been redirected, which means there could be clickjacking attacks going on that no one knows about yet.

Clickjacking attacks are accomplished using something called an iFrame, an element that lets a browser window be split into segments so that different items can be shown in each. This code is inserted into the target Web page and is invisible to the end user. When the end user clicks on the section of the page where the malicious iFrame is hiding, the attack is launched to do whatever the attacker desires.

An attacker could hide an iFrame under any innocent link on any Web page--a headline on The New York Times or a "digg this" button on Digg, for instance--and when the victim clicks on the link, the cursor is actually clicking on the hidden iFrame.

In the Web cam demo, the iFrame created contains a Flash pop-up window that asks the user to grant permission to have the Web cam turned on. When the victim clicks the link, the Web cam is turned on and secretly begins recording everything the user does in front of the computer.
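The shape the article describes, a frame styled so the reader cannot see it yet still able to take the click, can be looked for in page markup. The following is an added example, not code from the article or from Whitehat Security: a static review heuristic that flags invisible iframes in HTML source. The sample page, the domain names in it and the severity labels are constructed for the example. It is an aid for page authors auditing third-party markup, not a replacement for a rendering-aware browser defense such as NoScript's ClearClick.

```javascript
// Added example (not from the CBS/CNET article): flag <iframe> elements that are
// invisible or nearly invisible yet still clickable, the clickjacking layout.

// Parse a style attribute ("opacity:0; position:absolute") into a name->value map.
function parseStyle(styleText) {
  const decls = {};
  for (const part of styleText.split(';')) {
    const idx = part.indexOf(':');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim().toLowerCase();
    const value = part.slice(idx + 1).trim().toLowerCase();
    if (name) decls[name] = value;
  }
  return decls;
}

// Extract name="value" / name='value' / name=value pairs from one tag's attribute text.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : m[4]);
  }
  return attrs;
}

// Report iframes that are hidden from the eye but can still receive a click.
// display:none frames are skipped: they are not rendered, so nothing can land on them.
function findHiddenFrames(html) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    const style = parseStyle(attrs.style || '');
    if (style.display === 'none') continue;

    const reasons = [];
    const opacity = parseFloat(style.opacity);
    if (!Number.isNaN(opacity) && opacity <= 0.1) reasons.push(`opacity ${opacity}`);
    if (style.visibility === 'hidden') reasons.push('visibility:hidden');
    // Legacy Internet Explorer syntax for a fully transparent element.
    if (/alpha\(opacity\s*=\s*0\)/.test(style.filter || '')) reasons.push('IE filter alpha(opacity=0)');
    if (reasons.length === 0) continue;

    // A hidden frame taken out of normal flow is positioned over something else,
    // which is exactly the overlay the article describes; rate it higher.
    const layered = style.position === 'absolute' || style.position === 'fixed';
    findings.push({
      src: attrs.src || '(no src)',
      severity: layered ? 'high' : 'medium',
      reasons: layered ? reasons.concat(`position:${style.position}`) : reasons,
    });
  }
  return findings;
}

// Constructed sample page: an ordinary video embed, a decoy button, a transparent
// frame layered over the button, and an ad frame hidden with display:none.
const SAMPLE_HTML = `
<html><body>
  <iframe src="https://video.example/embed/123" width="400" height="300"></iframe>
  <button id="decoy">Don't Click</button>
  <iframe src="https://social.example/share?msg=hello"
          style="position:absolute; top:40px; left:10px; opacity:0; z-index:10"></iframe>
  <iframe src="https://ads.example/unit" style="display:none"></iframe>
</body></html>`;

console.log(JSON.stringify(findHiddenFrames(SAMPLE_HTML), null, 2));
```

Only the transparent, absolutely positioned frame is reported; the video embed is visible and the display:none ad cannot be clicked at all. A real audit would also have to consider frames made invisible by CSS rules in stylesheets rather than inline styles, which a source-level scan of the tag alone does not see.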

One of the scariest things about clickjacking is the potential for abuse. An attacker could spy on you by turning on your Web cam or microphone, direct you to a Web page with malicious content that is downloaded onto your computer, or even rig it up so you end up clicking "buy" instead of "cancel" on an e-commerce site.

Another thing that makes clickjacking so serious is that there really is very little that end users can do to protect themselves, Grossman said.

In the Web cam scenario, the best defense is probably to put a post-it note or other item over the Web cam lens and to disable the microphone in the software, he said. Flash Player 10 provides some protection by preventing anything from obscuring the security permissions dialogue box, he said.

Web site owners optimizing their sites for Internet Explorer 8 have the ability to prevent their pages from being framed, which means visitors to their site will be safe, but only on that site and only if they are using IE8, Grossman said.
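The IE8 control the article refers to is the X-Frame-Options response header (values DENY and SAMEORIGIN), which IE8 introduced; later browsers standardised the same idea as the Content-Security-Policy frame-ancestors directive, which takes precedence where both are present. The following is an added example, not code from the article or from any browser vendor: a checker that reads a response's headers and reports who may frame the page, plus the header set a site owner should send. The sample responses and the partner domain are constructed for the example.

```javascript
// Added example (not from the CBS/CNET article): evaluate and produce the
// response headers that stop a page from being framed by other sites.

// Return the frame-ancestors source list from a CSP header value, or null if the
// directive is absent. Quoted keywords ('self', 'none') are unquoted.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase().replace(/^'|'$/g, ''));
    }
  }
  return null;
}

// Classify who may embed this response in a frame, CSP first, then X-Frame-Options.
function framingPolicy(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const csp = h['content-security-policy'];
  if (csp) {
    const sources = parseFrameAncestors(csp);
    if (sources) {
      // 'none' (or an empty list) matches no ancestor, so framing is blocked.
      if (sources.length === 0 || sources.includes('none')) return { framable: false, by: [], source: 'csp' };
      return { framable: true, by: sources, source: 'csp' };
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return { framable: false, by: [], source: 'x-frame-options' };
    if (value === 'SAMEORIGIN') return { framable: true, by: ['self'], source: 'x-frame-options' };
    // Misspelled or non-standard values are ignored by browsers: no protection.
    return { framable: true, by: ['*'], source: 'x-frame-options (unrecognised value)' };
  }
  return { framable: true, by: ['*'], source: 'none' };
}

// Headers a site should send; allowSameOrigin keeps its own pages able to frame each other.
// Sending both covers IE8-era browsers (X-Frame-Options) and CSP-aware ones.
function frameProtectionHeaders(allowSameOrigin) {
  return {
    'X-Frame-Options': allowSameOrigin ? 'SAMEORIGIN' : 'DENY',
    'Content-Security-Policy': allowSameOrigin ? "frame-ancestors 'self'" : "frame-ancestors 'none'",
  };
}

// Constructed sample responses, keyed by scenario.
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  ie8Era: { 'X-Frame-Options': 'DENY' },
  partner: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example" },
  typo: { 'X-Frame-Options': 'DENNY' },
};

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name, JSON.stringify(framingPolicy(headers)));
}
```

The other 2009-era defense was a "frame-busting" script that compared the page's window with the top-level window and broke out of any frame; such scripts were later shown to be bypassable, so the header-based controls above are the approach to rely on.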

People using Windows and IE should disable JavaScript to help protect against clickjacking, he said. Firefox is safer; the NoScript add-on for Firefox not only lets people selectively block scripts, but it has a ClearClick feature designed specifically to protect against clickjacking, he added.

People should also log out of Web sites, like Facebook and Twitter, when they are done using them for the time being. "You can't be forced to do something on the site if you are not logged in," Grossman said.

More details are in a white paper on the technique, written by Grossman and Robert Hansen of SecTheory and published in September 2008. Grossman and Hansen coined the term in that document.

The authors canceled their talk on the subject at the OWASP (Open Web Application Security Project) conference that month at Adobe's request because their proof of concept revealed a bug in Adobe's software, according to IDG News Service.


©2009 CBS Interactive Inc. All rights reserved.
by aka_KJB May 25, 2009 9:22 PM EDT
This just happened to me today! Now I've got constant "Microsoft" alerts telling me to go buy some BS trojan / worm / malware program. I'd like to find every one of the people responsible and strangle them slowly by hand.
by stn_sage May 22, 2009 7:57 PM EDT
I'm less concerned about clickjacking and more concerned about all the illegal spying the various government organizations do upon one---while one is surfing the internet!

It slows down the paging tremendously, and when you're on a "board", their program slows down because it can't make the changes simultaneously as you make them in your writing---so it becomes apparent they are "on line" with you! And, your final writing often times reflects your original writing instead of the one with the corrections you made to it!

Hence, they can't monitor you WITHOUT interfering with what you are doing! Which, is not good because they aren't supposed to be spying on the public to begin with!
by gunownerdan May 22, 2009 4:01 PM EDT
Our votes have been hijacked by the 2 parties in charge for many years and nobody seemed to care.
by jjp735i May 22, 2009 2:22 PM EDT
My first thought after reading the story was: if Firefox has a way to block this from happening, why is Microsoft not updating a way to do so also? Just another reason to use a different OS.

If you disable JavaScript, many pages will not load correctly or show content. The plus of that is fewer ads.
by inachu1 May 22, 2009 12:34 PM EDT
Also those clicks made by Internet Explorer that imitate the same sound and action of a real mouse click. It is mostly used by the Windows Update feature.