
Clickjacking: Potentially harmful Web browser exploit

Clickjacking has the potential to redirect unknowing users to malicious web sites or even spy on them. We all need to be aware of clickjacking and how to avoid its trappings.

TechRepublic's Paul Mah made first mention of clickjacking in this Security News Roundup. At that time, security researchers Robert Hansen, founder of SecTheory, and Jeremiah Grossman, CTO of WhiteHat Security, weren't able to divulge a great deal about the vulnerability, as they were in talks with the major browser developers as well as Adobe. I'd like to personally commend them for making the choice to act responsibly and give developers time to fix the problems.

What is clickjacking?

Clickjacking takes advantage of the fact that a Web page isn't just two-dimensional. Web pages have virtual depth, and that's where clickjacking lives. Clickjacking abuses the ability to embed other content in a Web page so that the page responds to a click differently from what the user sees. The following quote from the researchers shows the extent and the variations of clickjacking that are possible:

"First of all let me start by saying there are multiple variants of clickjacking. Some require cross domain access, some don't. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don't. Some variants use CSRF to pre-load data in forms, some don't. Clickjacking doesn't cover any one of these use cases, but rather all of them. That's why we had to come up with a new term for it -- like the term or not. As CSRF didn't fit the requirements for clickjacking, we had to come up with a new term to avoid confusion."

For example, let's say I'm on what appears to be my banking Web site. I then click on a button that brings me to my accounts. The only problem is that button didn't bring me to my accounts; it brought me to a page that looks like my account or it carried out a completely different operation than what I expected. Robert Hansen gave an interesting example of what's possible with clickjacking:

"Say you have a home wireless router that you had authenticated prior to going to a legitimate web site. The attacker places a tag under your mouse that frames in a single button that could order the router to, for example, delete all firewall rules. That would give them an advantage in an attack."

The second example is more insidious as attackers wouldn't have to worry about mimicking or compromising legitimate Web sites.

Smile, you're on candid camera

You may have been wondering why I mentioned Adobe earlier. Well, they're in the middle of this vulnerability, too. Exploiting a vulnerable version of Flash Player software with clickjacking could allow the attacker to turn on computer-connected webcams and microphones, actually spying on the user.

This vulnerability is already out in the wild; Flash developer Guy Aharonovsky published a proof-of-concept (PoC) demonstration on his Guya.net Web site. The actual demonstration is currently disabled, but the video depicts how the attack occurs. There are several interesting comments and references to other articles about clickjacking on the Guya Web site as well.

TechRepublic editor Selena Frye's recent article "Flash Player 10 Performing Better on Linux, Mac OS" mentions several reasons why the new release is significant. Flash Player 10 is also significant because of the code Adobe recently added to eliminate the clickjacking vulnerability. In fact, in the security bulletin "Flash Player Update Available to Address Security Vulnerabilities" released on October 15, 2008, Adobe pointed out the only recourse users have is to update to version 10 of Flash Player. If you want to know what version of Flash Player is installed on your computer and where to download the latest version, you can do so at the Adobe Flash Player Web site.

More Clickjacking details

When Mr. Grossman and Mr. Hansen initially presented the details of this vulnerability, Adobe asked them to not go public with the exploit until they (Adobe) had a fix. With the release of the PoC on the Guya Web site and almost simultaneous release of Flash Player 10, the researchers finally didn't have any reason not to discuss the details of the vulnerability. You can read about all 12 issues at the ha.ckers.org Web site.

How to eliminate the vulnerability?

The one obvious fix is to update to Flash Player 10 if at all possible. As for Web browsers, it's more difficult. If you're using Firefox, I'd suggest upgrading to version 3 and installing all the latest patches. You may have heard me mention NoScript before. Giorgio Maone, the developer of NoScript, has been in contact with Mr. Grossman, and both are of the mind that NoScript will in almost all cases prevent clickjacking attacks. The only problem is that NoScript isn't intuitive, and a majority of users will get frustrated with it almost immediately.

As for other browsers, Giorgio Maone published "Clickjacking and Other Browsers (IE, Safari, Chrome, and Opera)" on his Hackademix.net Web site, where he explained what, if anything, can be done to prevent clickjacking attacks while using IE, Safari, Chrome, or Opera.
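The defenses above are all on the browser side. As an added example, not code from the article, TechRepublic, or the NoScript project, here is the server-side counterpart that browsers standardised after this article was written: a checker that applies the X-Frame-Options and Content-Security-Policy frame-ancestors rules to a page's response headers and reports whether an iframe on another origin could embed the page at all. The header values and origins (bank.example, partner.example) are constructed for the example.

```javascript
// Added example, not from the article: decide whether a browser would let
// pageOrigin be displayed inside a frame owned by framerOrigin, given the
// page's response headers. Framing is what the iframe-overlay clickjacking
// variants rely on, so "allowed" against a hostile origin is the finding.
// Origins are "scheme://host[:port]" strings; all sample values are constructed.

const DEFAULT_PORT = { https: '443', http: '80' };

// Split a frame-ancestors host-source such as "https://*.partner.example:8443"
// into parts. A path component is dropped; this example checks origins only.
function parseHostSource(src) {
  let scheme = null;
  let rest = src;
  const i = rest.indexOf('://');
  if (i >= 0) { scheme = rest.slice(0, i); rest = rest.slice(i + 3); }
  const slash = rest.indexOf('/');
  if (slash >= 0) rest = rest.slice(0, slash);
  let port = null;
  let host = rest;
  const c = rest.lastIndexOf(':');
  if (c >= 0) { port = rest.slice(c + 1); host = rest.slice(0, c); }
  return { scheme, host, port };
}

// "*.example.com" matches any subdomain but not example.com itself.
function hostMatches(pattern, hostname) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1);
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// Match one frame-ancestors source expression against the framing origin.
function sourceMatches(srcExpr, framerOrigin, pageOrigin) {
  const s = srcExpr.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framerOrigin === pageOrigin;
  if (s === '*') return true;
  const o = new URL(framerOrigin);
  const oScheme = o.protocol.slice(0, -1);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return o.protocol === s; // scheme-source, e.g. "https:"
  const src = parseHostSource(s);
  const pageScheme = new URL(pageOrigin).protocol.slice(0, -1);
  if (src.scheme) {
    if (src.scheme !== oScheme) return false;
  } else if (!(oScheme === pageScheme || (pageScheme === 'http' && oScheme === 'https'))) {
    return false; // no scheme in source: same scheme as the page, or an https upgrade
  }
  const oPort = o.port || DEFAULT_PORT[oScheme] || '';
  if (src.port === null) {
    if (o.port !== '') return false; // no port in source: only the scheme's default port
  } else if (src.port !== '*' && src.port !== oPort) {
    return false;
  }
  return hostMatches(src.host, o.hostname);
}

// Returns { allowed, decidedBy }. A CSP frame-ancestors directive, when present,
// takes precedence and X-Frame-Options is ignored, as browsers do. Only the
// top-level framer is checked here; browsers walk every ancestor frame.
function framingDecision(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const page = pageOrigin.toLowerCase();
  const framer = framerOrigin.toLowerCase();

  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(d => d.trim())
    .find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1); // an empty list behaves like 'none'
    const allowed = sources.some(src => sourceMatches(src, framer, page));
    return { allowed, decidedBy: 'frame-ancestors' };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, decidedBy: 'X-Frame-Options' };
  if (xfo === 'SAMEORIGIN') return { allowed: framer === page, decidedBy: 'X-Frame-Options' };
  // ALLOW-FROM and any unrecognised value are ignored by current browsers, so the
  // page stays framable; a missing header is the clickjacking-prone default.
  return {
    allowed: true,
    decidedBy: xfo ? 'X-Frame-Options (unrecognised value, ignored)' : 'no framing policy',
  };
}
```

Run `framingDecision` with the page's own origin as `pageOrigin` and an origin you do not control as `framerOrigin`; `allowed: true` means the page has no framing protection.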

Final thoughts

It's still early in the discussion stage, so the fallout from clickjacking is hard to predict. Most experts believe clickjacking is a big deal and can only be truly rectified by redesigning the browsers. What I find more alarming is the following quote by Mr. Hansen:

"When Jeremiah and I were looking at clickjacking, we found all kinds of random browser bugs, tons of bugs and a mess load of flaws. A lot of them were unrelated to clickjacking. But as other researchers start looking at clickjacking, they'll find their own interesting bugs."

That's not a very comforting thought, but I'm glad they're looking.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

95 comments
Michael Kassner

I have a few updates about clickjacking that might be of interest. First I have a link to a web site that has an active demonstration of how clickjacking actually works: www.planb-security.net/notclickjacking/iframetrick.html#really Second, I wanted to pass along some information about NoScript. I just recently found out that even if you disable NoScript (allow all web sites) the ClearClick application will still protect you from clickjacking. That's a really good thing for users that don't want to be bothered by NoScript asking whether to allow the web site or not.

Michael Kassner

Is everyone updating to Flash Player 10? Forgive my harping about this, but I'm concerned as no one is discussing it and the Adobe vulnerability is a viable clickjacking PoC exploit that's out in the wild.

fatman65535

While 'No Script' does an outstanding job of stopping scripts; sometimes a good approach is to block crap so that it does not even get on to your machine. For that, I use Ad Blocker Plus, another Firefox addon. With it, I can block content from any part of a site; to COMPLETE sites. Example, before I opened this browser session, I had reset the 'hit' statistics. The two sites with the most hits and junk blocked in this session are adlog.com.com/* at 87 hits, and i.i.com.com/*/Ads/* at 86 hits. Other sites that generate a lot of hits are: 2o7.net, akamai.net, atdmt.com, doubleclick.net, google-analytics.com, googleadservices.com, and googlesyndication.com. Then, there is Ad Blocker Plus Element Hider, which, once you get the 'hang' of it, will allow you to "seek out and destroy" undesired junk. Find an objectionable ad on your web page, a few clicks, and it is never seen again. You have no idea how much better some sites are, when free of obnoxious crap. A good example is this page itself. Most of you have "stuff" to the right of the text. I do not, it is all hidden, thanks to the use of element hiding rules. No Script and Ad Blocker Plus are 2 reasons why I will NEVER go back to using Internet Exploder.

d_g_l_s

can be averted by using a secure password on the router. Without a login to the router it can't be accessed. Too many of my clients are still using the default password and have even found one without any password. Simple to fix. I try to teach all my clients how to create and maintain their secure passwords.

Michael Kassner

I forgot to mention that Network Security has a great podcast about clickjacking. The reporters talked to both Robert Hansen and Jeremiah Grossman about clickjacking. Just remember that the podcast was recorded before the PoC was released so the two were hesitant to reveal anything that would exacerbate the problem. http://netsecpodcast.com/?p=107

Doug Vitale

Mr. Kassner, I agree with your assessment that "The only problem is that NoScript isn't intuitive and a majority of users will get frustrated with it almost immediately." I was one of those users who found NoScript to be such a hassle that I stopped using it altogether. Given this new "clickjack" threat, I might have to reinstall and try to live with it again. There is another anti-malware tool, RemoveAdmin, that forces browsers to launch without administrative privileges even when the user is logged on as an administrator. I am curious as to whether this measure would halt clickjacking in its tracks. From the product description: "This installer installs a small proxy program and corresponding shortcuts for Firefox and IE that will remove administrative rights when launching either Web browser, respectively. After installation, completely quit from the browser you are using, then launch it with the "Secure" shortcut. Now go to your favorite Web page, right click, "View Source", then try to save the corresponding HTML (imagine it is rogue code) in a sensitive area, e.g., C:Windows. You will be unable to do so. This program removes administrative rights when launching your browser." http://downloads.zdnet.com/abstract.aspx?kw=removeadmin&docid=356369

Humberto Jemma

Are you sure? Did you test it? This would be great!

d_g_l_s

for me as I have to get to my clients and help them get this updated. Most of them are not able to handle the full steps of uninstalling and reinstalling to get this accomplished. As I've said before, thanks for reminding us of this.

Neon Samurai

I was hopeful after reading that they had "fixed the issues with Flash Player on Linux based OS" until I saw that there is still no 64bit build. I downloaded the 32bit build and tried to run it through nspluginwrapper but all I get is a blank box where the flash object should appear. The browser does not ask to download the plugin every time I go to youtube but the plugin also does not load and display. Hey, Adobe, what's the problem? You take the 64bit libraries and compile against those instead of the 32bit libraries. You are obliged to do so by your own success in making Flash a part of every website. "just install the 32bit browser on your 64bit OS" is not an acceptable bug fix.

JD@Tassie

Just updated to Flash 10 thanks to this topic. Thanks for the heads-up! Other than that I should be ok as I've been using FF3 since final and NoScript since 1.5 (I think...a long time anyway!) Another question though. On the work PCs a lot of other staff use IE (I've tried to convert them - I also tried blocking use of IE but got too many complaints). I haven't bothered to update the machines to IE7. Should I from a security perspective? Final question, with IE (and FF too I guess), does a Flash update remove the previous version or should I uninstall all versions prior to update?

Greenknight_z

Been using Flash 10 since it was a RC. As for AdBlock Plus - it's a more troublesome extension, from what I see on the support forums. Flash content is what really slows Firefox down, anyway.

d_g_l_s

post in that some don't realize that the default setup for Linksys is a password of admin and D-Link is worse by not even providing a password. We techs need to be on top of this kind of simple setup and teach our clients how simple and yet how important it is to have this secured. Scare them a bit if you have to or you might lose your job if they blame you after the fact.

Michael Kassner

I think this attack could take place when you are personally logged in to the router. The button you click could conceivably do something totally opposite from what you expected.

btljooz

I went to Cnet's Download.com page and tried to download this thing and my Avast AV cried like never before! X-(

Michael Kassner

NoScript is pretty unique as it's an in-browser security enhancement. RemoveAdmin belongs to an entirely different (and highly populated) class of security software e.g., sandboxes and privilege downgraders. They're helpful in limiting the damage when some malware *evades* your browser, by preventing the malware from messing with your local filesystem. They're completely useless against *in-browser* threats like ClickJacking, XSS (cross-site scripting), or CSRF (cross-site request forgery). Against those types of attacks there's nothing placed outside the browser that can help. One recourse would be web site developers implementing better server-side security, which at this time doesn't appear to be happening. So, for now NoScript is the only complete defense available to end-users.

The 'G-Man.'

The example states: "Say you have a home wireless router that you had authenticated prior to going to a legitimate web site. The attacker places a tag under your mouse that frames in a single button that could order the router to, for example, delete all firewall rules. That would give them an advantage in an attack." The firewall / router is not part of the PC so this would not help.

Michael Kassner

As several of the members suggested, NoScript takes getting used to. I'm starting to, but I see where it will be a total pain to most users and they will disable it. As for Remove Admin, I'll try to find out if that's accomplishing the same thing. I'm by no means an expert, so I'm partially guessing when I say that I don't think it is. Clickjacking relies on IFrames and I believe that will still be enabled. I will try to ask this question of Giorgio, the NoScript developer, and see what he has to say. Thanks for sharing your information. Also don't forget about upgrading to Flash Player 10; to me that's a simple task. I'd hate to have someone watching or listening to me.

Michael Kassner

This is a quote from Giorgio: "I would add that, even if NoScript in its default configuration plus "Forbid " already defeated all ClickJacking attempts, latest NoScript versions (1.8.2 and above) added a specific anti-ClickJacking technology called "ClearClick" and working independently from content blocking (yes, even if you've got "Allow scripts globally", provided that you check the [x] trusted ClearClick option)." I hope that helps.

Michael Kassner

Could you let us know how it goes? I for one would be very interested to hear how the users react to it.

Michael Kassner

When I updated some clients to IE 7 or Flash Player 10, I didn't remove the earlier versions. I could be wrong, but I don't remember reading anything saying specifically that they needed to be removed first. Your users will like IE7 much better simply from the tabs. The phishing filter will be a pain until they get used to that though. Are you running the latest version of NoScript? If not you should as it uses a different method (ClearClick) to avoid the problem I mentioned in the article. Giorgio did that so legitimate IFrame web pages will work correctly.

Michael Kassner

You have to explain that. I doubt that you aren't using Flash Player. Forgive me if I'm wrong.

Michael Kassner

I guess the Flash Player exploit may be old news to the members. It is a relatively easy and useful update. It would just be kind of creepy if you found out that someone was watching or listening to you via your computer.

fatman65535

About a year ago, I heard of something called a 'drive by router attack'. It sounds somewhat similar to what you are speaking about. The attack that I heard about involved a rigged web page that attempted to determine the manufacturer of your router and crash it by using its default password to gain access. What made this attack more dangerous is that it came from the user's PC, behind the firewall. You could have disabled the setting to allow internet side access to the router's setup page; but you have to be able to gain access in order to maintain it. I told everyone I knew that has these inexpensive routers to CHANGE THE PASSWORD immediately. In fact to get the point across to one person, I asked him to obtain his IP address, and come over to my place. I had entered his IP address in my browser, and I was displayed the router's setup page. That is when he realized how much damage I could have done. For those who lamented: "I could forget the password"; my response was to use the serial number of the router, or put an adhesive label on the bottom of the router with the password. How hard can that be????

d_g_l_s

people log onto the router and are active on the internet at the same time? Sure am thankful you and others involved in this uncovering have brought this all to our attention. Many thanks to you.

JCitizen

if they issue a fix. Avast has sensitive enough heuristics it should complain. Remove Admin is new enough to duck under the radar of many AV companies. It seems to surprise many of them when customers submit files for processing; which I always found rather curious?

JCitizen

with the depth that Internet Explorer has access to the kernel. Would running with restricted privileges augment this anymore than it does already?

Michael Kassner

Giorgio has been kind enough to contact me and will either answer the question raised or tell me and I'll pass them along. That's very cool on his part, I'm impressed.

JCitizen

I haven't had the guts to download RemoveAdmin yet. The concept is very attractive if it works. I know my clients are ready to try it anyway out of desperation; I will gather reports as soon as possible.

Michael Kassner

I personally don't have any x64 equipment, so I don't know the answer. I'll try to find out though.

JCitizen

I'm really getting behind on the news; my project keeps me very busy plus add on clients. I will have to try all this with FF and see if x64 Vista throws any wrenches in the works!

Michael Kassner

I'm having other issues with NoScript that I'm not liking. It really slows my browser down, but I suspect that's because I'm using FF3 portable.

Michael Kassner

In a series of tests, I've come to the conclusion that it's WoT. I have NoScript installed and the load and reload are normal speed. If I install WoT, FF 3 portable slows down to an unacceptable rate. If I uninstall FF3 and all the add-ons and reinstall FF3 plus NoScript, it works at what I consider an acceptable load rate. Interesting to say the least.

Humberto Jemma

In my experience, there's no slowdown, but I never used FF3 portable. It's intriguing, anyway, because it's not what I expected. As far as I know, NoScript checks links to other pages in the foreground, while the main page is being loaded, so there could be some slowdown. But WoT checks these links in the background, after the main page is loaded. I didn't expect any slowdown, here. It could be the way FF3 portable handles page caching. Does anyone have any ideas?

Michael Kassner

Have you seen any page loading slow-down due to NoScript or WoT? I use FF3 portable, and NoScript and WoT really slow it down. For instance, when trying to scroll down some of these long comment sections, the browser stops about half way through and then resumes after about 3 seconds. Disabling or uninstalling NoScript and WoT changes nothing. I have to delete and reload FF3 portable. Then the page scroll works fine. I was curious if you have seen this or have any ideas?

d_g_l_s

the issues some may have with using NoScript, but there is also the issue of inertia. People don't want to change so changing from IE to FireFox is just as hard as introducing the NoScript.

Michael Kassner

I live by Secunia as well. I ran the scan and came up with the same results. So, I'm sorry for misleading you. Flash has some misleading information at their web site. I also suspect that they aren't as security conscious as Secunia. Thank you for clearing that up.

JD@Tassie

Thanks for the info about uninstalling old flash. But for your interest, I have just checked my system (with flash 10) at home with a handy tool from Secunia called Personal Software Inspector (http://secunia.com/vulnerability_scanning/personal/). It detects that old unsecure flash plugin components are still in my system32 folder. I double-checked my flash version (http://www.adobe.com/shockwave/welcome/) and it is v10.0.12.36. I ran the flash uninstall utility and reinstalled v10 and it's fine now. I always update NoScript to the latest version (it auto checks plugins at Ff startup). I have just updated Ff to 3.0.3 as well (I was running 3.0.1). Will download IE7 later today and install that too.

Tony Hopkinson

:D You have not got Flash player installed, Click here to install it now. NO ! Nasty 'orrible bandwidth hogging, wasteful, inefficient, buggy, and a virus magnet. Don't need it, not having it.

d_g_l_s

routers which has been covered in other posts. This one is about attacks through your web connection, even without a wireless.

JCitizen

that the really sophisticated execution files such as this recognize a login session just like a lot of password vaults do. If the user ID is Admin, this would be the tipoff for the less complicated ones. Most of them would simply start attempting HTTPS logins in the background to gain access to the simple settings like "password" for the factory defaults of known makes and models of routers. The more sophisticated would simply start a routine that keys the control/commands of known webpage or command line controls for common routers; after any successful HTTPS logon session. I am kind of slopping this together from bits and pieces I read about known attacks, what has happened to me, and forums/articles about the subject.

Michael Kassner

I think that might work as the executable would just have to be cognizant of the fact that the router is typically the default gateway.

JCitizen

could lurk around for a while, if not discovered by your AV/AS defenses, and attack the router upon login. I know I log into mine regularly enough, this makes me nervous. Fortunately when I see the syslogs picking up egress attempts (in real time), I am able to thwart most threats. I also hope my GPL version and vendor is weird enough, the malware isn't coded to recognize it.

Michael Kassner

How the rollout works. I would be very curious to learn how the users deal with it.

d_g_l_s

due to the fact that you and the others on this Forum have done an excellent job of presenting this and with the automatic setup of Giorgio's latest version it's quite simple to work with. I shall be contacting my clients and helping them upgrade their security in this regard. Thanks.

Michael Kassner

Your comments are very much appreciated. Also, stay tuned. Giorgio (the NoScript developer) has contacted me and will respond personally to several of the members' questions or tell me and I'll pass on his answers. Very cool.

JCitizen

I've put my linux project on the back burner trying to migrate to Vista x64. You have to use Windows if you want open cable compliant capability. Isn't that a hoot? Hollywood uses Windows Media Center to run their DRM, but the code for QAM is open source!

btljooz

I'll look into the link you provided Michael. And JC, long ago ...as in several *years*... I did pick up viruses from CNET on several occasions. But that was before (and probably why) they started scanning/checking what was offered on their site (possibly, I wasn't the only one). That's why I try to go straight to the vendor's site to acquire my zip files directly from the "horse's mouth". The fact that CNET does now scan for garbage is also why it took me by surprise that Avast cried like it did. At this time I have a problem with something related to that XP Antivirus malware thing that I'm in the midst of dealing with. I made the colossal mistake of using the XP box to do some research with, evidently landing on an infected site. As soon as I have the time to continue the process and see that that problem is solved, I'll try the same thing I did before to see if Avast cries yet again. Right now I'm on my PCLinuxOS 2007 laptop. B-) EDITED: Tried to make the msg a bit more clear.

Michael Kassner

I know that Symantec asks you how many levels you want inspected so that has an impact as well.

JCitizen

sometimes the zipfile is important to be recognized, as the AV only has a few milliseconds to react to it before the payload injects into the session. I submit files of every kind to the respective vendors, it really does make a difference. I commonly only wait about a week or two before an update fixes the problem. I have NEVER had a problem installing any file from CNET (download.com), FileHippo, Softpedia, or MajorGeeks, to name a few. Using only trustworthy sites named in reputable forums such as Tech Republic can get people going until they learn to trust other sites through time and experience. Site Advisor and watching the green URL listed under search links can keep one out of trouble too. At least when Google keeps their site cleaned up. Remove admin is just one of many in depth defenses one can use. Many of my clients refuse to give into the malware crackers and give up their web functionality. Operating as a restricted user can probably be more effective, until you are ready to actually download something for administrative purposes.

btljooz

Avast cried when I simply tried to download the zipfile of the program. I never install a prog directly from a website unless I'm absolutely forced to. I always simply 'grab' the zip of a prog so I can install it in either Safe Mode ~OR~ with all apps in msconfig shut off during installation. So, you think I should try downloading the zip again and then send the info to Alwil should Avast cry yet again? ?:| I really do try not to take any unnecessary chances on getting my computer infested. That's why I reacted like I did. :8} In addition, if Remove Admin doesn't address clickjacking what is it good for? What exactly does it do? How does it do it? How does that protect a computer from what? ?:| ?:| ?:| Thank you for that suggestion and thank you in advance for any answers you may be able to give me regarding my questions. :)

Michael Kassner

Clickjacking is all about the browser and user rights aren't really involved with the attack vector.

Master G

About the router firewall - Unless you already have form of clickhijacking feature or some sort of listener embedded and running within your browser it can be done. So if it runs a script that does many things and one on its list is to check router username and password information for default security - if not found then it just needs to find your default gateway to get your router so it's easy for an embedded app to do that. Once found, clickhijack will wait until you decide to access your router and listen for your keys just a keylogger would do. Then it can use that information to disable any security features. That's one of the things is doing while other part of the clickhijack program listens to other clicks, monitoring any access and checking for secure sites to fake any login page. Thanks for the Michael, very interesting.

JCitizen

this post. Remove admin would at least be a part of an in depth defense. Some of the test pages I go to, don't work because I have registry firewalls for known exploits like those, or even if the attack redirect is successful, one of my host file or re-direct blocks keeps me from being sent to the malicious server. This does nothing for new threats of course; but my clients insist on web-functionality and I play in the minefields to see how to mitigate or minimize the damage for them.

Michael Kassner

Giorgio mentions in a later post that Remove Admin would not help in this case. I suspect it has many other interesting possibilities.