Clickjacking 2.0 with drag & drop

At the Black Hat Europe hacker conference that has just concluded in Barcelona, British IT security expert Paul Stone demonstrated a new generation of clickjacking attacks. Clickjacking involves a crafted web site inserting a transparent iFrame underneath the cursor. Believing themselves to be clicking on the displayed web page, users in fact find themselves clicking on control elements (e.g. buttons) on a transparent iFrame from another website.

Stone's demos are not limited to clicks – he can also enter text into forms or read documents opened in the victim's browser or the page source. Stone makes use of the drag and drop API provided by modern browsers such as Internet Explorer, Firefox, Chrome and Safari. Rather than getting victims to click on specific locations, Stone gets users to drag objects or text from visible windows into an invisible iFrame.

This could, for example, become relevant where a user is logged into a social networking site and opens another page from the site in an invisible frame, into which the user then unknowingly places content. According to Stone, the browser's same origin policy would not spring into action in this scenario, as elements would be being moved from one site to the next with the user's involvement. Using this method, Stone can circumvent restrictions such as those aimed at preventing cross-site request forgeries.

Conversely, drag and drop can be used to copy or move content from an open window into an attacker's invisible window. According to Stone, this could in principle by used to access a web site's HTML, which could include a session ID or authentication token. This would allow an attacker to hijack a complete session.

The attacks become even more crafty when Java and JavaScript are thrown into the mix. According to Stone, Java's drag and drop API is more powerful than the browser's. Attackers can, for example, dispense with marking text by dragging, instead requiring just a single click. By combining the attack with JavaScript, it is possible to issue the drag command whenever you want – even when the cursor is not over the Java applet or when the user is not holding down the left mouse button.

Java also makes it possible to fill in a form much more quickly. Instead of waiting for a mouse movement and a click for each field, an attacker can fill in all fields on one fell swoop. 'Spraying', as this has been dubbed, works in Windows and Mac OS X, but not in Linux.

This kind of attack can be thwarted by the trusted site's web server sending an "X-FRAME-OPTIONS: DENY" header to the browser, which prevents the (invisible) page from being displayed in a frame. However, only very recent browser versions, such as Internet Explorer 8, Safari 4 and Chrome 2, are aware of this option, although Firefox will include it in a future version. Stone points out that high traffic sites such as facebook.com, googlemail.com and twitter.com are now protected against clickjacking, though not, according to experts, the mobile versions of these sites, which are optimised for smartphones.

Stone has published a tool to help developers better understand how clickjacking works. The tool illustrates the modus operandi of several attacks, both older and more recent, by means of a specially created website.

See also:

• Clickjacking problem in browsers persists, a report from The H.
• Popular browsers continue to be vulnerable to clickjacking attacks, a report from The H.

Uli Ries

(Uli Ries / crve)