In association with heise online

19 January 2010, 13:57

Clickjacking problem in browsers persists

A new demo exploit proves that browser vendors still haven't found an effective way of protecting users against clickjacking attacks. Clickjacking involves positioning an element such as a transparent iframe underneath the visitor's mouse pointer on a specially crafted web page, so that a click on an apparently innocuous item actually performs an action the user did not intend.

The demo exploit now published by Israeli programmer Narkolayev Shlomi impressively demonstrates the problem in Facebook. The user is led to believe they are clicking on a harmless link on a web page; the click instead adds an app to the user's Facebook account. Victims must be logged into Facebook for the attack to succeed, but that is a very common scenario.

Similar attacks were launched on services such as Twitter last year. The effect of a clickjacking attack resembles that of a cross-site request forgery attack (XSRF), but the two methods are fundamentally different, and clickjacking is not as easily prevented. With XSRF, having the server embed an unguessable, user-specific token into the URL is enough to render most attacks ineffective. With clickjacking, on the other hand, no comparable server setting provides protection.

According to US media reports, Facebook intends to counter such attacks with blacklists that prevent links to specially crafted web pages from being spread through the social network. However, this approach does not address the underlying problem: clickjacking, which was discovered more than a year ago, affects many other web pages and their users as well.

Under Firefox, the NoScript plug-in detects clickjacking attacks and blocks them with its protective ClearClick mechanism. Internet Explorer is also generally vulnerable to clickjacking, although Microsoft built a passive anti-clickjacking feature into IE version 8: the web server of the trusted page must add "X-FRAME-OPTIONS: DENY" to the response headers it sends to the browser to prevent the page from being displayed in a frame. This makes it impossible to superimpose that page as an invisible or transparent item on a specially crafted web page.

If a page doesn't send this header, however, there is no protection. How many web server operators and web interface developers already include this proprietary header remains unknown.
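As an added illustration (not code from the article or from any of the vendors it mentions), the following Python shows both sides of the header mechanism described above: a small WSGI middleware that adds "X-Frame-Options: DENY" to every response, and an audit helper that classifies a response's headers as protected or not. The sample app, the function names and the test harness are all assumptions made for this example.

```python
# Added example, not part of the article: add and audit the X-Frame-Options
# header that IE8 honours to refuse rendering a page inside a frame.
from wsgiref.util import setup_testing_defaults


def framing_policy(headers):
    """Classify framing protection from a list of (name, value) header pairs.

    Header names are case-insensitive, so "X-FRAME-OPTIONS" (as the article
    writes it) and "X-Frame-Options" are treated alike. Returns one of
    "deny", "sameorigin", "unprotected" or "invalid".
    """
    values = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    if not values:
        return "unprotected"   # no signal at all: the browser will frame the page
    if len(values) > 1:
        return "invalid"       # conflicting headers: a browser may honour neither
    if values[0] == "DENY":
        return "deny"
    if values[0] == "SAMEORIGIN":
        return "sameorigin"
    return "invalid"           # unknown token (e.g. a typo) gives no protection


def deny_framing(app):
    """WSGI middleware that sets 'X-Frame-Options: DENY' on every response."""
    def wrapped(environ, start_response):
        def start_with_header(status, headers, exc_info=None):
            # Drop any existing value so exactly one, unambiguous header is sent.
            headers = [h for h in headers if h[0].lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", "DENY"))
            return start_response(status, headers, exc_info)
        return app(environ, start_with_header)
    return wrapped


def unprotected_app(environ, start_response):
    """Constructed sample app: a settings page that sends no framing header."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body><form action='/settings'>...</form></body></html>"]


def response_headers(app):
    """Run a WSGI app once against a test environ and return its response headers."""
    environ = {}
    setup_testing_defaults(environ)
    captured = []
    app(environ, lambda status, headers, exc_info=None: captured.extend(headers))
    return captured


if __name__ == "__main__":
    print(framing_policy(response_headers(unprotected_app)))                # unprotected
    print(framing_policy(response_headers(deny_framing(unprotected_app))))  # deny
```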
