Saturday, July 9, 2011

Clickjacking Attacks Unresolved

Clickjacking attacks were originally described by Robert Hansen and Jeremiah Grossman in 2008 [1][2]. In these attacks, the attacker tricks the user into interacting with a malicious web page, but routes the user’s input to another web page that would result in undesirable consequences. A commonly used technique is to embed the targeted web page with a completely transparent IFRAME and lure the user to click on it unintentionally. There are plenty of known variants demonstrated by researchers, with or without JavaScript [3].

Clickjacking seems to have caught more attention since the exposure of widespread real-world exploits, including Tweetbomb [4] and Likejacking [5] worms. These attacks trick users to share malicious links to their friends, which quickly propagates across the social network. There are many potential consequences of clickjacking such as allowing click frauds or performing online payment, although the impact of these attacks in the wild is less clear. One concerning clickjacking PoC [6] allowed accessing the user’s webcam via Flash Player, fortunately this specific vulnerability has been fixed by Adobe.


No comments: