Clickjacking attacks use visual deception to persuade website visitors into clicking on user interface components that trigger actions on a different website. In 2008, security researchers Jeremiah Grossman and Robert Hansen introduced the term 'clickjacking' after finding vulnerabilities in Adobe's Flash player. This article explains how a clickjacking attack works, what it is used for and which forms it takes, and provides strategies for prevention.
What is Clickjacking?
Clickjacking is a deceptive method used by attackers to manipulate users into clicking on webpage elements without their awareness. This is achieved by overlaying transparent layers on seemingly harmless elements, which can mislead users into unintentionally taking actions that pose security threats.
For example, a user might be enticed by a website offering a tempting prize. When the user clicks on a button to claim the prize, their click is covertly used to make a purchase on an e-commerce site. Typically, this exploit involves concealing the user interface of the target website and positioning the visible interface in a way that obscures the user's awareness of clicking on the target site. This type of attack is commonly referred to as UI redressing or a UI redress attack.
What Purposes Does Clickjacking Serve?
Clickjacking attacks extend beyond simply redirecting cursor clicks. They can also be utilized to acquire information, illicitly transfer funds, intrude on user privacy, and achieve other actions such as:
- Acquiring login credentials (passwordless authentication methods can mitigate this risk)
- Illegally transferring money
- Making unintended purchases
- Revealing user location
- Activating a user's microphone or camera
- Downloading malware
- Garnering additional social media followers (known as likejacking)
- Stealing browser cookies (referred to as cookie jacking)
- Accessing files stored on the user's hard drive (known as file jacking)
How Does a Clickjacking Attack Work?
Hidden Elements: The attacker designs a malicious webpage containing invisible elements or elements positioned off-screen.
Overlaying Targeted Website: These invisible elements are then layered over a seemingly harmless or enticing section of another website, referred to as the target website.
Deceptive Content: These concealed elements might cover buttons, links, or interactive features of the target website, leading users to believe they are interacting with genuine content.
User Interaction: When users visit the attacker's webpage, they are unaware they are actually interacting with invisible elements placed over the target website.
Unintentional Clicks: Users, thinking they are engaging with visible content of the target website, may click on buttons, links, or perform actions without realizing they are interacting with transparent or hidden elements from the attacker's page.
Exploiting Trust: Clickjacking exploits the trust users have in the appearance and functionality of familiar websites. Users assume they are interacting with legitimate elements of the site, unaware of the manipulation.
Concealing Malicious Actions: Attackers use clickjacking to deceive users into unknowingly executing actions on the target website, such as making unauthorized transactions, altering account settings, or divulging sensitive information.
iFrame Embedding: Clickjacking often involves embedding the target website within an invisible iframe on the attacker's page. This setup allows the overlay of elements from the attacker's page onto the target website.
Camouflaging Attacks: Attackers can disguise clickjacking elements to blend seamlessly with the target website, making it challenging for users to detect malicious activity.
Potential Exploitation: Depending on the attacker's objectives, clickjacking can be exploited for various purposes, including distributing malware, stealing sensitive data, initiating unauthorized actions, or generating fraudulent clicks for advertising purposes.
Types of Clickjacking Attack
Likejacking: Likejacking involves deceiving users into clicking a concealed "Like" button on social media platforms, like Facebook. This can result in unintended endorsements of content, the propagation of malicious links, or the boosting of specific posts' popularity.
Cursorjacking: Cursorjacking manipulates the user's cursor position to induce interactions with unintended elements. This can lead to actions such as inadvertent clicks, form submissions, or interactions with hidden content.
Filejacking: Filejacking exploits the file input feature in HTML forms. By overlaying a transparent layer over a file input button, attackers can trick users into unknowingly selecting and uploading files.
Cookiejacking: Cookiejacking is a UI redress attack aimed at stealing a user's cookies. By manipulating the user into performing a drag-and-drop action on a webpage, attackers can access and exploit the victim's cookie data. This allows them to impersonate the victim and perform actions on websites as if they were the legitimate user.
Clickjacking Threats to PayPal: Exploiting Money Transfer Services
In 2022, security researcher H4x0r_dz disclosed a vulnerability in PayPal's money transfer service that could enable attackers to deceive victims into making unauthorized transactions through clickjacking techniques.
This method involves manipulating users into interacting with seemingly harmless elements on a webpage for malicious purposes, such as downloading malware, redirecting to harmful sites, or divulging sensitive information.
The researcher identified a flaw in a PayPal endpoint (paypal[.]com/agreements/approve) originally intended for billing agreements. Contrary to its intended use of processing only billingAgreementToken tokens, the endpoint also accepted a different type of token.
Exploiting this vulnerability, an attacker could embed a specific iframe that, when interacted with by a logged-in user, could trigger the transfer of funds to an account controlled by the attacker with a simple click of a button.
How to Prevent Clickjacking?
Protecting your website from clickjacking attacks involves both client-side and server-side strategies.
Client-side Prevention:
On the client side, there are several methods to prevent clickjacking, all focused on browser security.
Intersection Observer API: Most modern browsers support the Intersection Observer API, which detects the visibility of elements on a webpage. This can help identify if content is being invisibly manipulated within an iframe.
Browser Add-ons: Tools like NoScript and NoClickjack are available as browser add-ons to defend against clickjacking, although their compatibility varies across different browsers.
Frame Busting: Frame busting utilizes JavaScript to prevent a webpage from loading within an iframe, even on older browsers that may not support newer prevention methods like the Intersection Observer API or HTTP headers.
Server-side Prevention:
From the server side, implementing multiple prevention methods strengthens defenses against clickjacking.
X-Frame-Options Header: Adding the X-Frame-Options header to HTTP responses allows servers to dictate whether a webpage can be displayed within an iframe. Options like SAMEORIGIN and DENY restrict framing to the same origin or disallow it entirely, respectively.
Frame-ancestors Directive in Content Security Policy (CSP): As part of Content Security Policy (CSP), the frame-ancestors directive controls which domains can embed framed content. It supersedes X-Frame-Options in modern browsers when both are present.
SameSite Cookie Attribute: While primarily used to prevent cross-site request forgery (CSRF), the SameSite attribute on cookies also mitigates clickjacking: the browser withholds the site's cookies from requests made in a cross-site context, such as from a page framed by another site, so a hijacked click on the framed page is not carried out with the victim's session.
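The header logic above, as an added example that is not part of the original article: one function builds the X-Frame-Options and CSP frame-ancestors headers for an outgoing response, and a second one applies the browser precedence rule (frame-ancestors wins over X-Frame-Options when both are present) to decide whether a given embedding origin may frame the page. The origins used are constructed placeholders.

```python
# Added example, not the article's code: build the anti-framing headers described
# above for an outgoing response, and decide framing the way a modern browser does
# (CSP frame-ancestors takes precedence over X-Frame-Options when both are present).

def add_anti_framing_headers(headers, allowed_origins=()):
    """Return a copy of `headers` (list of (name, value)) with framing restricted.
    allowed_origins: origins permitted to frame the page; empty means deny all.
    X-Frame-Options cannot express an allow-list, so it degrades to SAMEORIGIN for
    legacy browsers while the CSP directive carries the precise policy."""
    if allowed_origins:
        fa, xfo = "frame-ancestors 'self' " + " ".join(allowed_origins), "SAMEORIGIN"
    else:
        fa, xfo = "frame-ancestors 'none'", "DENY"
    out, csp_seen = [], False
    for name, value in headers:
        if name.lower() == "x-frame-options":
            continue                              # replaced with ours below
        if name.lower() == "content-security-policy":
            csp_seen = True                       # keep existing directives, append ours
            value = value.rstrip("; ") + "; " + fa
        out.append((name, value))
    if not csp_seen:
        out.append(("Content-Security-Policy", fa))
    out.append(("X-Frame-Options", xfo))
    return out

def framing_allowed(headers, page_origin, embedder_origin):
    """Simplified browser decision: exact-origin matching only (real CSP source
    lists also accept scheme and host wildcards). No header means framing is allowed."""
    h = {k.lower(): v for k, v in headers}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {s.strip("'").lower() for s in parts[1:]}
            if "none" in sources:
                return False
            if "self" in sources and embedder_origin == page_origin:
                return True
            return "*" in sources or embedder_origin.lower() in sources
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == page_origin
    return True                                   # no policy: any site may frame it

if __name__ == "__main__":
    hdrs = add_anti_framing_headers([("Content-Security-Policy", "default-src 'self'")])
    print(hdrs)
    print(framing_allowed(hdrs, "https://bank.example", "https://attacker.example"))
```

Running `framing_allowed` against the headers your own server actually returns is a quick way to confirm that a CSP added by a proxy or framework has not silently overridden the frame-ancestors policy you intended.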
Additional Considerations:
Beyond technical measures, awareness and caution among users play crucial roles in preventing clickjacking:
- Beware of Social Engineering: Users should exercise caution when interacting with unfamiliar pop-ups, emails, or links to mitigate the risk of falling prey to clickjacking tactics.
Conclusion: Clickjacking represents a significant threat in cyber security, utilizing visual deception to manipulate users into unwittingly performing actions on websites. Coined by security researchers Jeremiah Grossman and Robert Hansen in 2008, clickjacking involves overlaying transparent or opaque elements on a webpage to trick users into interacting with hidden or malicious content. This technique serves various nefarious purposes, from unauthorized transactions and data theft to the installation of malware and manipulation of user actions.
To mitigate these risks, both client-side and server-side defences are essential. Client-side measures include leveraging modern browser features like the Intersection Observer API, using protective browser add-ons, and employing JavaScript techniques like frame busting. On the server side, implementing HTTP headers like X-Frame-Options and directives within Content Security Policy (CSP) such as frame-ancestors helps restrict unauthorized framing of web content. Additionally, attributes like SameSite cookies and user education on social engineering tactics are crucial in fortifying defences against clickjacking.
By adopting a multi-layered approach combining technical solutions with user awareness, organizations can effectively protect against the evolving threat landscape posed by clickjacking attacks.