What you click is not what you get (part 1) - ERMES Intelligent Web Protection

Have you ever had the feeling that your click is not reaching the link or button below your cursor? Well, if so, you might have fallen victim to a clickjacking attack!

What is Clickjacking?

Webpages often include content from other websites by means of HTML frame tags (i.e., frame and iframe). Frames allow a website to include documents (and even entire websites) from external sources within its web pages. Frames are quite often used by websites for many legitimate reasons. For example, a webpage can embed the preview of a PDF document by means of a frame, with the preview service being provided by a third-party website. Similarly, advertisements and multimedia content are often included on webpages via frames.

Problems arise when webpages include content of other websites via frames, but such content is not perceivable to the user. For example, the frame’s content can be rendered on the webpage with a very low opacity value, to make it visually transparent. Moreover, the frame can be placed above other page elements (by controlling its stacking order via the CSS z-index property) and positioned at x-y coordinates where the user is likely to click, for example covering a link to an enticing article title. Therefore, when the user clicks on what she sees (e.g., a hyperlink), she is instead clicking on the invisible content of the other website. That’s a classical clickjacking attack!

In general, we are in the presence of a clickjacking attack whenever the user is misled about what she is actually clicking on.

An example of Clickjacking attack

Historically, the term “clickjacking” first appeared in 2008; it is a portmanteau of the words “click” and “hijacking”. The term was introduced by Jeremiah Grossman and Robert Hansen to describe their attack against Adobe Flash Player. A demonstration of their attack was released a few days later by security researcher Guy Aharonovsky.

The attack was realized with a webpage containing a seemingly innocent game which required the user to perform clicks on the page. A frame containing the Flash Player Settings Manager was included in the game webpage, and the frame was made transparent. Whenever a click was to be stolen, the webpage content was moved behind the transparent frame, so that the Flash Player Settings Manager registered the click. Conversely, whenever the click was not to be hijacked, the webpage content was moved above the framed content. Therefore, while playing the game, every few clicks the user was unknowingly interacting with the Flash Player Settings Manager to activate the webcam and microphone, thus covertly turning the computer into a surveillance device sending audio and video to the attacker.

The following video shows the attack demonstration created by Guy Aharonovsky:

What are the security risks of a Clickjacking attack?

Now let’s try to generalize what can be accomplished via a clickjacking attack. Think of any click-interactable web elements that can be found on any website, such as buttons, hyperlinks, forms, videos, etc. An attacker can create an ordinary-looking page and invisibly include these click-interactable elements. The attacker may assign these elements a fixed position on the page, but he can also program them to move suddenly to where the user is about to click, or to always stay under the mouse cursor. Basically, the attacker is in a position to trick the user into interacting with whatever content he wants, without the user noticing. In short, the possibility space of a clickjacking attack depends only on the imagination and creativity of the attacker.

For instance, clickjacking is known to have been used to:

  • Trick users into turning on their webcam or microphone, by rendering invisible elements over the Adobe Flash settings page.
  • Like and share content on social media (e.g., Facebook).
  • Steal money by tricking users into performing money transfers.
  • Steal websites’ login credentials, by rendering fake login boxes on top of the real ones.
  • Spread worms on social media sites (e.g., Twitter), by tricking users into clicking on buttons which cause them to re-post the location of a malicious page.
  • Trick users into posting messages on blogs and forums, so as to spread fake news, links to websites (to inflate visits to a website), and links to malware.
  • Promote online scams by tricking people into clicking on things they otherwise would not, for example ads involved in advertising click fraud.
  • Download malware by inducing users to click on malicious download links.
  • De-anonymize users by making them post comments or like web pages as authenticated users (e.g., users authenticated on social media like Facebook).

The evolution of clickjacking

Since the first clickjacking attacks emerged, many more clickjacking-based techniques have been discovered.

Indeed, besides the many techniques known to make a frame visually invisible, attacks can also be performed by keeping the frame content visible while covering elements within the frame to make the page look different (this is called UI Redressing). Moreover, besides clickjacking attacks that exploit visibility, there are also temporal attacks. For example, when the user is about to click on some element of a page, a frame within that webpage can suddenly change position and/or size in order to move under the user’s click and capture it.

In addition, a more modern modelling of clickjacking attacks includes techniques that go beyond framing. In fact, any form of hijacking, stealing, or interception of clicks falls under the clickjacking umbrella. For instance, a third-party script hosted by a website can perform some nasty action, such as adding invisible yet clickable elements to the page that, once clicked, take the user to fishy webpages (e.g., aggressive advertisement, scams) or download malicious content (e.g., malware). In this case, we talk about Click Interception Attacks. This topic will be covered in more detail in another article on this blog.

How can a website avoid being framed?

Classic clickjacking attacks need to wrap the target website inside an iframe. To prevent this, a website must ensure that it cannot be wrapped inside an iframe by other sites, by giving the browser instructions directly via HTTP headers (using the legacy X-Frame-Options header or the more recent Content-Security-Policy frame-ancestors directive), or, for older browsers, by using client-side defensive JavaScript code (called frame-buster or frame-killing code) which detects whether the page is running in a frame and, if so, blocks the framing. A more recent possible protection is provided by the SameSite cookie attribute: cookies with SameSite set to Strict or Lax are not included in requests for a page loaded in a cross-site iframe. Therefore, any clickjacking attack that requires the victim to be authenticated (i.e., signed in) on the framed website will not work against websites that handle authentication via such cookies.
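As an added example (not ERMES’s code), the following Python audit function classifies how a response’s headers restrict framing, applying the precedence between Content-Security-Policy and X-Frame-Options, and checks whether a Set-Cookie header’s SameSite value keeps the session cookie out of cross-site iframes; the sample headers are constructed.

```python
from typing import Dict, List, Optional

def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None

def framing_policy(headers: Dict[str, str]) -> str:
    """Classify a response as 'denied', 'same-origin', 'restricted' or 'unprotected'.
    A CSP frame-ancestors directive wins: browsers that understand it ignore
    X-Frame-Options when both headers are present."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if not ancestors or ancestors == ["none"]:
            return "denied"  # an empty source list behaves like 'none'
        if ancestors == ["self"]:
            return "same-origin"
        if "*" in ancestors:
            return "unprotected"  # wildcard lets any site frame the page
        return "restricted"  # explicit allow-list of framing origins
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by modern browsers, so it gives no
    # protection; an absent or unknown header likewise leaves the page frameable.
    return "unprotected"

def cookie_in_cross_site_frame(set_cookie: str) -> str:
    """Say whether a cookie is sent with a request for a page in a cross-site iframe."""
    attrs = [p.strip().lower() for p in set_cookie.split(";")[1:]]
    samesite = next((a.split("=", 1)[1] for a in attrs if a.startswith("samesite=")), None)
    if samesite in ("strict", "lax"):
        return "not-sent"  # the framed page sees an unauthenticated visitor
    if samesite == "none":
        return "sent" if "secure" in attrs else "rejected"  # None requires Secure
    return "browser-default"  # Chromium treats a missing SameSite as Lax

# Constructed sample responses (not taken from any real site).
SAMPLES = {
    "bank": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
             "X-Frame-Options": "ALLOW-FROM https://partner.example",
             "Set-Cookie": "sid=abc123; Secure; HttpOnly; SameSite=Lax"},
    "blog": {"Content-Type": "text/html", "Set-Cookie": "sid=xyz; Path=/"},
}
```

Running `framing_policy` and `cookie_in_cross_site_frame` over the samples gives "denied"/"not-sent" for the bank (its obsolete ALLOW-FROM is irrelevant because the CSP directive takes precedence) and "unprotected"/"browser-default" for the blog, which is exactly the unprotected case the next paragraph describes.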

Unfortunately, webmasters have to actively enable these precautions to protect their systems. As a result, hundreds of thousands of popular websites on the web do not provide any mechanism to prevent their pages from being framed by other websites.

What can a user do to stay protected?

Besides following some general best practices when browsing the web, the user alone cannot do much to avoid falling victim to clickjacking attacks.

The most perilous clickjacking attacks require a malicious website to frame authenticated webpages. Therefore, a user can avoid falling victim to these attacks simply by not being authenticated on trusted websites while browsing other unknown and untrusted websites. As a general rule, a user should open a new browser window to log in to sensitive websites (e.g., bank, social media, private company websites, etc.) and should log out from those websites as soon as she is done with them. While interacting with sensitive websites, the user should refrain from interacting with other webpages until she has logged out from the sensitive website.

While this practice is enough to defend a user from those clickjacking attacks that target authenticated websites, it cannot defend the user from attacks that have other kinds of targets. For example, this practice cannot protect the user from being involved in ad fraud, from unwillingly clicking on invisible content which leads to downloading malware, etc.

At ERMES, we design and develop innovative technologies to fully protect our users by recognizing, detecting, preventing, and blocking all forms of clickjacking attacks, as well as many other click interception attacks and malicious practices.