University of Cyprus
Department of Computer Science
Advanced Security Topics
Clickjacking: Attacks and Defenses
Name: Elena Prodromou
Instructor: Dr. Elias Athanasopoulos
Paper authors: Lin-Shung Huang, Alex Moshchuk, Helen J. Wang, Stuart Schechter, Collin Jackson
Carnegie Mellon University / Microsoft Research
USENIX Security 2012
Outline
• Clickjacking: Definition
• Clickjacking: Examples
• Likejacking
• Types of Context Integrity
• Existing Attacks
• Existing Defenses
• New Attack Variants
• InContext Defense
• Experiments
• Conclusion
CS682: Advanced Security Topics 2
Clickjacking: Definition (1/2)
• The term “Clickjacking” was coined by Jeremiah Grossman and Robert Hansen in 2008
• A malicious technique that deceives a web user into interacting (in most cases by clicking) with something different from what they believe they are interacting with
• It can send unauthorized commands or reveal confidential information while the victim is interacting with seemingly harmless web pages
Clickjacking: Definition (2/2)
• Root cause of clickjacking
– An attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page
• Some possible risks caused by clickjacking
– Web surfing anonymity can be compromised
– The user’s private data and emails can be stolen
– The attacker can spy on the user through their webcam
Clickjacking: Examples
(Two example slides containing only images; no text was extracted.)
Likejacking
• An attacker web page tricks users into clicking on a Facebook button by transparently overlaying it on top of an innocuous UI element
• It presents a false visual context to the user
Types of Context Integrity
• An attacker compromises the context integrity of another application’s UI components
Visual integrity
– What the user should see right before their sensitive action
– The sensitive UI element should be fully visible (target display integrity)
– Pointer feedback (e.g. the cursor) should be fully visible (pointer integrity)
Temporal integrity
– Ensures that the user’s action at a particular time is intended by the user
Existing Attacks
• Three kinds of clickjacking attacks
① Compromising target display integrity
② Compromising pointer integrity
③ Compromising temporal integrity
Compromising Target Display Integrity (1/2)
• Hiding the target element
– Using the CSS opacity and z-index properties to make the target element invisible while another element floats under it
– Alternatively, an attacker covers the target element with an opaque decoy
– Using the CSS pointer-events: none property to make the decoy unclickable, so the click reaches the target beneath it
(Figure: two click-through scenarios; in the first the target has opacity: 0.1 above a decoy at z-index: -1, in the second the decoy is styled pointer-events: none and the click event passes through to the target)
Compromising Target Display Integrity (2/2)
• Partial overlays
– Overlay other elements onto an iframe using the CSS z-index property
– Visually confuse the user by obscuring only part of the target element
• Cropping
– Wrap the target element in a new iframe so that only part of it is shown
(Figure: two PayPal iframe examples. Partial overlay: an element at z-index: 1 reading “Pay to charity: $10” covers the “Pay to attacker: $ 1000” line of the PayPal information, leaving the “Paypal checkout” button visible. Cropping: the PayPal iframe is cropped so that only the “Paypal checkout” button is shown.)
Compromising Pointer Display Integrity
• Hiding the real cursor and creating a fake cursor
– An attacker displays a fake cursor icon away from the real pointer, known as cursorjacking
– The user misinterprets the click’s target
• Keyboard focus using a strokejacking attack
– Simulate an input field receiving focus while the keyboard focus is actually on the target element, forcing the user to type unwanted information into the target element
(Figure: keyboard focus using a strokejacking attack)
Compromising Temporal Display Integrity
• Manipulate UI elements after the user has decided to click, but before the actual click occurs
• Bait and switch: as the mouse comes near the “Claim your free iPad” button, the “Like” button moves into its location before the user realizes it
• An attacker could ask the victim to repetitively click objects in a malicious game, or to double-click on a decoy button, moving the target element over the decoy immediately after the first click
Consequences
• Tweetbomb
– Hides the tweet button and tricks users into clicking on overlapping elements
• Facebook “Likejacking” attacks
• Attackers steal users’ private data by hijacking a button on the approval pages of the OAuth (Open Authorization) protocol
• Several attacks target the Flash Player webcam settings dialog, allowing rogue sites to access the victim’s webcam and spy on the user
Existing anti-clickjacking defenses (1/3)
• Protecting visual context
– User confirmation: ask the user to re-verify the click event
  – Degrades the user experience on single-click buttons
  – Vulnerable to double-click timing attacks, which can trick the victim into clicking through both the target element and the confirmation popup
– UI randomization: randomize the target element’s UI layout, e.g. the position of the Pay button
  – An attacker may ask the user to keep clicking until the Pay button’s location is guessed successfully
– Opaque overlay policy: force all cross-origin frames to be rendered opaquely
  – May break legitimate sites
Existing anti-clickjacking defenses (2/3)
– Framebusting: do not render the page or the target element inside an iframe (use X-Frame-Options or CSP’s frame-ancestors directive)
  – Does not apply to the Facebook “Like” button, which must be within an iframe
– Visibility detection on click: block mouse clicks if the browser detects that the clicked cross-origin frame is not fully visible
  – ClearClick: compares the bitmap of the clicked object on a given page with the bitmap of that object rendered in isolation
    – May produce false positives on some sites
  – ClickIDS: alerts the user only when the clicked element overlaps with other clickable elements
    – Cannot detect attacks based on partial overlays or cropping
None of these defenses guarantees pointer integrity!
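The framebusting defense above rests on two response headers, X-Frame-Options and CSP frame-ancestors. The following Node.js helper is an added example (not code from these slides or from the Huang et al. paper): it audits a page’s response headers and reports whether a given ancestor origin would be allowed to frame it, applying the rule that frame-ancestors takes precedence over X-Frame-Options when both are present. The header values and the origins pay.example, partner.example and evil.example are constructed for the example; ports in host sources are ignored as a simplification.

```javascript
// Added example (not from the slides or the paper): decide whether a page, given its response
// headers, may be framed by a given ancestor origin.
//   - CSP frame-ancestors takes precedence over X-Frame-Options when both are present
//     (browsers that understand frame-ancestors ignore X-Frame-Options).
//   - X-Frame-Options DENY / SAMEORIGIN are honoured; the obsolete ALLOW-FROM is ignored.
//   - frame-ancestors sources 'none', 'self', '*', scheme-source (https:) and host-source with
//     an optional scheme and a leading "*." wildcard are supported. Ports are ignored (simplification).

function parseFrameAncestors(cspValue) {
  // Returns the frame-ancestors source list, or null when the directive is absent.
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function sourceMatches(source, pageOrigin, ancestorOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return ancestorOrigin === pageOrigin;
  if (source === '*') return true;
  const ancestor = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return ancestor.protocol === source; // scheme-source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(?:\d+|\*))?$/.exec(source);
  if (m === null) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && ancestor.protocol !== scheme + ':') return false;
  if (wildcard) return ancestor.hostname.endsWith('.' + host); // *.partner.example does not match partner.example itself
  return ancestor.hostname === host;
}

function framingAllowed(headers, pageOrigin, ancestorOrigin) {
  // headers: object keyed by lowercase header name. True means ancestorOrigin may frame the page.
  const csp = headers['content-security-policy'];
  if (csp !== undefined) {
    const sources = parseFrameAncestors(csp);
    if (sources !== null) {
      return sources.some((s) => sourceMatches(s, pageOrigin, ancestorOrigin));
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigin === pageOrigin;
  return true; // no effective policy: any site can frame the page
}

function framingProtection(headers) {
  // Classifies which mechanism, if any, stops arbitrary sites from framing the response.
  const csp = headers['content-security-policy'];
  if (csp !== undefined && parseFrameAncestors(csp) !== null) return 'csp-frame-ancestors';
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return 'x-frame-options';
  return 'none';
}

// Constructed sample responses for a hypothetical checkout page at https://pay.example.
const samples = {
  unprotected: {},
  xfoDeny: { 'x-frame-options': 'DENY' },
  cspSelfAndPartner: {
    'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://partner.example",
  },
  cspOverridesXfo: {
    'x-frame-options': 'DENY',
    'content-security-policy': 'frame-ancestors https://*.partner.example',
  },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(name, framingProtection(headers),
    'evil may frame:', framingAllowed(headers, 'https://pay.example', 'https://evil.example'));
}
```

A sensitive page should report csp-frame-ancestors (or at least x-frame-options) and “evil may frame: false”; a page reporting none is framable by anyone and is a candidate for the overlay attacks on the earlier slides.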
Existing anti-clickjacking defenses (3/3)
• Protecting temporal context
– UI delays: give the user enough time to comprehend any UI changes by imposing a delay after displaying a dialog, so that the user cannot interact with the dialog until the delay expires
– The length of the UI delay is a tradeoff between the user experience penalty and protection from temporal attacks
New Attack Variants
• The authors constructed and evaluated three attack variants using known clickjacking techniques
① Cursor spoofing attack to steal webcam access
② Double click attack to steal user private data
③ Whack-a-mole attack to compromise web surfing anonymity
Cursor spoofing attack to steal webcam access
(Figure: the target Flash Player webcam settings dialog is at the bottom right of the page, with a “skip this ad” bait link some distance above it)
Double click attack to steal user private data
• Bait-and-switch attack: the attack page baits the user into performing a double-click. After the first click and before the second, the attacker switches the user’s focus to a Google OAuth pop-up window placed under the cursor
Whack-a-mole attack
• Ask the user to click as fast as possible, then suddenly place the Facebook Like button under the user’s cursor
• After the click, immediately check the list of likes to obtain the profile of the clicking victim
InContext Defense
• The authors propose a defense, InContext, to enforce the context integrity of user actions on sensitive UI elements
• Only when target display integrity and pointer integrity are satisfied does the system activate the sensitive UI elements and deliver user input to them
Guaranteeing Target Display Integrity (1/2)
• Not all web pages of a web site contain sensitive operations and are susceptible to clickjacking
• The authors let web sites indicate which UI elements or web pages are sensitive
• Strawman 1: CSS checking
– Let the browser check the computed CSS styles of elements and make sure the sensitive element is not overlaid by cross-origin elements
– Not reliable, since new CSS properties keep coming out
• Strawman 2: Static reference bitmap
– Let a web site provide a static bitmap of its sensitive element as a reference, and let the browser make sure the rendered sensitive element matches the reference
– Different browsers render HTML differently
– Fails when sensitive elements contain animated content
Guaranteeing Target Display Integrity (2/2)
• Compare the OS-level screenshot of the area containing the sensitive element (what the user sees) with the bitmap of the sensitive element rendered in isolation, at the time of the user action
• If the two bitmaps differ, the user action is cancelled and not delivered to the sensitive element, and the browser fires a new oninvalidclick event
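To make the bitmap comparison concrete, here is an added example, not the paper’s InContext implementation: a toy compositor in Node.js in which every layer is a solid-colour rectangle with an opacity and a z-index. The “OS-level screenshot” is the composite of all layers, the reference is the sensitive element rendered alone at full opacity (the host page’s styling does not exist in the isolated rendering), and a click is delivered only when the two agree over the element’s area. The “Allow” button, decoy and cover layers and the click coordinates are constructed; the scenarios show that both a hidden-target overlay and a partial overlay are caught, even when the click lands on an unobscured pixel.

```javascript
// Added example, not the paper's code: a toy compositor modelling InContext's
// target-display-integrity check (screenshot vs. element rendered in isolation).

function covers(layer, x, y) {
  return x >= layer.x && x < layer.x + layer.w && y >= layer.y && y < layer.y + layer.h;
}

function compositePixel(layers, x, y) {
  let [r, g, b] = [255, 255, 255]; // white page background
  const stack = layers.filter((l) => covers(l, x, y)).sort((a, b) => a.z - b.z);
  for (const l of stack) {
    const a = l.opacity; // source-over blending of each layer, lowest z-index first
    r = Math.round(l.color[0] * a + r * (1 - a));
    g = Math.round(l.color[1] * a + g * (1 - a));
    b = Math.round(l.color[2] * a + b * (1 - a));
  }
  return [r, g, b];
}

function renderRegion(layers, region) {
  // Flat array of RGB triples for the pixels inside region, row-major.
  const pixels = [];
  for (let y = region.y; y < region.y + region.h; y++) {
    for (let x = region.x; x < region.x + region.w; x++) {
      pixels.push(...compositePixel(layers, x, y));
    }
  }
  return pixels;
}

function bitmapsMatch(a, b) {
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

function dispatchClick(pageLayers, sensitiveName, click) {
  // Returns { delivered, event } where event is 'click', 'oninvalidclick' or null.
  const target = pageLayers.find((l) => l.name === sensitiveName);
  if (!target || !covers(target, click.x, click.y)) {
    return { delivered: false, event: null }; // the click was not on the sensitive element
  }
  const screenshot = renderRegion(pageLayers, target);                  // what the user sees
  const reference = renderRegion([{ ...target, opacity: 1 }], target); // element rendered in isolation
  if (bitmapsMatch(screenshot, reference)) {
    return { delivered: true, event: 'click' };
  }
  return { delivered: false, event: 'oninvalidclick' }; // integrity violated: cancel the action
}

// Constructed scenarios. The sensitive element is a green "Allow" button.
const allowButton = { name: 'allow', x: 100, y: 100, w: 40, h: 20, z: 1, opacity: 1, color: [0, 128, 0] };
const honestPage = [allowButton];
// Hidden target: an opaque red decoy underneath, the real button made nearly transparent on top.
const hiddenTargetPage = [
  { name: 'decoy', x: 100, y: 100, w: 40, h: 20, z: 0, opacity: 1, color: [220, 0, 0] },
  { ...allowButton, opacity: 0.1 },
];
// Partial overlay: an opaque element hides the left half of the button; the click lands on the visible half.
const partialOverlayPage = [
  allowButton,
  { name: 'cover', x: 100, y: 100, w: 20, h: 20, z: 2, opacity: 1, color: [0, 0, 255] },
];
const click = { x: 130, y: 110 };

console.log('honest page:', dispatchClick(honestPage, 'allow', click));
console.log('hidden target:', dispatchClick(hiddenTargetPage, 'allow', click));
console.log('partial overlay:', dispatchClick(partialOverlayPage, 'allow', click));
```

Because the whole element area is compared rather than just the clicked pixel, the check does not share ClickIDS’s blind spot for partial overlays; the cost is that any legitimate cross-origin content drawn over the element also cancels the click, which is why the paper lets sites mark only their sensitive elements.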
Guaranteeing Pointer Integrity (1/2)
• No cursor customization: InContext disables cross-origin cursor customization on the host page when a sensitive element is present
• Screen freezing around the sensitive element: disable animations that distract the user’s attention
• Muting: a loud noise could trigger the user to quickly look for a way to stop it, so the speakers are muted while the user interacts with a sensitive element
Guaranteeing Pointer Integrity (2/2)
• Lightbox around the sensitive element: use a randomly generated mask to overlay all rendered content around the sensitive UI element whenever the cursor is within that element’s area
• No programmatic cross-origin keyboard focus changes: disallow programmatic changes of keyboard focus by other origins
Ensuring Temporal Integrity (1/2)
• UI delay: the click on the sensitive UI element is not delivered unless the sensitive element has been fully visible and stationary long enough
• UI delay after pointer entry: impose the delay each time the pointer enters the sensitive element
Ensuring Temporal Integrity (2/2)
• Pointer re-entry on a newly visible sensitive element: the browser invalidates input events until the user explicitly moves the pointer from outside the sensitive element to inside it
• Padding area around the sensitive element: add padding around the sensitive element so the user can tell whether the pointer is on the sensitive element
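The UI-delay defense from the existing-defenses slides and the three InContext temporal rules above (UI delay, delay after pointer entry, pointer re-entry on a newly visible element) can be expressed as one small state machine. The following Node.js gate is an added example, not the paper’s code, and the whack-a-mole and bait-and-switch timelines it replays are constructed (times in milliseconds, a 500 ms delay as in the paper’s combined-defense experiment). The padding-area rule is not modelled.

```javascript
// Added example, not the paper's code: a click gate enforcing InContext's temporal rules for
// one sensitive element. A click is delivered only if (1) the element has been visible and
// stationary for at least delayMs, (2) the pointer entered the element from outside after the
// element last appeared, and (3) at least delayMs have passed since that entry.
class TemporalClickGate {
  constructor(delayMs) {
    this.delay = delayMs;
    this.rect = null;         // null while the element is not visible
    this.visibleSince = null; // time the element last became visible or last moved
    this.pointer = null;      // last known pointer position
    this.enteredAt = null;    // time the pointer last entered the element from outside
  }
  contains(p) {
    return p !== null && this.rect !== null &&
      p.x >= this.rect.x && p.x < this.rect.x + this.rect.w &&
      p.y >= this.rect.y && p.y < this.rect.y + this.rect.h;
  }
  // Newly visible: the stationary timer starts and an explicit re-entry is required.
  show(t, rect) { this.rect = rect; this.visibleSince = t; this.enteredAt = null; }
  // Moved: the stationary timer restarts. A pointer the element lands on was never "entered"
  // (enteredAt is null because the pointer was outside), so a bait-and-switch still needs re-entry.
  move(t, rect) { this.rect = rect; this.visibleSince = t; }
  hide() { this.rect = null; this.visibleSince = null; this.enteredAt = null; }
  pointerMove(t, p) {
    const wasInside = this.contains(this.pointer);
    const nowInside = this.contains(p);
    this.pointer = p;
    if (nowInside && !wasInside) this.enteredAt = t; // genuine entry from outside
    if (!nowInside) this.enteredAt = null;
  }
  click(t) {
    if (this.visibleSince === null) return 'rejected:not-visible';
    if (!this.contains(this.pointer)) return 'rejected:outside-element';
    if (this.enteredAt === null) return 'rejected:pointer-re-entry-required';
    if (t - this.visibleSince < this.delay) return 'rejected:ui-delay';
    if (t - this.enteredAt < this.delay) return 'rejected:entry-delay';
    return 'delivered';
  }
}

// Constructed timeline: a whack-a-mole attack followed by a bait-and-switch, then honest use.
function attackTimeline() {
  const gate = new TemporalClickGate(500);
  const log = [];
  gate.pointerMove(0, { x: 50, y: 50 });              // user is clicking rapidly at this spot
  gate.show(100, { x: 40, y: 40, w: 40, h: 20 });     // Like button appears right under the pointer
  log.push(gate.click(150));                          // rejected: pointer never entered from outside
  gate.pointerMove(200, { x: 10, y: 10 });            // pointer leaves the element
  gate.pointerMove(250, { x: 50, y: 50 });            // pointer deliberately re-enters
  log.push(gate.click(300));                          // rejected: visible for only 200 ms
  log.push(gate.click(700));                          // rejected: entered only 450 ms ago
  log.push(gate.click(800));                          // delivered: both delays satisfied
  gate.move(900, { x: 200, y: 40, w: 40, h: 20 });    // bait and switch: element jumps elsewhere
  gate.pointerMove(950, { x: 210, y: 50 });           // pointer follows it
  log.push(gate.click(1000));                         // rejected: moved only 100 ms ago
  log.push(gate.click(1500));                         // delivered
  return log;
}

console.log(attackTimeline());
```

The two delays cost an honest user half a second per sensitive click, which is the user-experience tradeoff the existing-defenses slide mentions; the re-entry rule costs nothing in the honest case because a deliberate user moves onto the element anyway.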
Experiments
• Posted a Human Interactive Task (HIT) at Amazon’s Mechanical Turk
• Each task consisted of a unique combination of a simulated attack and, in some cases, a simulated defense
• 2064 participants were assigned uniformly and at random to one of 27 treatment groups
– 10 treatment groups for the cursor-spoofing attacks
– 4 for the double click attacks
– 13 for the whack-a-mole attacks
Experiments on Cursor-spoofing attacks
• The authors’ attack tricked 43% of participants into clicking on a button that would grant webcam access
• Several defenses reduced the rate of clicking
• Outcomes recorded
– Timeout: waited for the full ad video to end
– Skip: clicked on the “Skip ad” link
– Quit: quit the task with no pay
– Attack success: clicked on the webcam “Allow” button
Experiments on Double-click attacks
• 47% of users were attacked successfully and would have granted access to their personal Google data
• Outcomes recorded
– Timeout: the OAuth “Allow” button was not clicked within 2 seconds
– Quit: quit the experiment
– Attack success: clicked the OAuth “Allow” button
Experiments on Whack-a-mole attacks
• Outcomes recorded
– Timeout: did not click on the target button within 10 seconds
– Attack success: clicked on the “Like” button knowingly
– On 1st mouseover: clicked on the “Like” button right after the first mouseover of the “Like” button (unknowingly)
– Filter by survey: clicked on the “Like” button unknowingly, according to the survey
• Combined defense (M): pointer re-entry, appearance delay of 500 ms, display freezing, and padding
Conclusion
• The authors devised new clickjacking variants that bypass existing defenses
• They proposed InContext, a web browser or OS mechanism that ensures a user’s action on a sensitive UI element is in context, having visual integrity and temporal integrity
• Experiments show that their attacks are highly effective
• The InContext defense can be very effective against clickjacking attacks
Questions?
Name: Elena Prodromou
Email: [email protected]