Page 1: Clickjacking: Attacks and Defenses

University of Cyprus, Department of Computer Science

Advanced Security Topics

Clickjacking: Attacks and Defenses

Name: Elena Prodromou
Instructor: Dr. Elias Athanasopoulos

Authors: Lin-Shung Huang, Alex Moshchuk, Helen J. Wang, Stuart Schechter, Collin Jackson

Carnegie Mellon University, Microsoft Research

USENIX Security 2012

Page 2: Outline

• Clickjacking: Definition

• Clickjacking: Examples

• Likejacking

• Types of Context Integrity

• Existing Attacks

• Existing Defenses

• New Attack Variants

• InContext Defense

• Experiments

• Conclusion

CS682: Advanced Security Topics 2

Page 3: Clickjacking: Definition (1/2)

• The term “Clickjacking” was coined by Jeremiah Grossman and Robert Hansen in 2008

• A malicious technique that deceives a web user into interacting (in most cases by clicking) with something different from what the user believes they are interacting with

• It can send unauthorized commands or reveal confidential information while the victim is interacting with seemingly harmless web pages

Page 4: Clickjacking: Definition (2/2)

• Root cause of clickjacking

An attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page

• Some possible risks caused by clickjacking

– Web surfing anonymity can be compromised

– The user’s private data and emails can be stolen

– The user can be spied on through their webcam

Page 6: Clickjacking: Examples (figure only)

Page 7: Clickjacking: Examples (figure only)

Page 9: Likejacking

• An attacker’s web page tricks users into clicking on a Facebook button by transparently overlaying it on top of an innocuous UI element

• It presents a false visual context to the user

Page 11: Types of Context Integrity

• The attacker compromises the context integrity of another app’s UI components

Visual Integrity

– What the user should see right before their sensitive action

– The sensitive UI element should be fully visible (Target Display Integrity)

– Pointer feedback (e.g. the cursor) should be fully visible (Pointer Integrity)

Temporal Integrity

– Ensures that the user action at a particular time is intended by the user

Page 13: Existing Attacks

• Three kinds of clickjacking attacks

① Compromising target display integrity

② Compromising pointer integrity

③ Compromising temporal integrity

Page 14: Compromising Target Display Integrity (1/2)

• Hiding the target element

– Using the CSS opacity and z-index properties to make the target element invisible and float a decoy element under it

– Alternatively, the attacker covers the target element with an opaque decoy

– Using the CSS pointer-events: none property to make the decoy unclickable, so that clicks pass through to the target element

[figure: two layering diagrams; the first labelled “z-index: -1”, “opacity: 0.1” and “Click event”, the second labelled “pointer-events: none” and “Click event”]

Page 15: Compromising Target Display Integrity (2/2)

• Partial Overlays

– Overlay other elements onto the iframe using the CSS z-index property

– Visually confuse the user by obscuring only a part of the target element

• Cropping

– Wrap the target element in a new iframe so that only part of it is shown

[figure: two Paypal iframe mock-ups (“Paypal Information”, “Pay to attacker: $ 1000”, “Paypal checkout”); one is labelled “z-index: 1” with a “Pay to charity: $10” element overlaid on it, the other is labelled “cropping”]

Page 16: Compromising Pointer Display Integrity

• Hiding the real cursor and creating a fake cursor

– The attacker displays a fake cursor icon away from the real pointer, a technique known as cursorjacking

– The user misinterprets a click’s target

• Stealing keyboard focus with a strokejacking attack

– Simulate an input field getting focus while the keyboard focus is actually on the target element, so that the user is made to type unwanted input into the target element

Page 17: Keyboard focus using strokejacking attack (figure only)

Page 18: Compromising Temporal Display Integrity

• Manipulate UI elements after the user has decided to click, but before the actual click occurs

• Bait and switch: as the mouse comes near a “Claim your free iPad” button, the “Like” button moves to take its location before the user realizes it

• An attacker could ask the victim to repetitively click objects in a malicious game, or to double-click on a decoy button, moving the target element over the decoy immediately after the first click

Page 19: Consequences

• Tweetbomb: hide the Tweet button and trick the user into clicking on overlapping elements

• Facebook “Likejacking” attacks

• Attackers steal users’ private data by hijacking a button on the approval pages of the OAuth protocol (Open Authorization)

• Several attacks target the Flash Player webcam settings dialog, allowing rogue sites to access the victim’s webcam and spy on the user

Page 21: Existing anti-clickjacking defenses (1/3)

• Protecting visual context

– User Confirmation: ask the user to re-verify the click event

  – Degrades the user experience on single-click buttons

  – Vulnerable to double-click timing attacks, which could trick the victim into clicking through both the target element and the confirmation popup

– UI Randomization: randomize the target element’s UI layout, e.g. the position of the Pay button

  – An attacker may ask the user to keep clicking until they guess the Pay button’s location

– Opaque Overlay Policy: force all cross-origin frames to be rendered opaquely

  – May break legitimate sites

Page 22: Existing anti-clickjacking defenses (2/3)

– Framebusting: do not render the page or the target element inside an iframe (use X-Frame-Options and CSP’s frame-ancestors)

  – Limitation: the Facebook “Like” button must be within an iframe

– Visibility Detection on Click: block mouse clicks if the browser detects that the clicked cross-origin frame is not fully visible

  – ClearClick: compares the bitmap of the clicked object on a given page with the bitmap of that object rendered in isolation

    – May have false positives on some sites

  – ClickIDS: alerts users only when the clicked element overlaps with other clickable elements

    – Cannot detect attacks based on partial overlays or cropping

None of these defenses guarantee pointer integrity!
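The framebusting headers named above, as an added example that is not code from the slides or the paper: one function emits X-Frame-Options and CSP frame-ancestors for a policy, and a second one audits a response the way a browser would decide whether an embedder may frame it. The origins and header samples are constructed for the demo, and only the 'none', 'self', '*' and exact-origin forms of frame-ancestors are parsed.

```javascript
// Added example, not code from the slides or the paper: build the anti-framing
// headers behind the "Framebusting" bullet and audit a response for them.
// Assumptions: the origins and header samples below are constructed; only the
// 'none', 'self', '*' and exact-origin forms of frame-ancestors are parsed.

// Build the headers for a policy: "deny", "sameorigin", or an array of
// allowed embedder origins (https only).
function antiFramingHeaders(policy) {
  if (policy === "deny") {
    return { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'" };
  }
  if (policy === "sameorigin") {
    return { "X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self'" };
  }
  if (Array.isArray(policy) && policy.length > 0) {
    for (const origin of policy) {
      // Origins only: scheme + host (+ port), no path, no wildcard.
      if (!/^https:\/\/[a-z0-9.-]+(:\d+)?$/i.test(origin)) {
        throw new Error(`not an https origin: ${origin}`);
      }
    }
    // X-Frame-Options cannot express a multi-origin allow-list, so only the
    // CSP directive is emitted; browsers that honour frame-ancestors ignore
    // X-Frame-Options when both are present anyway.
    return { "Content-Security-Policy": `frame-ancestors 'self' ${policy.join(" ")}` };
  }
  throw new Error("policy must be 'deny', 'sameorigin' or a list of origins");
}

// Audit side: may a response with these (lower-cased) headers be framed by
// embedderOrigin? frame-ancestors wins when present, X-Frame-Options is the
// fallback, and no header at all means anyone may frame the page.
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const csp = headers["content-security-policy"] || "";
  const directive = csp.split(";").map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1)
      .map((s) => s.replace(/^'|'$/g, "").toLowerCase());
    if (sources.length === 0 || sources.includes("none")) return false;
    const embedder = embedderOrigin.toLowerCase();
    return sources.some((src) => src === "*" ||
      (src === "self" && embedder === pageOrigin.toLowerCase()) || src === embedder);
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === pageOrigin;
  return true;
}

function lowerKeys(h) {
  return Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));
}

// Constructed sample: can an unrelated origin frame the checkout page under
// each of four response header sets?
const PAGE = "https://pay.example";
const ATTACKER = "https://attacker.example";
function auditSamples() {
  const samples = {
    unprotected: {},
    legacyOnly: { "x-frame-options": "SAMEORIGIN" },
    deny: lowerKeys(antiFramingHeaders("deny")),
    partner: lowerKeys(antiFramingHeaders(["https://partner.example"])),
  };
  const result = {};
  for (const [name, h] of Object.entries(samples)) result[name] = framingAllowed(h, PAGE, ATTACKER);
  return result;
}
```

Only the unprotected sample is frameable by the attacker origin; the audit function is the check to run against real responses when verifying that a sensitive page actually ships the headers.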

Page 23: Existing anti-clickjacking defenses (3/3)

• Protecting temporal context

– UI Delays: give the user enough time to comprehend any UI changes by imposing a delay after displaying a dialog, so that the user cannot interact with the dialog until the delay expires

  – The length of the UI delay is a tradeoff between the user experience penalty and protection from temporal attacks

Page 25: New Attack Variants

• The authors constructed and evaluated three attack variants using known clickjacking techniques

① Cursor spoofing attack to steal webcam access

② Double click attack to steal user private data

③ Whack-a-mole attack to compromise web surfing anonymity

Page 26: Cursor spoofing attack to steal webcam access

• The target Flash Player webcam settings dialog is at the bottom right of the page, with a “skip this ad” bait link placed some distance above it (figure)

Page 27: Double click attack to steal user private data

• Bait-and-switch attack: the attack page baits the user into performing a double-click. After the first click and before the second click, the attacker switches the user’s focus to a Google OAuth pop-up window under the cursor

Page 28: Whack-a-mole attack

• Ask the user to click as fast as possible, and suddenly switch in the Facebook “Like” button where the user is clicking

• After the click, immediately check the list of likes to get the profile of the clicking victim

Page 30: InContext Defense

• The authors propose a defense, InContext, to enforce the context integrity of user actions on sensitive UI elements

• When target display integrity and pointer integrity are satisfied, the system activates the sensitive UI elements and delivers user input to them

Page 31: Guaranteeing Target Display Integrity (1/2)

• Not all web pages of a web site contain sensitive operations and are susceptible to clickjacking

• The authors let web sites indicate which UI elements or web pages are sensitive

• Strawman 1: CSS checking

– Let the browser check the computed CSS styles of elements and make sure the sensitive element is not overlaid by cross-origin elements

– Not reliable, since new CSS properties keep coming out

• Strawman 2: Static reference bitmap

– Let a web site provide a static bitmap of its sensitive element as a reference, and let the browser make sure the rendered sensitive element matches the reference

– Different browsers render HTML differently

– Fails when sensitive elements contain animated content

Page 32: Guaranteeing Target Display Integrity (2/2)

• Compare the OS-level screenshot of the area that contains the sensitive element (what the user sees) with the bitmap of the sensitive element rendered in isolation, at the time of the user action

• If these two bitmaps are not the same, the user action is canceled and not delivered to the sensitive element, and the browser triggers a new oninvalidclick event
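The screenshot-versus-isolated-rendering check described on this slide, as an added model that is not the paper’s implementation: bitmaps are constructed 8x4 grayscale arrays, the host page’s overlay is alpha-blended onto the isolated rendering to stand in for the OS-level screenshot, and the click is delivered or turned into oninvalidclick depending on whether the two match. It also covers the partial-overlay case that slide 22 notes ClickIDS cannot detect.

```javascript
// Added example, not the paper's implementation: a model of the InContext
// target display integrity check. Bitmaps are constructed 8x4 grayscale
// arrays; the real check compares an OS-level screenshot with the element
// rendered in isolation.
const W = 8, H = 4;

// The sensitive element as rendered in isolation: a light button with a dark
// 2x2 label block in the middle (constructed).
function renderIsolated() {
  const px = new Array(W * H).fill(220);
  for (let y = 1; y < 3; y++) for (let x = 3; x < 5; x++) px[y * W + x] = 40;
  return px;
}

// What the user sees: the isolated bitmap with whatever the host page paints on
// top of it alpha-blended in. overlay is {x, y, w, h, value, alpha} or null.
function screenshotWithOverlay(base, overlay) {
  const out = base.slice();
  if (!overlay) return out;
  for (let y = overlay.y; y < overlay.y + overlay.h; y++) {
    for (let x = overlay.x; x < overlay.x + overlay.w; x++) {
      const i = y * W + x;
      out[i] = Math.round(overlay.alpha * overlay.value + (1 - overlay.alpha) * out[i]);
    }
  }
  return out;
}

// Number of pixels whose values differ by more than tolerance.
function differingPixels(a, b, tolerance) {
  let n = 0;
  for (let i = 0; i < a.length; i++) if (Math.abs(a[i] - b[i]) > tolerance) n++;
  return n;
}

// The decision InContext makes at click time: deliver the click only if the
// screenshot region matches the isolated rendering; otherwise cancel it and
// fire oninvalidclick so the page can react.
function dispatchClick(screenshot, isolated, handlers, tolerance = 0) {
  const diff = differingPixels(screenshot, isolated, tolerance);
  if (diff > 0) {
    handlers.oninvalidclick({ differingPixels: diff });
    return { delivered: false, differingPixels: diff };
  }
  handlers.onclick();
  return { delivered: true, differingPixels: 0 };
}

// Three constructed scenarios from the slides: the element shown untouched, an
// attacker page covering it with a mostly opaque decoy, and a partial overlay
// hiding only the label (the case ClickIDS misses, slide 22).
function runScenarios() {
  const isolated = renderIsolated();
  const log = [];
  const handlers = {
    onclick: () => log.push("delivered"),
    oninvalidclick: (e) => log.push(`invalid:${e.differingPixels}`),
  };
  const scenarios = {
    untouched: null,
    fullDecoy: { x: 0, y: 0, w: W, h: H, value: 255, alpha: 0.9 },
    partialOverlay: { x: 3, y: 1, w: 2, h: 2, value: 220, alpha: 1 },
  };
  const results = {};
  for (const [name, overlay] of Object.entries(scenarios)) {
    const shot = screenshotWithOverlay(isolated, overlay);
    results[name] = dispatchClick(shot, isolated, handlers).delivered;
  }
  return { results, log };
}
```

A non-zero tolerance is what a real implementation would need to absorb sub-pixel rendering noise without letting a 10%-opacity decoy through; the model keeps it at 0 so the three outcomes are exact.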

Page 33: Guaranteeing Pointer Integrity (1/2)

• No cursor customization: InContext disables cross-origin cursor customization on the host page when a sensitive element is present

• Screen freezing around the sensitive element: disable animations that could distract the user’s attention

• Muting: a loud noise could trigger a user to quickly look for a way to stop it, so the speakers are muted while the user interacts with a sensitive element

Page 34: Guaranteeing Pointer Integrity (2/2)

• Lightbox around the sensitive element: use a randomly generated mask to overlay all rendered content around the sensitive UI element whenever the cursor is within that element’s area

• No programmatic cross-origin keyboard focus changes: disallow programmatic changes of keyboard focus by other origins

Page 35: Ensuring Temporal Integrity (1/2)

• UI delay: a click on the sensitive UI element is not delivered unless the sensitive element has been fully visible and stationary for long enough

• UI delay after pointer entry: impose the delay each time the pointer enters the sensitive element

Page 36: Ensuring Temporal Integrity (2/2)

• Pointer re-entry on a newly visible sensitive element: the browser invalidates input events until the user explicitly moves the pointer from outside the sensitive element to inside it

• Padding area around the sensitive element: add padding around the sensitive element so the user can tell whether the pointer is on the sensitive element
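The temporal integrity rules of slides 35 and 36 (UI delay, delay after pointer entry, pointer re-entry on a newly visible element), as an added model that is not the paper’s implementation: a guard object tracks the element’s visibility and the pointer’s position, and decides per click whether it is delivered or which rule blocks it. Times are in milliseconds and the event timelines, including the bait-and-switch and double-click cases from the attack slides, are constructed.

```javascript
// Added example, not the paper's implementation: a model of the InContext
// temporal integrity rules on slides 35-36 for one sensitive element. Times are
// in milliseconds and the event timelines below are constructed.
class TemporalIntegrityGuard {
  constructor(delayMs) {
    this.delayMs = delayMs;      // how long the element must be visible and still
    this.visibleSince = null;    // when it last became fully visible and stationary
    this.pointerInside = false;
    this.enteredAt = null;       // when the pointer last entered from outside
    this.reentryNeeded = false;  // element appeared under a pointer already inside
  }
  // The element became fully visible (true) or got hidden/occluded (false).
  onVisibility(t, visible) {
    if (!visible) { this.visibleSince = null; return; }
    if (this.visibleSince !== null) return;
    this.visibleSince = t;
    // Pointer re-entry rule: a newly visible element under the pointer gets no
    // clicks until the pointer leaves and comes back in.
    if (this.pointerInside) this.reentryNeeded = true;
  }
  // The element moved: it is still visible, but the UI delay restarts.
  onMove(t) { if (this.visibleSince !== null) this.visibleSince = t; }
  onPointerEnter(t) {            // pointer moved from outside to inside
    this.pointerInside = true;
    this.enteredAt = t;
    this.reentryNeeded = false;
  }
  onPointerLeave() { this.pointerInside = false; this.enteredAt = null; }
  // Is a click at time t delivered? Returns "delivered" or the blocking rule.
  onClick(t) {
    if (this.visibleSince === null) return "blocked:not-visible";
    if (!this.pointerInside) return "blocked:pointer-outside";
    if (this.reentryNeeded) return "blocked:reentry-required";
    if (t - this.visibleSince < this.delayMs) return "blocked:ui-delay";
    if (t - this.enteredAt < this.delayMs) return "blocked:entry-delay";
    return "delivered";
  }
}

// Replay a timeline of [time, event, arg] tuples; return the outcome of each click.
function replay(events, delayMs) {
  const g = new TemporalIntegrityGuard(delayMs);
  const outcomes = [];
  for (const [t, ev, arg] of events) {
    if (ev === "visibility") g.onVisibility(t, arg);
    else if (ev === "move") g.onMove(t);
    else if (ev === "enter") g.onPointerEnter(t);
    else if (ev === "leave") g.onPointerLeave();
    else if (ev === "click") outcomes.push(g.onClick(t));
  }
  return outcomes;
}

// Constructed timelines, replayed with the 500 ms delay of the combined defense.
const TIMELINES = {
  // Legitimate use: button visible, user moves in, pauses, clicks.
  legitimate: [[0, "visibility", true], [2000, "enter"], [2600, "click"]],
  // Whack-a-mole / bait-and-switch: the Like button is switched in under a
  // pointer that is already over the decoy and clicked 50 ms later.
  baitAndSwitch: [[900, "enter"], [1000, "visibility", true], [1050, "click"]],
  // Double-click: the target appears under the cursor between the two clicks,
  // and even a late second click stays blocked until the pointer re-enters.
  doubleClick: [[0, "enter"], [100, "visibility", true], [150, "click"], [2000, "click"]],
  // Element moved 50 ms before the click, so the UI delay has restarted.
  movedJustBefore: [[0, "visibility", true], [1000, "enter"], [1850, "move"], [1900, "click"]],
  // Pointer leaves and re-enters after the switch, then waits: click delivered.
  reentered: [[0, "enter"], [100, "visibility", true], [300, "leave"], [400, "enter"], [1000, "click"]],
};
function runAll() {
  const out = {};
  for (const [name, tl] of Object.entries(TIMELINES)) out[name] = replay(tl, 500);
  return out;
}
```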

Page 38: Experiments

• The authors posted a Human Intelligence Task (HIT) on Amazon’s Mechanical Turk

• Each task consisted of a unique combination of a simulated attack and, in some cases, a simulated defense

• 2064 participants were assigned uniformly at random to one of 27 treatment groups:

– 10 treatment groups for the cursor-spoofing attacks

– 4 for the double-click attacks

– 13 for the whack-a-mole attacks

Page 39: Experiments on cursor-spoofing attacks

• The authors’ attack tricked 43% of participants into clicking on a button that would grant webcam access

• Several defenses reduced the rate of clicking

• Outcome categories:

– Timeout: waited for the full ad video to end

– Skip: clicked on the “Skip ad” link

– Quit: quit the task with no pay

– Attack success: clicked on the webcam “Allow” button

Page 40: Experiments on double-click attacks

• 47% of users were attacked successfully and would have granted access to their personal Google data

• Outcome categories:

– Timeout: the OAuth “Allow” button was not clicked within 2 seconds

– Quit: quit the experiment

– Attack success: clicked the OAuth “Allow” button

Page 41: Experiments on whack-a-mole attacks

• Outcome categories:

– Timeout: did not click on the target button within 10 seconds

– Attack success: clicked on the “Like” button knowingly

– On 1st mouseover: the user clicked on the “Like” button right after first mousing over it (unknowingly)

– Filter by survey: the user clicked on the “Like” button unknowingly, according to the survey

– Combined defense (M): pointer re-entry, appearance delay of 500 ms, display freezing, and padding

Page 43: Conclusion

• The authors devised new clickjacking variants which bypass existing defenses

• They proposed InContext, a web browser or OS mechanism to ensure that a user’s action on a sensitive UI element is in context, having visual integrity and temporal integrity

• Experiments show that their attacks are highly effective

• The InContext defense can be very effective against clickjacking attacks

Page 44: Questions?

Name: Elena Prodromou
Email: [email protected]

University of Cyprus, Department of Computer Science

Advanced Security Topics

Clickjacking: Attacks and Defenses