Clickjacking - What is it?

Posted Monday, October 20, 2008 3:50 PM by hwaldron

While clickjacking is not a new concept, it's gaining popularity as technique used for malicious websites.  As iFrames are logical divisions of a webpage, the approach is to create a "transparent iFrame page" that lines up exactly with the real web page being accessed. The buttons in the "invisible iFrame page" replace the buttons in the real web page.  When the user clicks on the button, they may allow malicious software to be loaded or security at the true site they were trying to access to become compromised.

The Adobe Flash facility is one of the most widely installed software products in the world, as it's used by all major browsers.  Adobe Flash (v9 and lower) is vulnerable to these attacks and it's a popular method now being used to achieve clickjacking.  To stay protected from this threat, users should move to Adobe Flash v10, keeping AV protection updated, keep all O/S and browsers updated, and avoid risky websites.   

Clickjacking - What is it?

QUOTE: Let’s use an example. You have a web page A controlled by an attacker. A contains an IFRAME element B. In a clickjack attack, B would be set to transparent and the z-index property of the layer set to higher than other elements of page A via CSS. B will also need to be so big so that the user can click it’s content. The attacker can then place any button to do anything he wants in B. Then the attacker can place some buttons on page A. The location of the buttons in B must match the buttons in A. So when the user clicks on a button on page A, they are actually clicking the button in B because the z-index property of B’s buttons are higher than A’s buttons. This attack uses DHTML, does not require Javascript, so disabling Javascript will not help.

This vulnerability affects multiple web browsers. Unfortunately, no patch for it is currently available, so users should be careful. The vulnerability has also been found to affect Adobe Flash Player, the most popular rich media internet application today. Adobe has released a security advisory and provided a workaround.

Clickjacking - Adobe recommended workarounds (move to version 10)


No Comments