Monday, September 15, 2008

(Cancelled) / Clickjacking - OWASP AppSec Talk

“Clickjacking,” the presentation Robert “RSnake” Hansen and I had planned for OWASP AppSec NY 2008, has been postponed due to vendor request.

The premise of Clickjacking is that we know a lot about what JavaScript malware is capable of once a user comes in contact with an attacker-controlled webpage (or a page with their code on it) such as history stealing, intranet hacking, phishing with superbait, Web worms, browser exploit, and so on, but comparably little about what can be done with a captured “click”. Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. What could they possibly do then?

With Clickjacking attackers can do quite a lot. Some things that could be pretty spooky. Things also performed, with a fair amount of ingenuity, quite easily. Over the past couple of weeks/months RSnake and I have been completing our PoC examples to demonstrate the potential attacks and sharing the results privately with a few industry colleagues to obtain a third-party opinion. At the time, we believed our discoveries were more in line with generic Web browsers behavior, not traditional “exploits,” and that guarding against Clickjacking was largely the browser vendors' responsibility. Clickjacking is a well-known issue, but severely underappreciated and largely undefended, and we hope to begin changing that perception.

One Clickjacking PoC utilized an Adobe product with an attack technique they considered to be a critical issue, we just hadn’t realized it, so we narrowly avoided 0-day’ing them! Considering the short notice, Adobe requested additional time in case the browser vendors do nothing to prevent Clickjacking. High severity issue #2 in Internet Explorer 8 would have potentially given the aforementioned issue persistent qualities. There was/is a third issue with websites in general, which would have required all website owners to make an update, but that would obviously be impossible to do so. Again, better fixed by the browser vendors. With much of our technical details taken off the table waiting for patches and/or new safeguards we weren’t left with much to convey the true power of Clickjacking other than what’s already known.

Postponing our OWASP talk wasn’t an easy decision to make as we put a lot of time and effort into the presentation. We apologize to the attendees and had every intention of releasing mind-blowing stuff. At this time just about everyone out there using the latest versions of Internet Explorer (including version 8) and Firefox 3 is affected. Please be assured that as soon as we’re able to expose the information we will do so. In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn’t give people much technical detail to go on, but it’s the best we can do right now.

Adobe PSIRT (psirt@adobe.com)

More to come.

23 comments:

Anonymous said...

I just read about your work on "clickjacking" in The Register:

http://www.theregister.co.uk/2008/09/16/critical_vulnerability_demo_pulled/

I am curious to find out if clickjacking was used to infect one of my customers PCs with a Trojan. My customer used Google to find a company called Scovill. When you glide over the link within Google, it shows:

http://www.scovill.com

But if you click on the link, it redirects you to a site that tries to convince you that your system is infected with viruses.

I am not an expert, but I initially believed that they are using an .htaccess redirect to send the user to the malicious site. How can I confirm whether or not they are using your clickjacking technique?

Jeremiah Grossman said...

Anonymous, from your description, it does not sound like a clickjacking exploit. That would probably not be what the attack would be used for. More likely your friend suffers from a typical malware or drive-by-download problem.

--David said...

I am of the skeptical nature, so are there 'harmless' or 'mostly harmless' demos you can provide to show/prove this is something that would ACTUALLY be used? I would appreciate it, as would other skeptics, I'm sure. Thanks.

Anonymous said...

Hi,
Just tried that url using Konqueror on Linux - this is indeed a clickjack as I understand the term. I suspect that the domain has been nicked in some way, becaus eI think Scovill are a real firm. The Google cahce of their webpage looks quite real.
Anthony Staines

Anonymous said...

@Anonymous: You may be looking at something called "Trojan.Qhosts". There are multiple variants in the wild

Robert Xiao said...

No, the link is legit. It looks like their server has been compromised.

Try wget --header="Referer: http://google.com" http://www.scovill.com

You will see it redirects off to the fake antivirus site. But if you leave off the referer, you get their real site.

As for clickjacking: it seems surprising that a major vulnerability, which affects all browsers (except very simple ones like Lynx) was not discovered sooner. Proof-of-concept would be nice, but I do realize that it is a major problem that should be given time to be fixed before releasing details.

Mark Kerzner said...

Cool - saw it on zdnet, http://blogs.zdnet.com/security/?p=1972.

Anonymous said...

The article pretty clearly states that they are working on proof of concept examples, but I think it's understandable that they would share that information with the vendors prior to releasing it to the general public. That's specifically what Adobe requested that they refrain from doing.

Anonymous said...

i've been doing this for quite a while now and have some information you might be interested in, you'd be surprised with what you can do with this if you haven't already figured it out yourself.

Anonymous said...

ZZZZZooo what? Big deal. So you head traffic off somewhere else!? It's easy to do that to a computer user without building up FUD like this.

Non event.

B. said...

As I understand this technique, it is a creative Social Engineering attack. A weakness in the Browser UI allows one to fool the user. It reminds me another Social Engineering attack a few years ago when you could set the Yes/No dialog to show Yes/Yes.

I understand that Social Engineering can lead to a serious result but it is not similar to the recent DNS vuln. in its severity.

As today's compromised sites are injected with malicious scripts, it will be a challenge to find a trusted compromised sited taking advantage of this method and cause a real damage. I can understand how a phishing site benefits from it.

B. said...

can 'help' in Ads click fraud. Let users click on your Ads while they think they click on something else ...

brent said...

well i'm certainly not going to lay out the advantages of using a script like this for the entire internet to see, but the real power of using something like this is easily overlooked by many people. it's probably best that it stays that way as well.

Broderick Noonan said...

I'm kind of disappointed that you bowed to a manufacturer's request to not publicize this widely, and at the conference.

yehg said...

There is a universal rule: Browsers will always be vulnerable.

Exploits may be there but unpublished.

Isaac said...

What's the latest on clickjacking? I have to do a research paper on this topic and show code and such. Is there any up-to-date information on this or a place where I can go to get a pretty comprehensive understanding on clickjacking?

Anonymous said...

hi:

I had read the article about 'clickjacking', and you had mentioned that "the only fix is to disable browser scripting and plugins".
Would you please tell me how to "disable browser scripting and plugins"?
Thanks a lot!

Mary

Jacob said...

nice article

Kish said...

Proof of concept here

http://www.planb-security.net/notclickjacking/iframetrick.html

Anonymous said...

Thanks for this nice info, it's really useful on my internet learning.

regards,
Jeff

David said...

Nice article.

acheter kamagra said...

Il ya une règle universelle: Navigateurs sera toujours vulnérable.
Exploits peut être là, mais non publiées.

chord said...

This is a great article thanks for sharing this informative information