Tuesday, October 07, 2008

Clickjacking: Web pages can see and hear you

Web pages know what websites you’ve been to (without JS), where you’re logged-in, what you watch on YouTube, and now they can literally “see” and “hear” you (via Clickjacking + Adobe Flash). Separate from the several technical details on how to accomplish this feat, that’s the big secret Robert “RSnake” Hansen and myself weren’t able to reveal at the OWASP conference at Adobe’s request. So if you’ve noticed a curious post-it note over a few of the WhiteHat employee machines, that’s why. The rest of clickjacking details, which includes iframing buttons from different websites, we’ve already spoken about with people taking note.

Predictably several people did manage to uncovered much of what we had withheld on their own, whom thankfully kept it to themselves after verifying it with us privately. We really appreciated that they did because it gave Adobe more time. Today though much of the remaining undisclosed details we’re publicly revealed and Adobe issued an advisory in response. Let’s be clear though, the responsibility of solving clickjacking does not rest solely at the feet of Adobe as there is a ton of moving parts to consider. Everyone including browser vendors, Adobe (plus other plug-in vendors), website owners (framebusting code) and web users (NoScript) all need their own solutions to assist incase the other don’t do enough or anything at all.

The bad news is with clickjacking any computer with a microphone and/or a web camera attached can be invisibly coaxed in to being a remote surveillance device. That’s a lot of computers and single click is all it takes. Couple that with clickjacking the Flash Player Global Security Settings panel, something few people new even existed, and the attack becomes persistent. Consider what this potentially means for corporate espionage, government spying, celebrity stalking, etc. Email your target a link and there isn’t really anyone you can’t get to and snap a picture of. Not to mention bypassing the standard CSRF token-based defenses. I recorded a quick and dirty clickjacking video demo with my version having motion detection built-in.



Robert and I are currently scheduled to give more or less simultaneous presentations in Asia about clickjacking. For myself, I’ll be delivering a keynote at HiTB 2008 Malaysia (Oct 29) and RSnake will be speaking at OWASP AppSec Asia 2008 (Oct 28). The timing just happened to work out well. The next couple weeks will give us time to put our thoughts in order, explain the issues in a more cohesive fashion, and bring those up to speed who’ve gotten lost in all the press coverage. For those that have been following very closely, you’ll probably not find any meaningful technical nuggets of information that are not already published. Our job now is to make the subject easier to understand and help facilitate solutions to the problem. Unless the browser is secure, not much else is.

Prevention?
Put tape over your camera, disable your microphone, install NoScript, and/or disable your plugins. In the age of YouTube and Flash games, who’s really going to do the latter? For website owners their CSRF token-based defenses can be easily bypassed, unless they add JavaScript framebusting code to their pages, but the best practices are not yet fully vetted. Again, browser behavior is not at all consistent.

What a couple of a weeks this has been. Thank you to Adobe PSIRT for their diligence and hard work.

22 comments:

windexh8er said...

Awesome! So is it only me, or is the Vimeo vid broke? I only see about the first 16 seconds of it, even though it states it's 2:47.

--windexh8er

Jeremiah Grossman said...

wasn't just you, thanks for the heads up. I fixed it.

And if you want to go direct.

http://vimeo.com/1912736

kingthorin said...

Video in the blog post doesn't work. Link in comments currently does.

kingthorin said...

Oh sure, fix it while I post ;)

Cute demo!

John Chaffee said...

When a Clickjacking + Flash event is initiated, is it persistent? Meaning, if you close your browser will the villains still be able to spy on you. What if you open a new browser? Most of what I read implies not but I need a definitive answer. Please help.

Jeremiah Grossman said...

@John> It depends on specifics of the attack. If performed by cam/mic API permissions directly, then as soon as you leave the page or close the browser window then your in the clear. That's my current understanding.

However, prior to Adobe adding framebusting to the "Global Security Settings" pages, you could get persistent permissions to the cam/mic plus a lot more.

John Chaffee said...

Ok, that makes sense. It seems that upgrading to Flash Player 10 will (hopefully) prevent the Clickjacking/Flash event from accessing the cam/mic. We have a lot of content developed using Flash 8/9. If our users update their Flash player to version 10, can we continue to use the existing content or will we need to rebuild it using Flash 10 to protect our users?

Jeremiah Grossman said...

@John, to prevent cam/mic hijacking, only the user will need to upgrade to Flash 10. Who knows when or how fast that'll happen. For those developing or already have Flash content built, just as long as it still works in Flash 10 is enough. Nothing further would likely need to be done to prevent clickjacking.

John Chaffee said...

Thank you very much for you hard work on this and the information you provided. It has helped me a greate deal in answering some of the questions management has for me.

Anonymous said...

Thanks for the demo!!! Can you elaborate on, "....you could get persistent permissions to the cam/mic plus a lot more." Where you able to retrieve information from the host?

--salwright

Jeremiah Grossman said...

I personally did not, but that doesn't mean it can't be done by someone more well versed in Flash programming. I've only a cursory knowledge of ActionScript. Flash can do a great deal when you turn off its security restrictions.

SEO Services said...

Nice Post. Thanks for sharing.

tecnologiaecomunicacao said...

Jeremiah,

I discovered your blog by chance - in fact by the news - and will add it to the list of security sources I use.

I guess the internet as a whole should thank you for your discovery. I'm afraid this will be like a bomb in the DHTML standards, but better show the problem than let people use and abuse it...

Best Regards,
Phil.

Jeremiah Grossman said...

Thank you Phil, much appreciated.

Land Shark said...

Still, the webcam activity LED (when the camera has one) does lit up. In any case when I'm not using it I leave the camera (like guns) pointing to the floor. That way the only thing they can eavesdrop on is my dog. Or my smelly socks.

Parantar said...

awesome. thanks a lot!

Anonymous said...

I have had a clickjacker infection since August (if not March). Apparently rootkit not detectable by all the databases I have tried (the "required" clicking aspect seems to move the "kit" such that it is not found)Clicking is required on the "normal" windows operations, (endlessly updating adobe player/flash, etc.--I have long since quit clicking on as many boxes or balloons as I can)
Clicking is also required when the cursor goes crazy in the middle of typing and one must click to continue typing.
I see links highlighted under webpages (yeah, my banking page, no more banking) About 500hrs on the phone with Dell, sophos, MS. No fix yet, complete reformats are a problem. Is it possible that a modem/router could be infected? I did infect one computer off my gmail page, another off a commercial wireless installation CD.

Commercial AV no help at all, most say I am not infected since they cannot find the infection however behavior change in mouse cursor is obvious. Browser redirection in google also marked.

Ideas on removal or even how to adequately reformat, reinstall? Reinstall has not been successful to date, although maybe now 2 vista laptops are clean ($1K and 3 pro attempts later) Could infection be BIOS/CMOS resident?
thanks for your input. I have infected computers if someone wants them. I cannot get thing off most of them.

intensecomputing said...

Hey Jeremiah, thanks for a great post. I enjoy reading your site, arrived here through dark reading...

Jes Extender said...

Wow, that was deep! Nice work and research,m8!

Tom said...

Wow... this post was really eye-opening for me. Never even really heard of click-jacking, but will be researching it some more now.
Is there anyway this could hurt my dental practice site?

Jeremiah Grossman said...

@Tom: Unlikely. At the moment clickjacking attacks are more actively used towards social networking sites like facebook.

How To Lose 50 Pounds In 1 Month said...

i an used to that posting a blog but i never heard that technique before thanks for that useful information really it s very significant.I am looking forward to read your next great article... Nice article, thanks.