Monday, October 6, 2008

Fun with Click and Jack

Clickjacking is a relatively new trick that can potentially be used for malicious purposes on any browser/OS platform.

There is not much known yet on what exactly has been discovered by Robert Hansen and Jeremiah Grossman, as they pulled their presentation from OWASP AppSec NY 2008 "due to vendor request". As a result, many researchers started playing around with the proof-of-concept code, and came up with some really interesting demos.

To explain the concept of clickjacking, it could be helpful to recall one of the memorable episodes from the movie "Fun with Dick and Jane" (2005):



Dick Harper: I don't care... I don't care. I'm not walking out of this bank empty-handed.
Jack McCallister: ...Alright. Alright, Dick, I'm gonna write you a check... So, here you go. Just a little something to show you what I think you're worth [hands him a check for $100]

All Dick Harper needed was to get McCallister's signature. His wife, Jane Harper, was then able to forge it. While Jack McCallister was tricked by Dick Harper to sign a document that had no value to him, his signature was "hijacked" to sign a different document (worth millions of dollars).

Clickjacking is based on a similar principle: convince the end user to provide input that does not seem to have any value to the user, but which in fact carries authority over the user's assets or identity when applied in a particular context.

One such possible scenario is outlined below.

When a user has an active online banking session, any given transaction amounts to particular controls clicked in a particular order. An attacker can guess that his victim is currently logged on and send the victim an instant message inviting them to click a link to the attacker's own website.

The forged website will try to conceal the online banking website (with the victim still logged on, as the previous session was not terminated) inside an invisible frame, as shown in the picture below:



Any clicks the victim submits to the forged website will actually be handled by the transparent (but still active) frame. In the example above, the victim may unintentionally add a new login name to his/her account, which could then be used by the attacker.
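The scenario above only works if the bank's page can be rendered inside another site's frame at all. As an added example (not from the original post), here is a small Python check that evaluates whether a response's headers let a browser do that; the header names (X-Frame-Options and the Content-Security-Policy frame-ancestors directive) are real, the sample responses are constructed.

```python
from urllib.parse import urlsplit


def _origin(url):
    """scheme://host[:port] of a URL, lower-cased, for origin comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _csp_frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def _source_allows(source, framer, page):
    """Does one frame-ancestors source expression permit `framer`?"""
    if source == "none":
        return False
    if source == "*":
        return True
    if source == "self":
        return _origin(framer) == _origin(page)
    host = urlsplit(framer).hostname or ""
    if "://" in source:                  # full origin, e.g. https://partner.example
        return _origin(framer) == source
    if source.startswith("*."):          # host wildcard, e.g. *.example
        return host.endswith(source[1:])
    return host == source                # bare host name


def can_be_framed(headers, page_url, framer_url):
    """True if a browser would render page_url inside a frame on framer_url.

    headers: dict of response headers (looked up case-insensitively).
    A CSP frame-ancestors directive takes precedence over X-Frame-Options;
    an X-Frame-Options value the browser does not recognise is ignored.
    """
    h = {k.lower(): v for k, v in headers.items()}
    sources = _csp_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(_source_allows(s, framer_url, page_url) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(framer_url) == _origin(page_url)
    return True  # no framing policy: any site can overlay it, as in the post


# Constructed sample responses (hypothetical bank, not a real site).
BANK_UNPROTECTED = {"Content-Type": "text/html"}
BANK_XFO = {"X-Frame-Options": "SAMEORIGIN"}
BANK_CSP = {"Content-Security-Policy":
            "default-src 'self'; frame-ancestors 'self' https://partner.example"}
```

Run against a real response, the check tells you whether the invisible-frame overlay the post describes is even possible for that page.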

So far, the danger of clickjacking remains purely hypothetical and there are no confirmed cases of malicious clickjacking “in-the-wild”.

Nevertheless, as long as transparent frames are treated as a feature (not a bug), it’s worth keeping in mind that there are potential ways of compromising users without implanting malicious code.