Clickjacking: Hijacking clicks on the Internet

What if you reached to grab a newspaper out of a news stand and you found a rock in your hand instead? How about opening the front door to a grocery store and ending up on a boat?
This sounds like a Matrix movie, but the virtual equivalent of this is real and poses one of the most serious new risks on the Internet, according to Jeremiah Grossman, chief technology officer and co-founder of Whitehat Security.
"Most exploits (like worms and attacks that take advantage of holes in software) can be patched, but clickjacking is a design flaw in the way the Web is supposed to work," Grossman said. "The bad guy is superimposing an invisible button over something the user wants to click on...It can be any button on any Web page on any Web site."
The technique was used in a series of prank attacks launched on Twitter in February. In that case, users clicked on links next to tweets that said "Don't Click" and then clicked on a button that said "Don't Click" on a separate Web page. That second click distributed the original tweet to all of the Twitter user's followers, thus propagating itself rather quickly.
At the time, Grossman called it a "harmless experiment", but the potential for harm by an attacker who isn't just having fun is huge.
In a demo at the offices of ZDNet Asia's sister site CNET News.com on Thursday, Grossman showed how someone could launch a clickjacking attack using Flash to spy on someone by getting them to turn on their computer Web cam without knowing it.
Like the name suggests, clickjacking is the hijacking of your click, unbeknownst to you. A victim may not even know that the click has been redirected, which means there could be clickjacking attacks going on that no one knows about yet.
Clickjacking attacks are accomplished by creating something called an iFrame that allows a browser window to be split into segments so that different items can be shown on each. This code is inserted into the target Web page and is invisible to the end user. When the end user's cursor clicks on the section of the page where the malicious iFrame is hiding, the attack is launched to do whatever the attacker desires.
An attacker could hide an iFrame under any innocent link on any Web page--a headline on the New York Times or a "digg this" button on Digg, for instance--and when the victim clicks on the link, the cursor is actually clicking on the hidden iFrame.
In the Web cam demo, the iFrame created contains a Flash pop-up window that asks the user to grant permission to have the Web cam turned on. When the victim clicks the link, the Web cam is turned on and secretly begins recording everything the user does in front of the computer.
One of the scariest things about clickjacking is the potential for abuse. An attacker could spy on you by turning on your Web cam or microphone, direct you to a Web page with malicious content that is downloaded onto your computer, or even rig it up so you end up clicking "buy" instead of "cancel" on an e-commerce site.
Another thing that makes clickjacking so serious is that there really is very little that end users can do to protect themselves, Grossman said.
In the Web cam scenario, the best defense is probably to put a post-it note or other item over the Web cam lens and to disable the microphone in the software, he said. Flash Player 10 provides some protection by preventing anything from obscuring the security permissions dialogue box, he said.
Web site owners optimizing their sites for Internet Explorer 8 have the ability to prevent pages from being framed in, which means visitors to their site will be safe, only on that site and only if they are using IE8, Grossman said.
People using Windows and IE should disable JavaScript to help protect against clickjacking, he said. Firefox is safer; the NoScript add-on for Firefox not only lets people selectively block scripts, but it has a ClearClick feature designed specifically to protect against clickjacking, he added.
People should also log out of Web sites, like Facebook and Twitter, when they are done using them for the time being. "You can't be forced to do something on the site if you are not logged in," Grossman said.
More details are in a white paper on the technique, written by Grossman and Robert Hansen of SecTheory and published in September 2008. Grossman and Hansen coined the term in that document.
The authors cancelled their talk on the subject at the OWASP (Open Web Application Security Project) conference that month at Adobe's request because their proof of concept revealed a bug in Adobe's software, according to IDG News Service.