Clickjacking is a relatively new Web exploit that has gained some additional attention in recent days thanks to Microsoft’s IE8 browser.
One of the features in the IE 8 Release Candidate 1 includes technology that is supposed to help prevent Clickjacking.
The claim has one of the principal discoverers of Clickjacking raising questions about the problem and about how browsers should prevent it.
Although Clickjacking attacks have not yet been widely reported in the wild, the attack vector represents an area of risk for Web security. With Clickjacking, a user inadvertently clicks on a hidden item when they think they are actually clicking on a legitimate button. The IE 8 Clickjacking protection uses an approach that is intended to prevent a hidden button from appearing inside of a Frame element on a Web page.
Grossman is credited as one of the researchers who discovered the Clickjacking attack vector. In November, he co-hosted a Black Hat webinar with Microsoft Program Manager Eric Lawrence on the topic of Clickjacking. According to Grossman, after the conference, and several conversations with the IE Security team, he felt that Microsoft’s team had a solid understanding of Clickjacking.
“From that point it was up to them to figure out safeguards,” Grossman said.
Microsoft’s Lawrence posted a blog entry on Tuesday, which described how IE 8 implements safeguards against Clickjacking.
“Web developers can send a HTTP response header named X-FRAME-OPTIONS with HTML pages to restrict how the page may be framed,” Lawrence blogged. “If the X-FRAME-OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it will be contained within a frame.”
The general idea is that if Web site developers block their content from being framed by another site, it cannot be used as part of a Clickjacking attack. A Clickjacker could otherwise take a login element from one site and hide it under a different element on a different site.
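As an added illustration of the safeguard Lawrence describes (this is example code written for this article, not code from IE8, Microsoft, or the article itself), the following Python shows a minimal WSGI application that attaches the X-FRAME-OPTIONS header to its responses, and a small audit helper that applies the DENY rule the article quotes to captured responses. The header name and the DENY token come from the article; the SAMEORIGIN token is the other value defined for this header and goes beyond what the page mentions; the origins, sample responses, and the WSGI app are constructed for the example.

```python
"""Added example (not from the article, IE8 or Microsoft): emitting the
X-FRAME-OPTIONS header from a WSGI app and auditing responses for it.

Assumptions: the header name and DENY token are from the article; SAMEORIGIN is
the other value defined for this header and is not on the page; the origins,
sample responses and the app below are constructed for illustration.
"""
from wsgiref.util import setup_testing_defaults

PAGE_ORIGIN = "https://bank.example"    # constructed: site serving the sensitive button
OTHER_ORIGIN = "https://other.example"  # constructed: an unrelated site that frames it


def app(environ, start_response):
    """Minimal page with a clickable control; every response refuses to be framed."""
    body = (b"<html><body><form method='post' action='/transfer'>"
            b"<button>Transfer</button></form></body></html>")
    headers = [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Length", str(len(body))),
        # DENY: a browser honoring the header will not render this page in any frame.
        ("X-FRAME-OPTIONS", "DENY"),
    ]
    start_response("200 OK", headers)
    return [body]


def response_headers(wsgi_app):
    """Invoke a WSGI app offline (no socket) and return its (status, header list)."""
    environ = {}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    list(wsgi_app(environ, start_response))  # consume the body iterable
    return captured["status"], captured["headers"]


def framing_allowed(headers, page_origin, framer_origin):
    """Apply the X-FRAME-OPTIONS rule to a response's headers.

    headers: mapping or list of (name, value) pairs; names are case-insensitive.
    Returns True if a browser that honors the header would render the page
    inside a frame hosted at framer_origin.
    """
    items = headers.items() if hasattr(headers, "items") else headers
    value = None
    for name, raw in items:
        if name.lower() == "x-frame-options":
            value = raw.strip().upper()
            break
    if value is None:
        return True            # no header: framing is permitted, the pre-IE8 default
    if value == "DENY":
        return False           # never framed, by any site including its own
    if value == "SAMEORIGIN":
        return page_origin == framer_origin
    return True                # unrecognized token: no protection, so the audit flags it


def parse_raw_response(raw):
    """Return the header block of a raw HTTP/1.1 response as (name, value) pairs."""
    head, _, _ = raw.partition("\r\n\r\n")
    pairs = []
    for line in head.split("\r\n")[1:]:   # skip the status line
        name, _, value = line.partition(":")
        if name:
            pairs.append((name.strip(), value.strip()))
    return pairs


# Constructed sample responses, as a scanner might capture them from three pages.
SAMPLE_RESPONSES = {
    "no_header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>",
    "deny": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "X-Frame-Options: DENY\r\n\r\n<html>...</html>",
    "sameorigin": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  "X-FRAME-OPTIONS: sameorigin\r\n\r\n<html>...</html>",
}


def audit(responses, page_origin=PAGE_ORIGIN, framer_origin=OTHER_ORIGIN):
    """Map each label to whether a page at framer_origin could frame that response."""
    return {label: framing_allowed(parse_raw_response(raw), page_origin, framer_origin)
            for label, raw in responses.items()}


if __name__ == "__main__":
    status, hdrs = response_headers(app)
    print(status, hdrs)
    for label, framable in audit(SAMPLE_RESPONSES).items():
        print(f"{label:10s} framable by {OTHER_ORIGIN}: {framable}")
```

The audit treats a missing or unrecognized header as "framable", which is the outcome a defender wants surfaced: the protection only exists where the server actually sends a token the browser understands, and older browsers ignore the header entirely, so it complements rather than replaces other defenses.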
A feature for all browsers?
In Grossman’s view, anti-clickjacking approaches should be a standing browser feature, despite the hurdles that may present.
“The challenge here for the browser vendors isn’t so much the motivation to do something about clickjacking, but more trying to figure out what exactly TO do,” Grossman argued.
“It’s an extremely difficult problem to solve effectively. The Firefox plugin NoScript has shown powerful security features are possible to add, however it’s unclear if the non-power user populace will embrace some additional inconvenience for security.”
NoScript is a Mozilla Firefox add-on that can prevent scripts from loading. NoScript also provides protection against frame-based attacks with a technology called ClearClick that developers claim can help identify potential Clickjacking attempts.
NoScript developer Giorgio Maone argued in a blog post that neither NoScript nor Firefox necessarily needs the X-FRAME-OPTIONS approach used by IE 8 to prevent frame-based Clickjacking.
Maone also argued that NoScript can be recommended to anyone, “even to grandma,” in order to provide a safe browsing experience.
Clickjacking awareness appears to be growing. Thanks to Grossman’s efforts, Adobe fixed a clickjacking flaw in its Flash software in October.
“While the attack remains theoretically possible, additional [problems] have been showing up; however I know of no malicious users of the technique yet in the wild,” Grossman said. “It would be hard to detect though if they were being used.”