Clickjacking is a relatively new Web exploit that has gained some additional attention in recent days thanks to Microsoft’s IE8 browser.
One of the features in the IE 8 Release Candidate 1 includes technology that is supposed to help prevent Clickjacking.
The claim has one of the principal discovers of Clickjacking raising some questions over the problem and how to prevent it with browsers.
Although Clickjacking attacks have not yet been widely reported in the wild, the attack vector represents an area of risk for Web security. With Clickjacking, a user inadvertently clicks on a hidden item when they think they are actually clicking on a legitimate button. The IE 8 Clickjacking protection uses an approach that is intended to prevent a hidden button from appearing inside of a Frame element on a Web page.
“It’s incremental,” Jeremiah Grossman, founder of WhiteHat Security, told InternetNews.com. “While the feature provides Web developers a javascript-less opt-in option, unfortunately users have no way to defend themselves. The solution also isn’t cross-platform at this point.”
Grossman is credited as one of the researchers who discovered the Clickjacking attack vector. In November, he co-hosted a Black Hat webinar with Microsoft Program Manager Eric Lawrence on the topic of Clickjacking. According to Grossman, after the conference, and several conversations with the IE Security team, he felt that Microsoft’s team had a solid understanding of Clickjacking.
“From that point it was up to them to figure out safeguards,” Grossman said.
Microsoft’s Lawrence posted a blog entry on Tuesday, which described how IE 8 implements safeguards against Clickjacking.
The core of IE 8’s Clickjacking protection focuses on enabling Web developers to specify and restrict which content on their site can’t be broken out and framed by another site. It’s a technique known as frame-busting and can also be implemented by developers using javascript code on their sites that restrict frame usage. The IE 8 approach is a different method for frame busting.
“Web developers can send a HTTP response header named X-FRAME-OPTIONS with HTML pages to restrict how the page may be framed,” Lawrence blogged. “If the X-FRAME-OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it will be contained within a frame.”
The general idea is that if Web site developers block their content from being framed by another site, it cannot be used as part of a clickjacking attack. A Clickjacker could potentially take a login element from one site and hide it under a different element on a different site.
A feature for all browsers?
In Grossman’s view, anti-clickjacking approaches should be a standing browser feature, despite some hurdles that may present.
“The challenge here for the browser vendors isn’t so much the motivation to do something about clickjacking, but more trying to figure out what exactly TO do,” Grossman argued.
“It’s an extremely difficult problem to solve effectively. The Firefox plugin NoScript has shown powerful security features are possible to add, however it’s unclear if the non-power user populace will embrace some additional inconvenience for security.”
NoScript is a Mozilla Firefox add-on that can prevent scripts from loading. NoScript also provides protection against frame-based attacks with a technology called ClearClick that developers claim can help identify potential Clickjacking attempts.
NoScript developer Giorgio Maone argued in a blog post that neither NoScript nor Firefox necessarily need the X-FRAME-OPTIONS approach used by IE 8 to prevent frame based clickjacking.
“Traditional JavaScript-based frame busting works fine in Firefox, giving it the same degree of (modest) “protection” as IE8,” Maone wrote. “NoScript users, on the other hand, are already fully protected, because ClearClick is the one and only countermeasure which works against any type of Clickjacking (frame or embed based), no matter if Web sites cooperate or not.”
Maone also argued that NoScript can be recommended to anyone, “even to grandma,” in order to provide a safe browsing experience.
Clickjacking awareness appears to be growing. Thanks to Grossman’s efforts, Adobe fixed a clickjacking flaw in its Flash software in October.
“While the attack remains theoretically possible, additional [problems] have been showing up; however I know of no malicious users of the technique yet in the wild,” Grossman said. “It would be hard to detect though if they were being used.”
