The Confused Deputy

If you want to blame anyone for clickjacking attacks, then blame the confused deputy. This guy’s been sitting around letting cybercriminals hijack browsers all over the world simply because they say that they have the authority.

Who is this confused deputy? Well, like most things on the internet, he doesn’t really exist in a physical sense. The confused deputy problem is one way of describing why web browsers are susceptible to clickjacking attacks.

The problem is that web browsers are designed to give users the authority to issue certain commands. As an internet user you have the authority, for instance, to delete your emails or open a web page. You do these things by clicking on buttons. This simple method makes it really easy for pretty much anyone in the world, other than your grandparents for some insufferable reason, to access web pages, emails, and various servers. It’s this level of user authority that has made the internet so popular.

Now, let’s say that each time you issue a command, that request is intercepted by a deputy. It could also be a cop or a department manager or whatever position of authority you are used to dealing with. Every time you tell the deputy, “hey, I’m going to open this page, ok?” the deputy basically says, “well, that seems like a perfectly reasonable command. Go right ahead!”

The confused deputy hears your instructions, but he doesn’t fully understand what you are telling him. Let’s say that you are playing a duck hunt game on a clickjacked page. Clickjacked pages are designed to hide buttons in certain places on the web page. You can’t see them, but they are there.

When you use your mouse to shoot a duck, you say to the deputy, “hey, I’m gonna shoot this thing with my mouse cursor!” And the deputy yells back, “Way to go! Nice shooting!”

Things change when you use your cursor to “shoot” a duck that sits over an invisible link. Suddenly, you’re yelling “I’m gonna shoot this thing, ok?” but he hears “hey, I’m clicking on this link, ok?” This misunderstanding can cause all sorts of problems. When the deputy looks at the link that you’ve clicked, he assumes that you know what you’re doing, so he says “you want to click on this link that starts your web cam? You got it, good buddy!” Or he might yell back “install this software? Sure thing, pal!”

The problem, of course, is that the deputy never hears you and you never hear the deputy. The confused deputy problem is, therefore, really a miscommunication between the user and the computer. We could just as easily call it the Confused User Problem. Until we find a way of making the communication loud and clear, there is always the possibility that you will fall victim to a clickjacking attack.
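The invisible-button trick above only works when the browser lets a third-party page wrap the real site inside a frame, and sites can tell the browser not to allow that. The following is an added example, not code from the original post: a small JavaScript check that reads the relevant response headers (X-Frame-Options and the Content-Security-Policy frame-ancestors directive) and reports who is allowed to frame the page. The sample header sets at the bottom are constructed for the demo and describe no real site.

```javascript
// Added example, not from the original post: decide from a response's headers
// whether browsers will let another site embed this page in a frame, which is
// what the invisible-button trick described above relies on. The header sets at
// the bottom are constructed for the demo and do not describe any real site.

// Pull the frame-ancestors source list out of a Content-Security-Policy value.
// Returns null when the directive is absent (CSP then says nothing about framing).
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Classify who may frame the page: 'none', 'same-origin', 'allowlist' or 'any'.
// `source` records which header decided it ('csp', 'xfo' or 'absent').
function framingPolicy(headers) {
  // Header names are case-insensitive; normalise them before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  // When both headers are present, browsers that support CSP frame-ancestors
  // use it and ignore X-Frame-Options, so CSP is checked first.
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    if (ancestors.length === 0 || ancestors.includes('none')) {
      return { framable: 'none', source: 'csp' };
    }
    // '*' or a bare scheme such as 'https:' matches any origin with that scheme.
    if (ancestors.some((a) => a === '*' || /^[a-z][a-z0-9+.-]*:$/.test(a))) {
      return { framable: 'any', source: 'csp' };
    }
    if (ancestors.every((a) => a === 'self')) {
      return { framable: 'same-origin', source: 'csp' };
    }
    return { framable: 'allowlist', source: 'csp' };
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framable: 'none', source: 'xfo' };
  if (xfo === 'SAMEORIGIN') return { framable: 'same-origin', source: 'xfo' };
  // ALLOW-FROM and misspelled values are not honoured by current browsers, so a
  // defender should treat them as offering no protection at all.
  return { framable: 'any', source: xfo ? 'xfo' : 'absent' };
}

// Constructed sample responses for the demo (not real sites).
const constructedResponses = {
  unprotected: { 'Content-Type': 'text/html' },
  legacyOnly: { 'X-Frame-Options': 'SAMEORIGIN' },
  hardened: {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  },
  partnerAllowlist: {
    'Content-Security-Policy': "frame-ancestors 'self' https://partner.example",
  },
  wideOpen: { 'Content-Security-Policy': 'frame-ancestors *' },
};

// Names of the sample responses that still let any site frame the page.
function framableByAnyone(responses) {
  return Object.entries(responses)
    .filter(([, headers]) => framingPolicy(headers).framable === 'any')
    .map(([name]) => name);
}

for (const [name, headers] of Object.entries(constructedResponses)) {
  const { framable, source } = framingPolicy(headers);
  console.log(`${name.padEnd(17)} framable by: ${framable.padEnd(11)} (decided by ${source})`);
}
```

Running the block prints one line per sample; only `unprotected` and `wideOpen` come out as framable by anyone, which is the state a clickjacking page needs. The check is deliberately strict: anything other than `DENY`, `SAMEORIGIN` or a restrictive `frame-ancestors` list is reported as unprotected, because the obsolete `ALLOW-FROM` form and typos are silently ignored by browsers.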
