Clickjacking without the click

Demonstrations debuted at this year's Black Hat Europe conference in Barcelona, Spain have shown that clickjacking techniques don't necessarily have to rely on mouse clicks to trick victims into performing actions they are unaware of. Instead, the new clickjacking attacks build on drag-and-drop, as implemented by the browser and by Java. Dragging text out of, or into, an invisible frame lets an attacker read the contents of text fields on another site or plant attacker-chosen text in them.

Even though these new clickjacking techniques don't rely on mouse clicks, they still use invisible iframes to trick internet users. In these instances, however, the invisible frame holding the target site is positioned over what looks like an ordinary page element, such as a blank text field. When the user fills in that field or drags content across it, the input is actually delivered to, or taken from, the framed page they cannot see.

Drag-and-drop even makes it possible for clickjacking attacks to extract content from any page of a victim's authenticated session, not just from individual forms. This presents a serious information-security threat to individuals and organisations alike: passwords, account numbers and other private details exposed this way can help criminals commit theft or fraud.

Recently updated web browsers can refuse to render a page inside a frame, but only when the site asks for it by sending the X-Frame-Options HTTP response header (with the value DENY, or SAMEORIGIN to permit framing by the same site only). X-Frame-Options is a response header, not an HTML tag, so it has to be set by the web server or application on every page that must not be framed. Websites that don't send it, therefore, get no protection from these next-generation clickjacking attacks.

Large sites like Facebook and Myspace have committed themselves to including frame-busting scripts and other security measures to protect users. Script-based frame busting (JavaScript that checks whether the page is the top-level window and breaks out of the frame if it isn't) is known to be bypassable, so the X-Frame-Options header is the stronger control and the script should only be a fallback. The mobile versions of these sites, however, do not usually offer as much protection as the web versions, so users should be careful when using mobile devices to access their accounts.
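To make the header point concrete, here is an added example in plain Node.js; it is not code from this post or from Paul Stone's talk. It decides whether a page served with a given set of response headers could be embedded by another origin, the way a browser that honours X-Frame-Options (and the later Content-Security-Policy frame-ancestors directive, which supersedes it) would decide, and it builds the weak and the hardened response a server could emit for a page like the forms discussed above. The origins bank.example, partner.example and attacker.example are made up, and CSP source matching is simplified to exact-origin comparison.

```javascript
// Added example (not from the blog post or the Black Hat talk): evaluating and
// emitting framing protection in Node.js. All origins below are made up.

// Case-insensitive header lookup over a plain header object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]);
}

// Would a browser honouring X-Frame-Options (RFC 7034) and CSP frame-ancestors
// let a page served with `headers` from `pageOrigin` be framed by `framerOrigin`?
// Simplification: CSP sources are matched as exact origins (no scheme-only or
// wildcard-host sources).
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const page = pageOrigin.toLowerCase();
  const framer = framerOrigin.toLowerCase();

  // When both headers are present, frame-ancestors wins and X-Frame-Options is ignored.
  const csp = getHeader(headers, 'content-security-policy');
  if (csp !== undefined) {
    const directive = csp
      .split(';')
      .map((d) => d.trim().toLowerCase())
      .find((d) => d.startsWith('frame-ancestors'));
    if (directive !== undefined) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.replace(/^'|'$/g, ''));
      if (sources.length === 0 || sources.includes('none')) return false;
      if (sources.includes('*')) return true;
      if (sources.includes('self') && framer === page) return true;
      return sources.includes(framer);
    }
  }

  const xfo = getHeader(headers, 'x-frame-options');
  if (xfo !== undefined) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return false;
    if (value === 'SAMEORIGIN') return framer === page;
    // ALLOW-FROM was never uniformly supported and any other value is invalid;
    // treat both conservatively as offering no protection.
  }

  // No recognised restriction: any origin may frame the page.
  return true;
}

// Page body with the script-based frame-busting fallback. It hides the body by
// default and only reveals it when the page is the top-level window, so a framer
// that blocks the script still gets a blank page. Script busting has known
// bypasses, so it is a fallback for browsers that ignore the headers, not the
// primary control.
const PAGE = `<!doctype html><html><head>
<style id="antiClickjack">body{display:none !important;}</style>
<script>
if (self === top) {
  var antiClickjack = document.getElementById("antiClickjack");
  antiClickjack.parentNode.removeChild(antiClickjack);
} else {
  top.location = self.location;
}
</script></head><body><form><input name="account"></form></body></html>`;

// Framework-agnostic response for the page. `hardened === false` is the weak
// setting (no framing restriction at all); `true` is the corrected one.
function buildResponse(hardened) {
  const headers = { 'Content-Type': 'text/html; charset=utf-8' };
  if (hardened) {
    headers['X-Frame-Options'] = 'DENY';
    headers['Content-Security-Policy'] = "frame-ancestors 'none'";
  }
  return { status: 200, headers, body: PAGE };
}

if (typeof require !== 'undefined' && require.main === module) {
  const bank = 'https://bank.example';
  const attacker = 'https://attacker.example';
  for (const hardened of [false, true]) {
    const { headers } = buildResponse(hardened);
    const verdict = framingAllowed(headers, bank, attacker);
    console.log(`${hardened ? 'hardened' : 'weak'} response: attacker can frame = ${verdict}`);
  }
}
```

Running the file prints the verdict for both responses: the weak one can be embedded by any origin, which is exactly the precondition the drag-and-drop attacks above need, while the hardened one cannot be framed even by the same site. The check function is also handy for auditing responses captured from a proxy, since it applies the same precedence rule browsers use when both headers are present.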

You can read a summary of Paul Stone’s Next Generation Clickjacking demo at blackhat.com.
