Posted tagged ‘framebusting’

IE Only Offers Some Clickjacking Protection

September 23, 2011

It’s a given that you want to keep yourself safe from clickjacking scams. They’ve been known to cause all kinds of trouble. Not only do they post potentially embarrassing information to your social networking profile, but they can install viruses on your computer that will steal personal information that lets hackers commit identity theft.

You’d expect all Internet browsers to take this threat pretty seriously. After all, who would want to use a browser that exposes you to such a threat?

Unfortunately, though, some browsers are better than others at protecting you from clickjacking threats.

IE 8, for instance, looks for a tag that website designers use to prevent content from loading in frames. By getting rid of the frames, you solve a large part of the clickjacking problem. IE 8, however, relies on the website, not the user. That’s not very helpful for most people. If individual users had the option to say “don’t use any frames,” then they could rely on near-universal protection. When you leave it up to website developers, though, you’ve only offered help for those that don’t need it. If a website chooses to use the no frames tag, then they’re obviously not trying to clickjack visitors. That leaves things wide open for clickjackers that create sites specifically to attract victims.

This is the kind of protection that could actually cause more harm than good.

If nothing else, Internet Explorer should alert users when they have reached a page that does not protect them. Then the user can decide whether he or she wants to proceed. It would also encourage more web designers to include the tags when they build new sites.

Clickjacking without the click

May 25, 2010

Demonstrations debuted at this year’s Black Hat Europe conference in Barcelona, Spain have revealed that clickjacking techniques don’t necessarily have to rely on mouse clicks to trick victims into participating in unknown activities. Instead, new clickjacking attacks focus on Java’s drag and drop capabilities. This allows clickjack attackers to steal information from text forms.

Even though these new clickjacking techniques don’t rely on mouse clicks, they still use invisible iFrames to trick internet users. In these instances, however, the invisible frames are placed on top of blank text forms. When a user fills out the form, they are contributing information unknowingly in another frame that they cannot see.

Drag and drop functions even make it possible for clickjacking attacks to steal information from entire sessions, not just individual forms. This presents a serious information security threat to both individuals and organizations who have private passwords, account numbers, and other bits of information that could help criminals commit theft or fraud.

Most recently updated web browsers can prevent invisible frames, but they rely on the website’s X-FRAME-OPTIONS: DENY tag. Websites that don’t include this tag, therefore, don’t offer protection from next generation clickjacking attacks.

Large sites like Facebook and Myspace have committed themselves to included frame busting tags and other security techniques to protect users. The mobile versions of these sites, however, do not usually offer as much protection as the Web versions, so users should be careful when using mobile devices to access their accounts.

You can read a summary of Paul Stone’s Next Generation Clickjacking demo at blackhat.com.