WSV E2: The Sneaky Attack: Clickjacking
Introduction and how Clickjacking Works
In May 2022, Security Affairs wrote an article on how a security researcher, h4x0r_dz, discovered an unpatched flaw in PayPal that could allow attackers to steal money from users’ accounts. The attack exploits a vulnerability in the PayPal endpoint “www.paypal[.]com/agreements/approve,” which was intended for billing agreements. The flaw allows attackers to bypass token verification and trick users into completing unauthorized transactions through clickjacking.
Clickjacking, also known as a “UI redress attack,” is explained by PortSwigger as an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website. In essence, it’s a way of “hijacking” the user’s click for malicious purposes, hence the name clickjacking.
How it works:
- HTML frames or iframes allow web pages to be displayed within other web pages. Iframes are essentially frames within frames, enabling the embedding of content from other sources onto webpages.
- This functionality can lead to clickjacking, where attackers cover the original web page with a hidden layer containing their own JavaScript and UI elements. The attack usually involves hiding a legitimate webpage or clickable element (such as a button or link) underneath an invisible or opaque element on the screen.
- Users may not suspect anything wrong as the outward appearance of the web page remains unchanged. The user believes they are clicking on one thing, but they are actually interacting with something entirely different.
- The hidden UI allows the attacker’s script to take precedence, working behind the scenes to give the appearance that nothing is amiss.
This hidden action could be something dangerous, like:
- Liking or sharing content on social media without the user’s knowledge.
- Initiating a money transfer or performing an online transaction.
- Changing security settings on a website.
For example, imagine a “Play” button on a video player that, when clicked, actually triggers a hidden “Buy Now” button for an expensive product or service. The user clicks with one intent but is tricked into performing a completely different action.
Types of Clickjacking
Imperva states that there are several variations of clickjacking, such as:
- Basic Clickjacking: This is the most straightforward form, where users click on a hidden or disguised element.
- Cursorjacking: In this version, the user’s cursor is manipulated to appear in a different place than it actually is. The user thinks they are clicking on one spot, but the actual click happens somewhere else. Cursorjacking relies on vulnerabilities in Flash and the Firefox browser, which have now been fixed.
- Likejacking: Common on social media, this tricks users into “liking” a post or page without realizing it.
Real-World Consequences
Clickjacking can lead to significant harm based on the type of hidden action the attacker wants to achieve. For example, it can be used to:
- Steal sensitive information: By tricking users into revealing personal data.
- Spread malware: Users unknowingly install malicious software when they click.
- Hijack user accounts: Attackers might trick users into making unwanted account changes or giving access to sensitive platforms.
Preventing Clickjacking
Website owners can take steps to prevent clickjacking attacks:
- X-Frame-Options Header: The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Setting this header prevents the website from being embedded in an <iframe> on another site, which is a common technique used in clickjacking.
- Content Security Policy (CSP): Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution. CSP can prevent clickjacking by specifying which sources of content are allowed to frame a page.
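As an added example (not code from the original article or from any of the referenced sources), the following Node.js snippet shows both sides of the two defences just described: a helper that builds the X-Frame-Options and CSP headers a site should send (the CSP directive that controls framing is frame-ancestors), and an audit function a defender can run over a response's headers to decide whether the page can still be framed. The sample header sets, the hypothetical origin https://partner.example, and the helper names are assumptions of this example, not values from the article.

```javascript
// Added example: building and auditing anti-clickjacking response headers.
// Plain Node.js, no third-party packages; all sample data below is constructed.

// Build the response headers that forbid framing except by the listed origins.
// An empty allow-list gives the strictest setting: nobody may frame the page.
function antiClickjackingHeaders(allowedOrigins = []) {
  const headers = {};
  if (allowedOrigins.length === 0) {
    // Legacy header for old browsers; DENY blocks every frame, iframe, embed, object.
    headers['X-Frame-Options'] = 'DENY';
    // Modern equivalent: CSP frame-ancestors with the 'none' source.
    headers['Content-Security-Policy'] = "frame-ancestors 'none'";
  } else {
    // X-Frame-Options cannot express an origin allow-list (ALLOW-FROM was never
    // widely supported), so send SAMEORIGIN for legacy browsers and let CSP,
    // which modern browsers prefer when both are present, carry the exact list.
    headers['X-Frame-Options'] = 'SAMEORIGIN';
    headers['Content-Security-Policy'] =
      `frame-ancestors 'self' ${allowedOrigins.join(' ')}`;
  }
  return headers;
}

// Apply the headers to a Node.js http.ServerResponse (or anything with setHeader).
function applyAntiClickjacking(res, allowedOrigins = []) {
  for (const [name, value] of Object.entries(antiClickjackingHeaders(allowedOrigins))) {
    res.setHeader(name, value);
  }
}

// Extract the frame-ancestors source list from a CSP header value.
// Returns null when the directive is absent (CSP then says nothing about framing).
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Audit a response's headers (names matched case-insensitively, as HTTP requires)
// and report whether, and by which mechanism, framing is restricted.
function auditFraming(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const ancestors = frameAncestors(lower['content-security-policy']);
  if (ancestors !== null) {
    // CSP wins over X-Frame-Options in current browsers; '*' means anyone may frame.
    return { protected: !ancestors.includes('*'), mechanism: 'csp', allowed: ancestors };
  }
  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { protected: true, mechanism: 'x-frame-options', allowed: [] };
  if (xfo === 'SAMEORIGIN') return { protected: true, mechanism: 'x-frame-options', allowed: ["'self'"] };
  return { protected: false, mechanism: null, allowed: ['*'] };
}

// Constructed sample responses (not captured from any real site).
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  legacy: { 'content-type': 'text/html', 'x-frame-options': 'deny' },
  modern: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://partner.example" },
  wideOpen: { 'Content-Security-Policy': 'frame-ancestors *' },
};

// Print a verdict for each sample so the block can be run directly.
for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name, auditFraming(headers));
}
```

The audit reports the wideOpen sample as unprotected even though it carries a CSP header: a frame-ancestors directive that lists `*` allows any site to frame the page, so the presence of the header alone is not enough, and the source list has to be checked.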
Users, too, can protect themselves by:
- Using updated browsers: Modern browsers have built-in protections against clickjacking attacks. Always update your browsers!
- Enabling browser extensions: Some browser add-ons block websites from embedding harmful iframes.
Conclusion
Clickjacking is a deceitful attack that exploits a user’s clicks for malicious intent. It has the potential to cause significant security vulnerabilities, but both website developers and users have the ability to defend against it. It is important to exercise caution when engaging with unfamiliar websites, and make sure to utilize current security measures to shield against these kinds of risks.
References
You can read up more on this in the articles below!
- https://www.kaspersky.com/resource-center/definitions/clickjacking
- https://portswigger.net/web-security/clickjacking
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
- https://www.imperva.com/learn/application-security/clickjacking/
- https://www.indusface.com/blog/what-are-clickjacking-attacks-tips-to-prevent-them/
- https://securityaffairs.com/131569/hacking/paypal-clickjacking-attack.html