Abstract
Web applications use trustworthy events consciously triggered by a human user (e.g., a left mouse click) to authorize security-critical changes. Clickjacking and UI redressing (UIR) attacks trick the user into triggering a trustworthy event unconsciously. A formal model of Clickjacking was described by Huang et al. and was later adopted by the W3C UI safety specification. This formalization did not cover the target of these attacks, the trustworthy events.
We provide the first extensive investigation of this topic and show that the concept is not completely understood in current browser implementations. We show major differences between widely-used browser families, even to the extent that the concept of trustworthy events itself becomes unrecognizable. We also show that the concept of trusted events as defined by the W3C is, in a sense, orthogonal to trustworthy events, and may lead to confusion in understanding the security implications of both concepts. Based on these investigations, we were able to circumvent the concept of trusted events, introduce three new UIR attack variants, and minimize their visibility.
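The distinction the abstract draws between W3C "trusted" events and "trustworthy" events can be made concrete with a small handler. The following is an added example, not code from the paper or from any of the cited specifications; it assumes Node.js 15 or later for the global `Event` and `EventTarget` classes, and the function names `authorizeIfTrusted`, `simulateSyntheticClick` and `simulateSpoofedObject` are hypothetical. It gates a security-critical action on `Event.isTrusted` and shows what that gate does and does not refuse.

```javascript
// Added example, not code from the paper: an Event.isTrusted ("trusted event")
// gate on a security-critical action, exercised against a script-synthesized click.
// Assumes Node.js 15+ for the global Event and EventTarget classes; the function
// names below are hypothetical.

// Perform `sensitiveAction` only for an Event the user agent itself generated.
// Two separate checks: the object must be a real Event (a caller cannot spoof the
// flag with a plain object literal), and its isTrusted flag must be set.
function authorizeIfTrusted(event, sensitiveAction) {
  if (!(event instanceof Event)) {
    return { performed: false, reason: 'not an Event object' };
  }
  if (!event.isTrusted) {
    // Events created with new Event(...) and delivered via dispatchEvent()
    // carry isTrusted === false in every conforming implementation.
    return { performed: false, reason: 'script-synthesized event rejected' };
  }
  sensitiveAction();
  return { performed: true, reason: 'user-agent-generated event' };
}

// A page that tries to trigger the action without any user interaction can only
// produce synthetic events; this shows the gate refusing one.
function simulateSyntheticClick() {
  const target = new EventTarget();
  let fired = 0;
  let result = null;
  target.addEventListener('click', (ev) => {
    result = authorizeIfTrusted(ev, () => { fired += 1; });
  });
  target.dispatchEvent(new Event('click'));   // constructed, synthetic click
  return { ...result, fired };
}

// A plain object carrying isTrusted: true, handed to the handler directly,
// is refused by the instanceof check before the flag is even consulted.
function simulateSpoofedObject() {
  let fired = 0;
  const fake = { isTrusted: true, type: 'click' };   // constructed spoof attempt
  const result = authorizeIfTrusted(fake, () => { fired += 1; });
  return { ...result, fired };
}

// What this gate does NOT establish: a genuine click that the user makes on an
// overlaid, invisible frame has isTrusted === true, because the user agent
// generated it. isTrusted classifies the event's origin (script vs. user agent),
// not whether the user consciously intended the action, which is why the paper
// treats the two concepts as orthogonal. Framing controls such as X-Frame-Options
// or CSP frame-ancestors address that part and are not modelled here.

console.log(JSON.stringify(simulateSyntheticClick()));
console.log(JSON.stringify(simulateSpoofedObject()));
```

Both simulated inputs come back with `performed: false` and the action counter at zero. The practical lesson for a defender is that an `isTrusted` check belongs in the handler as a filter against script-driven triggering, but it must be paired with framing protection, since a clickjacked user produces perfectly trusted events.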
References
Aboukhadijeh, F.: Spy on the webcams of your website visitors, October 2011. http://feross.org/webcam-spy/
Aharonovsky, G.: Malicious camera spying using clickjacking, October 2008. http://blog.guya.net/2008/10/07/malicious-camera-spying-using-clickjacking/
Akhawe, D., He, W., Li, Z., Moazzezi, R., Song, D.: Clickjacking revisited: a perceptual view of UI security. In: 8th USENIX Workshop on Offensive Technologies (WOOT 2014). USENIX Association, San Diego, August 2014. https://www.usenix.org/conference/woot14/workshop-program/presentation/akhawe
Balduzzi, M., Egele, M., Kirda, E., Balzarotti, D., Kruegel, C.: A solution for the automated detection of clickjacking attacks. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2010, pp. 135–144. ACM, New York (2010). https://doi.org/10.1145/1755688.1755706
Barth, A.: The Web Origin Concept. IETF, RFC 6454, December 2011. http://tools.ietf.org/html/rfc6454
Bianchi, A., Corbetta, J., Invernizzi, L., Fratantonio, Y., Kruegel, C., Vigna, G.: What the app is that? Deception and countermeasures in the android user interface. In: IEEE Symposium on Security and Privacy. Department of Computer Science, University of California, Santa Barbara (2015)
Bordi, E.: Cursorjacking proof of concept, August 2010. http://static.vulnerability.fr/noscript-cursorjacking.html
Braun, F., Heiderich, M.: X-Frame-Options: All about Clickjacking? (2013). https://cure53.de/xfo-clickjacking.pdf
Fratantonio, Y., Qian, C., Chung, S., Lee, W.: Cloak and dagger: from two permissions to complete control of the UI feedback loop. In: Proceedings of the IEEE Symposium on Security and Privacy (Oakland), San Jose, CA, May 2017
Hansen, R., Grossman, J.: Clickjacking attack, December 2008. http://www.sectheory.com/clickjacking.htm
Google Chrome Help: Allow or block content settings for certain sites, March 2017. https://support.google.com/chrome/answer/3123708?hl=en
Huang, L.S., Moshchuk, A., Wang, H.J., Schecter, S., Jackson, C.: Clickjacking: attacks and defenses. In: Presented as part of the 21st USENIX Security Symposium (USENIX Security 2012), pp. 413–428. USENIX, Bellevue (2012). https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/huang
Kacmarcik, G., Leithead, T.: UI events - W3C working draft, August 2016. https://www.w3.org/TR/uievents/
Kaminsky, D., Huang, D.L.S., Maone, G.: W3C - user interface security and the visibility API, June 2016. https://www.w3.org/TR/UISecurity/
Kotowicz, K.: Cursorjacking again, January 2012. http://blog.kotowicz.net/2012/01/cursorjacking-again.html
Lawrence, E.: Combating clickjacking with x-frame-options, March 2010. http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
Lekies, S., Heiderich, M., Appelt, D., Holz, T.: On the fragility and limitations of current browser-provided clickjacking protection schemes. In: Presented as Part of the 6th USENIX Workshop on Offensive Technologies. USENIX, Berkeley (2012). https://www.usenix.org/conference/woot12/workshop-program/presentation/Lekies
Lekies, S., Heiderich, M., Appelt, D., Holz, T., Johns, M.: On the fragility and limitations of current browser-provided clickjacking protection schemes. In: USENIX Workshop on Offensive Technologies (WOOT 2012) (2012)
Lin, C.C., Li, H., Zhou, X., Wang, X.: Screenmilker: how to milk your android screen for secrets. In: Network and Distributed System Security (NDSS) Symposium 2014 (2014)
Maone, G., Huang, D.L.S., Gondrom, T., Hill, B.: W3C - user interface security directives for content security policy, June 2014. https://dvcs.w3.org/hg/user-interface-safety/raw-file/tip/user-interface-safety.html
Mayer, A., Niemietz, M., Mladenov, V., Schwenk, J.: Guardians of the clouds: when identity providers fail. In: The ACM Cloud Computing Security Workshop, CCSW 2014 (2014)
Microsoft: How to use security zones in internet explorer, June 2012. https://support.microsoft.com/en-us/help/174360/how-to-use-security-zones-in-internet-explorer
Needham, K.: The future of developing firefox add-ons, August 2015. https://blog.mozilla.org/addons/2015/08/21/the-future-of-developing-firefox-add-ons/
Mozilla Developer Network: Event.isTrusted, February 2017. https://developer.mozilla.org/en-US/docs/Web/API/Event/isTrusted
Mozilla Developer Network: Web APIs - Document.execCommand(), January 2017. https://developer.mozilla.org/de/docs/Web/API/Document/execCommand
Niemietz, M.: Clickjacking und UI-Redressing - Vom Klick-Betrug zum Datenklau: Ein Leitfaden für Sicherheitsexperten und Webentwickler. dpunkt-Verlag (2012)
Niemietz, M.: UI Redressing: Attacks and Countermeasures Revisited. In: CONFidence, May 2011
Niemietz, M., Schwenk, J.: UI Redressing Attacks on Android Devices, December 2012. https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf
Niemietz, M., Schwenk, J.: Owning your home network: router security revisited. In: Web 2.0 Security & Privacy 2015, San Jose (2015). http://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_9.pdf
Roesner, F., Kohno, T., Moshchuk, A., Parno, B., Wang, H., Cowan, C.: User-driven access control: Rethinking permission granting in modern operating systems. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 224–238, May 2012
Ruderman, J.: The same origin policy (2008). http://www-archive.mozilla.org/projects/security/components/same-origin.html
Rydstedt, G., Bursztein, E., Boneh, D.: Framing attacks on smart phones and dumb routers: tap-jacking and geo-localization. In: USENIX Workshop on Offensive Technologies (WOOT 2010) (2010). http://seclab.stanford.edu/websec/framebusting/tapjacking.pdf
Rydstedt, G., Bursztein, E., Boneh, D., Jackson, C.: Busting frame busting: a study of clickjacking vulnerabilities at popular sites. In: IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010) (2010). http://seclab.stanford.edu/websec/framebusting/framebust.pdf
Sherman, I.: Making form-filling faster, easier and smarter, January 2012. https://webmasters.googleblog.com/2012/01/making-form-filling-faster-easier-and.html
Sophos: Facebook worm - “likejacking”, May 2010. http://nakedsecurity.sophos.com/2010/05/31/facebook-likejacking-worm/
Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: Proceedings of the 19th International Conference on World Wide Web, WWW 2010, pp. 921–930. ACM, New York (2010). https://doi.org/10.1145/1772690.1772784
Steen, H.R.M.: W3C - clipboard API and events, December 2016. https://www.w3.org/TR/clipboard-apis/
Stone, P.: Next generation clickjacking - new attacks against framed web pages, April 2010. https://www.contextis.com/documents/5/Context-Clickjacking_white_paper.pdf
W3C: W3C DOM4: DOM Event isTrusted, November 2015. https://www.w3.org/TR/dom/
W3C: UI events, January 2016. https://w3c.github.io/uievents/
WHATWG: HTML Living Standard - drag and drop, November 2013. http://www.whatwg.org/specs/web-apps/current-work/multipage/dnd.html#dnd
WHATWG: form control infrastructure, July 2017. https://html.spec.whatwg.org/multipage/form-control-infrastructure.html
Zalewski, M.: Strokejacking, June 2010. http://lcamtuf.blogspot.de/2010/06/curse-of-inverse-strokejacking.html
© 2018 Springer Nature Switzerland AG
Cite this paper
Niemietz, M., Schwenk, J. (2018). Out of the Dark: UI Redressing and Trustworthy Events. In: Capkun, S., Chow, S. (eds) Cryptology and Network Security. CANS 2017. Lecture Notes in Computer Science, vol. 11261. Springer, Cham. https://doi.org/10.1007/978-3-030-02641-7_11
DOI: https://doi.org/10.1007/978-3-030-02641-7_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-02640-0
Online ISBN: 978-3-030-02641-7
eBook Packages: Computer Science, Computer Science (R0)