
Out of the Dark: UI Redressing and Trustworthy Events

Conference paper, Cryptology and Network Security (CANS 2017).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11261)

Abstract

Web applications use trustworthy events, consciously triggered by a human user (e.g., a left mouse click), to authorize security-critical changes. Clickjacking and UI redressing (UIR) attacks trick the user into triggering a trustworthy event unconsciously. A formal model of clickjacking was described by Huang et al. [12] and was later adopted by the W3C UI safety specification. This formalization did not cover the target of these attacks, the trustworthy events themselves.

We provide the first extensive investigation of this topic and show that the concept is not completely understood in current browser implementations. We show major differences between widely-used browser families, even to the extent that the concept of trustworthy events itself becomes unrecognizable. We also show that the concept of trusted events as defined by the W3C is somewhat orthogonal to trustworthy events, and may lead to confusion in understanding the security implications of both concepts. Based on these investigations, we were able to circumvent the concept of trusted events, introduce three new UIR attack variants, and minimize their visibility.



References

  1. Aboukhadijeh, F.: Spy on the webcams of your website visitors, October 2011. http://feross.org/webcam-spy/

  2. Aharonovsky, G.: Malicious camera spying using clickjacking, October 2008. http://blog.guya.net/2008/10/07/malicious-camera-spying-using-clickjacking/

  3. Akhawe, D., He, W., Li, Z., Moazzezi, R., Song, D.: Clickjacking revisited: a perceptual view of UI security. In: 8th USENIX Workshop on Offensive Technologies (WOOT 2014). USENIX Association, San Diego, August 2014. https://www.usenix.org/conference/woot14/workshop-program/presentation/akhawe

  4. Balduzzi, M., Egele, M., Kirda, E., Balzarotti, D., Kruegel, C.: A solution for the automated detection of clickjacking attacks. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2010, pp. 135–144. ACM, New York (2010). https://doi.org/10.1145/1755688.1755706

  5. Barth, A.: The Web Origin Concept. IETF, RFC 6454, December 2011. http://tools.ietf.org/html/rfc6454

  6. Bianchi, A., Corbetta, J., Invernizzi, L., Fratantonio, Y., Kruegel, C., Vigna, G.: What the app is that? Deception and countermeasures in the Android user interface. In: IEEE Symposium on Security and Privacy. Department of Computer Science, University of California, Santa Barbara (2015)

  7. Bordi, E.: Cursorjacking proof of concept, August 2010. http://static.vulnerability.fr/noscript-cursorjacking.html

  8. Braun, F., Heiderich, M.: X-Frame-Options: All about Clickjacking? (2013). https://cure53.de/xfo-clickjacking.pdf

  9. Fratantonio, Y., Qian, C., Chung, S., Lee, W.: Cloak and dagger: from two permissions to complete control of the UI feedback loop. In: Proceedings of the IEEE Symposium on Security and Privacy (Oakland), San Jose, CA, May 2017


  10. Hansen, R., Grossman, J.: Clickjacking attack, December 2008. http://www.sectheory.com/clickjacking.htm

  11. Google Chrome Help: Allow or block content settings for certain sites, March 2017. https://support.google.com/chrome/answer/3123708?hl=en

  12. Huang, L.S., Moshchuk, A., Wang, H.J., Schecter, S., Jackson, C.: Clickjacking: attacks and defenses. In: Presented as part of the 21st USENIX Security Symposium (USENIX Security 2012), pp. 413–428. USENIX, Bellevue (2012). https://www.usenix.org/conference/usenixsecurity12/technical-sessions/presentation/huang

  13. Kacmarcik, G., Leithead, T.: UI events - W3C working draft, August 2016. https://www.w3.org/TR/uievents/

  14. Kaminsky, D., Huang, D.L.S., Maone, G.: W3C - user interface security and the visibility API, June 2016. https://www.w3.org/TR/UISecurity/

  15. Kotowicz, K.: Cursorjacking again, January 2012. http://blog.kotowicz.net/2012/01/cursorjacking-again.html

  16. Lawrence, E.: Combating clickjacking with X-Frame-Options, March 2010. http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx

  17. Lekies, S., Heiderich, M., Appelt, D., Holz, T.: On the fragility and limitations of current browser-provided clickjacking protection schemes. In: Presented as Part of the 6th USENIX Workshop on Offensive Technologies. USENIX, Berkeley (2012). https://www.usenix.org/conference/woot12/workshop-program/presentation/Lekies

  18. Lekies, S., Heiderich, M., Appelt, D., Holz, T., Johns, M.: On the fragility and limitations of current browser-provided clickjacking protection schemes. In: USENIX Workshop on Offensive Technologies (WOOT 2012) (2012)


  19. Lin, C.C., Li, H., Zhou, X., Wang, X.: Screenmilker: how to milk your android screen for secrets. In: Network and Distributed System Security (NDSS) Symposium 2014 (2014)


  20. Maone, G., Huang, D.L.S., Gondrom, T., Hill, B.: W3C - user interface security directives for content security policy, June 2014. https://dvcs.w3.org/hg/user-interface-safety/raw-file/tip/user-interface-safety.html

  21. Mayer, A., Niemietz, M., Mladenov, V., Schwenk, J.: Guardians of the clouds: when identity providers fail. In: The ACM Cloud Computing Security Workshop, CCSW 2014 (2014)


  22. Microsoft: How to use security zones in Internet Explorer, June 2012. https://support.microsoft.com/en-us/help/174360/how-to-use-security-zones-in-internet-explorer

  23. Needham, K.: The future of developing Firefox add-ons, August 2015. https://blog.mozilla.org/addons/2015/08/21/the-future-of-developing-firefox-add-ons/

  24. Mozilla Developer Network: Event.isTrusted, February 2017. https://developer.mozilla.org/en-US/docs/Web/API/Event/isTrusted

  25. Mozilla Developer Network: Web APIs - Document.execCommand(), January 2017. https://developer.mozilla.org/de/docs/Web/API/Document/execCommand

  26. Niemietz, M.: Clickjacking und UI-Redressing - Vom Klick-Betrug zum Datenklau: Ein Leitfaden für Sicherheitsexperten und Webentwickler. dpunkt-Verlag (2012)


  27. Niemietz, M.: UI Redressing: Attacks and Countermeasures Revisited. In: CONFidence, May 2011


  28. Niemietz, M., Schwenk, J.: UI Redressing Attacks on Android Devices, December 2012. https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf

  29. Niemietz, M., Schwenk, J.: Owning your home network: router security revisited. In: Web 2.0 Security & Privacy 2015, San Jose (2015). http://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_9.pdf

  30. Roesner, F., Kohno, T., Moshchuk, A., Parno, B., Wang, H., Cowan, C.: User-driven access control: Rethinking permission granting in modern operating systems. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 224–238, May 2012


  31. Ruderman, J.: The same origin policy (2008). http://www-archive.mozilla.org/projects/security/components/same-origin.html

  32. Rydstedt, G., Bursztein, E., Boneh, D.: Framing attacks on smart phones and dumb routers: tap-jacking and geo-localization. In: USENIX Workshop on Offensive Technologies (WOOT 2010) (2010). http://seclab.stanford.edu/websec/framebusting/tapjacking.pdf

  33. Rydstedt, G., Bursztein, E., Boneh, D., Jackson, C.: Busting frame busting: a study of clickjacking vulnerabilities at popular sites. In: IEEE Oakland Web 2.0 Security and Privacy (W2SP 2010) (2010). http://seclab.stanford.edu/websec/framebusting/framebust.pdf

  34. Sherman, I.: Making form-filling faster, easier and smarter, January 2012. https://webmasters.googleblog.com/2012/01/making-form-filling-faster-easier-and.html

  35. Sophos: Facebook worm - “likejacking”, May 2010. http://nakedsecurity.sophos.com/2010/05/31/facebook-likejacking-worm/

  36. Stamm, S., Sterne, B., Markham, G.: Reining in the web with content security policy. In: Proceedings of the 19th International Conference on World Wide Web, WWW 2010, pp. 921–930. ACM, New York (2010). https://doi.org/10.1145/1772690.1772784

  37. Steen, H.R.M.: W3C - clipboard API and events, December 2016. https://www.w3.org/TR/clipboard-apis/

  38. Stone, P.: Next generation clickjacking - new attacks against framed web pages, April 2010. https://www.contextis.com/documents/5/Context-Clickjacking_white_paper.pdf

  39. W3C: W3C DOM4: DOM Event.isTrusted, November 2015. https://www.w3.org/TR/dom/

  40. W3C: UI events, January 2016. https://w3c.github.io/uievents/

  41. WHATWG: HTML Living Standard - drag and drop, November 2013. http://www.whatwg.org/specs/web-apps/current-work/multipage/dnd.html#dnd

  42. WHATWG: Form control infrastructure, July 2017. https://html.spec.whatwg.org/multipage/form-control-infrastructure.html

  43. Zalewski, M.: Strokejacking, June 2010. http://lcamtuf.blogspot.de/2010/06/curse-of-inverse-strokejacking.html


Author information


Corresponding author

Correspondence to Marcus Niemietz.


Copyright information

© 2018 Springer Nature Switzerland AG

About this paper


Cite this paper

Niemietz, M., Schwenk, J. (2018). Out of the Dark: UI Redressing and Trustworthy Events. In: Capkun, S., Chow, S. (eds) Cryptology and Network Security. CANS 2017. Lecture Notes in Computer Science(), vol 11261. Springer, Cham. https://doi.org/10.1007/978-3-030-02641-7_11


  • DOI: https://doi.org/10.1007/978-3-030-02641-7_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-02640-0

  • Online ISBN: 978-3-030-02641-7

  • eBook Packages: Computer Science (R0)
