Paul Stone is an information security consultant with Context Information Security in the U.K. He is scheduled to talk today at the Black Hat Europe 2010 conference about "next generation clickjacking", according to the conference's "briefings" page.
Clickjacking is a type of cyber attack first demonstrated two years ago by Robert "RSnake" Hansen and Jeremiah Grossman. The term refers to an attacker invisibly slipping a malicious link into a Web page, hiding it behind a button, for instance, usually in an iFrame. When the user clicks on the link, or even only hovers the mouse over it, he becomes infected by whatever the attacker put there. It can be used for various ends, such as gathering sensitive information or text injection. Browser vendors have responded to the threat since it was disclosed, and Internet Explorer 8, among others, has a feature that mitigates clickjacking.
However, according to Stone, "most sites aren't protected against it. And people don't realize how it works." This may be in part because clickjacking has mostly been considered a limited attack vector, especially compared to attacks such as XSS (cross-site scripting) and CSRF (cross-site request forgery). In classic clickjacking attack scenarios that is true, but there are extended possibilities.
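The browser-side defence the article alludes to (the Internet Explorer 8 feature) is the X-Frame-Options response header, which tells the browser whether a page may be placed in a frame at all. The following is an added example, not code from the article, from Paul Stone or from Context Information Security: it checks a set of HTTP response headers for anti-framing protection and reports which mechanism applies. It goes beyond the page by also evaluating the later Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options in browsers that support it. All header values are constructed samples.

```python
"""Assess HTTP response headers for anti-framing (clickjacking) protection.

Added example, not from the article. Evaluates two standard defences:
  * X-Frame-Options (DENY / SAMEORIGIN / ALLOW-FROM), the mechanism IE8 introduced
  * Content-Security-Policy frame-ancestors, which takes precedence when present
Header sets below are constructed samples, not captured from any real site.
"""
from typing import Dict, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp: str) -> Optional[str]:
    """Return the lower-cased source list of frame-ancestors, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:]).lower()
    return None


def assess(headers: Dict[str, str]) -> Dict[str, object]:
    """Decide whether the response forbids framing by untrusted origins.

    Returns {"protected": bool, "mechanism": str, "detail": str}.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:
            # An empty or 'none' source list blocks every framer.
            if sources in ("", "'none'"):
                return {"protected": True, "mechanism": "CSP frame-ancestors",
                        "detail": "framing forbidden ('none')"}
            tokens = sources.split()
            # A bare wildcard or scheme-only source lets any origin frame the page.
            if any(t in ("*", "http:", "https:") for t in tokens):
                return {"protected": False, "mechanism": "CSP frame-ancestors",
                        "detail": f"permits any origin: {sources}"}
            return {"protected": True, "mechanism": "CSP frame-ancestors",
                    "detail": f"restricted to: {sources}"}

    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return {"protected": True, "mechanism": "X-Frame-Options",
                    "detail": value}
        if value.startswith("ALLOW-FROM"):
            # ALLOW-FROM was never supported by all major browsers; treat as weak.
            return {"protected": False, "mechanism": "X-Frame-Options",
                    "detail": f"ALLOW-FROM is not universally honoured: {xfo}"}
        # Unknown values (e.g. ALLOWALL) are ignored by browsers.
        return {"protected": False, "mechanism": "X-Frame-Options",
                "detail": f"invalid value ignored by browsers: {xfo}"}

    return {"protected": False, "mechanism": "none",
            "detail": "no anti-framing header present"}


# Constructed sample responses, labelled for the report.
SAMPLES = {
    "no protection": {"Content-Type": "text/html"},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "xfo lowercase sameorigin": {"x-frame-options": "sameorigin"},
    "xfo invalid": {"X-Frame-Options": "ALLOWALL"},
    "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp trusted origin": {"Content-Security-Policy": "frame-ancestors https://trusted.example"},
    "csp wildcard overrides xfo": {"Content-Security-Policy": "frame-ancestors *",
                                   "X-Frame-Options": "DENY"},
}


def report(samples: Dict[str, Dict[str, str]] = SAMPLES) -> Dict[str, bool]:
    """Print one line per sample and return {label: protected}."""
    results = {}
    for label, headers in samples.items():
        verdict = assess(headers)
        results[label] = bool(verdict["protected"])
        status = "OK  " if verdict["protected"] else "WEAK"
        print(f"{status} {label:28s} {verdict['mechanism']}: {verdict['detail']}")
    return results


if __name__ == "__main__":
    report()
```

The check is deliberately header-only: JavaScript frame-busting, the other defence common at the time, is not assessed here because it can be neutralised from the framing page and is not a reliable signal on its own.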
So Stone's talk today is not only about how existing, known attacks work, but largely about what more is possible and how dangerous it can be to users:
"The presentation will explore further ways in which a user can be tricked into interacting with a victim site and how these can lead to attacks such as injecting data into an application (bypassing all current CSRF protections) and the extraction of data from websites without the user's knowledge." He also maintains that he is able to steal information from Websites that are not even vulnerable to XSS or CSRF. His demonstration will show hacking techniques that work on all four major browsers (Internet Explorer, Firefox, Safari and Chrome) and "which can be used to take full control of a web application."
Stone would not disclose the details of his work, but says he is "not using actual vulnerabilities in browsers: [he is] just using the way they work against them." He also warns that existing mitigation techniques do not provide reliable protection, and he will show a simple tool to easily create actual, working attacks that at the same time "will highlight the need for improved Clickjacking defences in both browsers and web applications." The new tool "allows for easy point-and-click creation of multi-step Clickjacking attacks on any web application, by visually selecting the links, buttons, fields and data to be targeted," according to Stone. If advanced clickjacking really is as easy to perform as Paul Stone seems to think, we may be in for yet another source of trouble.
Finally, the free Clickjacking Tool should be available on Context Information Security's Web site later today.