From IE 8 to Google Chrome, Keep an Eye on Clickjacking

First Microsoft touts clickjacking protections in Internet Explorer 8, then a security researcher releases a proof of concept for a clickjacking attack targeting the Google Chrome Web browser. Clickjacking, some say, remains an issue that will require cooperation in the security community.

Clickjacking is not going away.

The same week Microsoft announced on the 26th Jan. it had put protections against clickjacking in Internet Explorer 8, security researcher Aditya Sood posted on BugTraq on the 29th Jan. a new clickjacking advisory for the Google Chrome browser, with a link to a proof of concept.

Officials at Google said they are aware of the issue, which affects Chrome versions 1.0.154.43 and earlier. So far, Google says it has not seen any attempts to exploit this vulnerability in the wild. Though the posted advisory only mentions Google Chrome, there are reports that the same vulnerability affects Mozilla’s Firefox 3.0.5 as well—though this can be mitigated by using the ClearClick anti-clickjacking feature contained in the NoScript plug-in for Firefox.

Internet Explorer 7 does not seem to be affected by Sood’s method.

Still, clickjacking has affected all the major browsers. The technique was publicised in 2008 by security researchers Jeremiah Grossman, CTO of WhiteHat Security, and Robert Hansen. If done successfully, clickjacking can trick users into clicking on links without their knowledge and effectively circumvents cross-site request forgery protections that attempt to confirm transactions with the user.

In Sood’s proof of concept, available here, users click on what appears to be a link to Yahoo.com, but actually directs them to a site about cross-site scripting. Sood wrote:

A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The user thinks he is clicking the visible buttons, while he/she is actually performing actions on the hidden page.

The hidden page may be an authentic page, and therefore the attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page.

While Sood’s post focused on Google Chrome, a Google spokesperson was quick to point out that clickjacking is a larger issue that affects all Web browsers.

“The issue is tied to the way the Web and Web pages were designed to work, and there is no simple fix for any particular browser,” the spokesperson said. “We are working with other stakeholders to come up with a standardised long-term mitigation approach.”

Although Microsoft put protection against clickjacking in the release candidate for Internet Explorer 8, critics contend that Microsoft’s IE 8 RC 1 clickjacking solution is only a sticking plaster.

“While it’s positive that Microsoft has chosen to do something to safeguard against clickjacking, the new security feature offers very limited protections,” Grossman said. “Web site owners can do more to protect their visitors, but unfortunately the average Web citizen still has no way to defend themselves on their own. So most experts will agree the anti-clickjacking feature will do little to stem the near-term risk.”

Grossman suggested browser vendors consider bundling in the NoScript Firefox plug-in by default.

“NoScript has powerful security features that can prevent clickjacking as well as many other Web-based attacks, which also allows users to tune their own level of desired security,” he added. “For Internet Explorer, Opera, Google Chrome, etc., they should embed similar features and functionality in their products.”

Johnathan Nightingale, a security researcher for Mozilla, said Mozilla’s efforts around preventing clickjacking have been more focused on comprehensive solutions like its Content Security Policy proposal and implementing the Origin header to thwart cross-site request forgery attacks.

“We’ve discussed these publicly with other browser makers and the broader Web security community to ensure that we are helping them prevent the attacks they’re concerned about, and to benefit from their experience,” Nightingale said. “Changing the way we do security on the Internet needs to be a group effort, and we’d welcome the participation of the IE team in that work.”