web application security lab

Clickjacking

There’s been a bit of drama over the last week or so around the upcoming OWASP world conference in New York. It surrounds a talk that Jeremiah and I were planning to give on the first day of the conference. Jeremiah and I have been working on some interesting browser security issues, which also affect a lot of downstream people/websites/technologies. Sounds like a good talk, right? We thought so too!

Alas, it turns out that some of the issues we found weren’t just a little bad - they were a lot bad. So bad, in fact, that we felt compelled to do some responsible disclosure. One issue led into another issue into another and poof - we have at least two and probably more incoming vendor patches at a yet to-be-determined date. And we’ve only worked with a few vendors. So… yah. It’s pretty bad.

As you may have guessed, the first is a browser company, Microsoft (to be expected, since it’s a browser issue to begin with). The second is Adobe, who have been working closely with us on this one since we first told them about the problem. We had been working on proof of concept code since before Black Hat and finally got our ducks in a row with real working exploit code a few weeks ago. And that is pretty much when the problems started. None of the issues we found relating to the browser are particularly easy to fix, it turns out.

The related issues we found that affect websites (instead of browsers) are thankfully slightly easier to deal with on a one-off basis, but they too are going to be a problem. There are a lot of much easier hacks out there against websites, for sure, but what we’ve been working on breaks some previously good security measures. The correct fix will not be patching every website on earth. Instead it will likely end up being a browser patch for every major browser. The idea of every webmaster in the world patching their own sites is a non-starter, although I’m sure lots of people are going to run out and patch their sites rather than wait for the normal patch and release cycle of every browser everywhere. We’ve discussed the high level concern with both Microsoft and Mozilla, and they independently concur that this is a tough problem with no easy fix in sight at the moment.

So, after much deliberation we opted to pull our talk voluntarily, due to the extremely neutered information we would have had to share. We’d much rather present the full breadth of what we found when it can be discussed more openly, so as not to diminish the danger of the flaw by only talking about small parts of the issue. There will still be holes in many websites due to this problem even after the short term patches are available, but we’d rather a few of the more critical problems get patched before we go public.

However, I must stress, this is not an evil “the man is trying to keep us hackers down” situation, à la Michael Lynn vs. Cisco, Chris Paget vs. HID, or MIT vs. MBTA and so on. We proactively decided it was better to pull the talk ourselves for the time being, and for anyone who was looking forward to it, all I can say is I hope to make it up to you once the vendors are in a better spot. It wasn’t an easy decision, but it really feels like the best option we have given the current situation. If you’re desperate for a way to protect your browser from the issue, disable scripting and plugins for the time being. More to come.

51 Responses to “Clickjacking”

  1. Laurent Says:

    Hey.

    I think you did well. I am sure the presentation would have been very clever, terribly entertaining and we would have all learned. Yet again, i feel you did the responsible thing.

    And when everyone will be ready, it will still be entertaining and clever :D

  2. sj Says:

    very nice.

  3. ntp Says:

    you mean Chris Paget?

    the industry has changed in the past 4 years. responsible disclosure is not only the right/trendy thing to do, it also allows you to lie about the severity of your vulnerability finding. how much extra time do you need in order to turn this into “just another offensive-security marketing slide”?

    if you’re really serious, you’d drop some ptacek-style md5sums of a tarball that contained your real work, as it stands today.

    really the best idea would be to stop caring about offensive research and concentrate on working with developers to fix issues 100 percent of the time

  4. RSnake Says:

    @ntp - Thanks for Chris’ name - whoops, typo - updated.

  5. kuza55 Says:

    The term Clickjacking reminds me of all the invisible CSS/iframe overlay stuff, which seems to fit the description here, is that what you were planning to talk about? (Just wondering if I should be bracing myself for something ground-breaking)

  6. kik Says:

    What about minor browsers? I understand the problem, but it means the death of browsers which already have some problems spreading.

    On one hand, if you communicate the issue only to large organizations, all minor browsers will stay compromised for long; on the other hand, if you communicate with all the little browsers’ developers, you’re sure your findings will be known by everyone.

    You’ve got to choose between definitively establishing the domination of MS, Google and Apple, or to mess up the net. I wouldn’t be in your place :)

  7. zendog Says:

    Nice work all! Responsible disclosure means allowing vendors a time frame to patch and if they don’t after such time then it’s their problem. You guys are doing it right.

  8. Jeremiah Grossman Says:

    @kuza55, while the “how” is important, it’s the “what” you can do with Clickjacking that sends the issue over the top. “Ground-breaking” is extremely subjective to infosec audiences; what we can say is it was important enough to Adobe that they needed more time.

    @kik, Fortunately the work of Adobe will help the major and minor browser vendors in identical fashion. When the major browser vendors do something to prevent Clickjacking, I would think those techniques could be easily copied by the rest.

  9. Patrick Says:

    Thanks for the info - great work.
    Looking forward to hearing the info from you guys once the vendors get some kind of fixes out there.

  10. Spyware Says:

    Heh, currently staring at a nice, yellow, McAfee SiteAdvisor button in Firefox. Would you guys give McAfee a nice little time frame to patch stuff as well?

  11. arf_arf Says:

    I’m a strong believer in full-disclosure, but I respect your right to decide when and how to disclose what for yourself.

    But maybe you could let us know just one little thing:

    - Does NoScript block the browser-end of this attack?

  12. Jeremiah Grossman Says:

    You know, that must be one of the most reasonable and level-headed statements I’ve ever heard uttered surrounding the ever-present FD debate. Very well said. NoScript would prevent most of the really bad clickjacking PoC, not 100%, which should be good enough to limit most risk.

  13. LonerVamp Says:

    I am not against your decision to responsibly disclose or pull your talk, not at all! :)

    But I did want to just pose one question. I don’t know how to ask it without being leading, so just know that I’m not trying to be leading!

    Three or five years ago, let’s say before either of you had your own company and were up-and-coming rather than already-arrived, would your decision to disclose have been different?

  14. RSnake Says:

    @LonerVamp - I didn’t know the parties involved at all back then, so it’s hard to say how I would have reacted. Especially since I honestly had no idea how to work with the vendors involved back then. However, had I known then what I know now, yes, absolutely I would do things exactly the same way. I was never really into the popularity contest aspect of the security industry, personally.

  15. Jeremiah Grossman Says:

    Unless you count some general browser attack techniques, I don’t recall ever zero-day’ing anyone. Speculating if this particular case happened years ago around the beginning of my career, honestly I might not have released it at all, or perhaps simply FD’ed it if I felt so inclined. This is for a couple of reasons. 1) We considered it a generic browser flaw, which they know about, and not so much an Adobe issue. 2) I did not have the personal relationships and credibility that I do now back then, which would have probably made responsible disclosure impossible (no way to get people to listen). 3) PSIRTs did not exist back then.

  16. LonerVamp Says:

    Thank you for both of your answers!

    And thanks, as usual, for all your collective hard work and expertise being put to excellent use! I and my users appreciate it every day! :)

  17. NeverMind Says:

    I think it’s very irresponsible to hide the information. Any decent cracker or security expert will be able to find at least some of the exploits you do not want to talk about with the available information. So you’re giving the malevolent people the chance to do a lot of real damage, *even to the users that take security seriously*.

  18. Laurent Says:

    I think there is one argument that should be noted. Full disclosure is used when corporations do not want to acknowledge/correct a software flaw. In this case, every party acknowledged the bug and showed leadership and willingness to correct the flaw.

    Thus, there was no need for full disclosure. Rsnake and Jeremiah both showed respect toward the community and they both have shown a high degree of professionalism.

    Full Disclosure is not the only way.

    Just my 2 cents.

  19. calios Says:

    Responsible disclosure - well, now it’s getting interesting - surely it helps the vendors to get their fixes done - on the other hand it leaves room for the wildest speculation :-O

    What worries me is the “breaks some previously good security measures” thing - shall we understand this as what made our websites secure in the past is working against us now?

    I would - so far - still consider HTTPS and SOP a strong combination - but since almost 30% of surfers still go by IE6 or worse, I would already say fixing the website will be faster than waiting for users to be patched :-(

  20. Giorgio Maone Says:

    @Jeremiah, RSnake:
    could you share privately some more details with me?
    Maybe NoScript could reach a perfect 100% ;)

  21. Jeremiah Grossman Says:

    Hi Giorgio, not right now, sorry. Soon though we hope.

    However, I believe those running NoScript and other security plug-ins like it really have a low probability of being impacted.

  22. Giorgio Maone Says:

    @Jeremiah:
    what “security plug-ins like it”?

  23. Jeremiah Grossman Says:

    haha, I should have been explicit. Like FlashBlock, Adblock Plus, CustomizeGoogle, etc. :)

  24. Giorgio Maone Says:

    @Jeremiah,
    those are useful against noise and annoyances, but hardly qualify as “security plugins”:
    FlashBlock — unreliable, see http://hackademix.net/2008/06/08/block-rick/
    AdBlock Plus — blacklist-based and reliability issues like FlashBlock
    CustomizeGoogle — ???

  25. Barak Obama Says:

    When I am elected president I will allow rsnake and crew to solve world hunger with XSS, and solve banking issues with SQLi. Seeing that the Democratic party is also in NYC next week, perhaps I will sweep you away into my black bulletproof car for a secret meeting to discuss this and other world problems in the cone of silence while smoking cigars like Bill Clinton heheh

  26. robert Says:

    @Obama

    First you need to beat McCain (and apparently Palin, who most people are connecting with), so stop being a lazy ass and get it done. If you can’t beat the failed Republican party, then how can you possibly save us from XSS?

    :)

  27. Jairo Carneiro Says:

    Does someone already know how to exploit the flaw? I went looking and found some topics related to the subject.
    I know part of

  28. Shawna Says:

    Isn’t it just as simple as requiring authorization for the loading of iframes? Or am I missing something?

  29. Fab Says:

    Which leads me to ask a question, since it will be a year or two before any of the Vendors come up with a solution, how can we take precautionary measures with our websites so that at the very least our websites are protected (patched) in the meantime?

  30. Tod Says:

    RSnake — shame on you for not sharing at AHA!

    :)

    http://www.breakingpointsystems.com/community/blog/clickjacking

  31. Brett Glass Says:

    If the “noscript” plugin might help prevent some exploits, what about the script-defeating mechanism in WebWasher Classic (a free program available at several download sites on the Web)? WebWasher inserts itself as a transparent proxy between your browser and the Net, and so would potentially work for ALL browsers, not just Firefox. It might well be the only fix for IE for a while.

  32. Matt Says:

    This isn’t that old trick of moving a position:absolute div with a link in it so when the user clicks, the click goes through to the other div?

    This was a popular one for faking banner clicks. Move the banner under mouse as the user’s about to click and you can inflate your numbers. :P

  33. hydroment Says:

    @shawna
    Blocking frames only constrains the clicks to the current domain (if I read correctly) It can still redirect to other links on the current page.

    In general, I’m not one much for kudos or pats on the back, but since everyone else is making an issue of it, I think you were correct in non-disclosure. Yes, it may be known by a limited few mis-aligned individuals, but at least it is not thrown into the mainstream before precautionary steps can be taken.

    just 2 cents. (I’ll bill you later ;-)

    hydroment

  34. Olivier Mengué Says:

    Hypothesis:
    The issue is probably that the browser is giving too much rights to the Flash plugin.
    Maybe it is possible to intercept browser events from a Flash object and change them (for example, change the mouse coordinates) before they reach the page event handler.

  35. Dwayne Says:

    Come on, guys. If it’s such a difficult problem that can’t be solved easily, then who is going to come up with a fix? The last thing we need is some half-baked solution that the rest of us have to live with for eternity because you guys wanted to pretend that there’s such a thing as “responsible disclosure” other than full disclosure. How many people know about this already? Can you be sure that none of them have leaked it? By keeping us out of the loop, you leave us more vulnerable than we would be otherwise.

    I really hope it’s nothing as simple as this:

    http://www.dlitz.net/temp/is-this-clickjacking.html

  36. lolrobert Says:

    @robert

    Yay! More of the same. American dollar crumbling, spying on Americans, torture, wars on terror, FEMA incompetence, cronyism, nation building, economy falling apart, and deregulation of credit lenders. I’m so glad Clinton and his ilk are out of office.

    Yay for that!

  37. Carmagnole Says:

    Hello there
    Could someone who knows how this exploit works please make a small webpage, that a user could download to their local machine for instance, that could perform a “cleaning clickhijack”, to give people a way out of the mess a hostile website put them in?
    In this way of thinking, why not include in the patched websites a “cleaning clickhijack” that would remove the effects of a preceding attack on a visitor’s browser?

  38. Nem Says:

    As a webdeveloper/webjunkie I am curious and interested in the flaws you’ve found. I understand why you’ve pulled your speech for now - and I appreciate it.

    Are these the kind of flaws which are gonna cost us nerds every free hour we’ve got until like 2012 to fix the PCs of our parents, friends, families, etc.? :P

  39. Dennis Says:

    I was wondering if you maybe could supply us a list of browsers that are susceptible to this bug? For example, would Chrome be affected?

  40. digi7al64 Says:

    @Dwayne - Props for the uber-made comments in your code highlighting your 1337ness. Sadly, I think rsnake and jeremiah are a little smarter than you, so I doubt whether you really got that close (even with eating breakfast). ATM I am placing my bet around a mixture of what I saw on ronalds site recently blended with some smart CSS.

    However, given the scariness of it all I am hoping its along the lines of being able to click confirmation boxes etc which would really be the only reason to hold back.

  41. w0lf Says:

    Good work!! This is what is called responsible disclosure. End customers are the no. 1 priority. Well, you two still have to face more fire-talk backs, especially from kiddies wanting to make some quick bucks. Best of luck, and waiting for the FD to be released soon after the patches are out.

  42. w0lf Says:

    @Jeremiah, RSnake:
    Oops, sorry for the repeat post. But soon after I clicked the submit button, I wondered whether end users can help prevent themselves from being click-jacked by not browsing other sites while browsing critical sites like banking pages or mail accounts? Also they should avoid having the browser remember passwords for those critical sites. Well, this is not a solution but a prevention technique (this may not work, because I am not sure of the details of the vuln; this is what I guessed from the posts.)

  43. Jac Says:

    My first impression: “What You Clicked Is Not What You Think You Have Clicked”.

  44. E-TARD Says:

    The info I have seen on the net about this
    I don’t get how bad it really is
    from what I have seen, OK, they can use my webcam & mic
    but only for the time I’m on that page where the attack is coming from?
    other than that no one has been talking about it installing anything
    so keep your mic on mute & unplug your webcam
    then this thing will not do jack
    but then again they are not telling us much about this
    so the only thing I can do to find out more about it is to try & find a “Clickjacking” & pull it apart & see what’s really going on & then come up with my own way of dealing with it

  45. Sevenhundred Elves Says:

    Wouldn’t the Proxomitron, with its options to block iframes, stylesheets, JavaScript (or selected parts thereof), be useful as a countermeasure? I have always felt safe using that, along with blocking such things as DCOM and Universal Plug and Play and not using Internet Explorer or programs dependent on it. Am I still vulnerable to this “clickjacking” whereof you speak?

  46. jon rose Says:

    Hi, reading your article I believe I have been doing fixes on my PC for the last week after downloading Flash to use with my LOTRO game. The 1st culprit seemed to be malware Win32:Downloader-EF{trj}, then I got doubleclick.com.
    Took a while, as it’s years since I used tab-mouselook, as it knocks out your mouse, and until you fix the problem you can’t re-install the mouse, as I tried that 1st :-(. Now doubleclick is part of Google.
    Is this the same? I still have 2 issues: my WinTV won’t install the correct drivers when I try, still working on that off and on; the other, more serious issue is system restore has disappeared completely, and trying to re-install, I wiped the cache, yes ouch! But I now can re-install system restore, but it will disappear again. At this moment, the good news is I did open system restore using %systemroot%\system32\restore\rstrui.exe but… as soon as I created a restore point and re-booted, system restore has at the moment disappeared again.
    I am running WinXP 64 bit, which probably saved my bacon so I can still work the machine around these problems, as you are basically running win32 and win64, so only 1 part is affected.
    I could reformat and start again but I have so many documents, including a book I am writing, again =P, that this isn’t an option.
    Now, as you haven’t disclosed the problem or browser, I am just guessing, so in that case just answer me, and keep this private.

    Sincerely Jonathan rose

  47. jonathan rose Says:

    I have gone back to blocking all cookies, 1st and 3rd party, and adding only sites I can trust, due to this attack, if it’s the same as the one that attacked my machine.

  48. RSnake Says:

    The paper has been re-posted here: http://www.sectheory.com/papers.htm for those of you who can’t/didn’t sign up for Hackers for Charity.

  49. NM Says:

    Security through obscurity is terrible practice.

  50. zadok Says:

    Security threats are here to stay, close one, another will spring up.
    The question we should all be asking is
    Who first notices a flaw? He can almost determine what happens next.
    Just imagine that RSnake and Jeremiah are two malicious guys, ….

    They say great minds think alike. Now even if they don’t disclose it, I’m sure sooner or later, someone somewhere will notice it.
    If malicious, think of the possibilities.
    If unknown to companies (just like R & J were some years back), the companies probably won’t take it seriously till the exploit spreads.

    I think they are doing the right thing

  51. Sourabh Khurana Says:

    Hi,

    “noscript” is not the solution to stop clickjacking.
    The point is if all JavaScript is blocked then the user will not be able to use many applications like Gmail. So, a frame buster script is the best solution which I can think of.
    In normal circumstances no one will keep their browser with JavaScript disabled.
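As an added example, not code from the original post or from RSnake and Jeremiah: the site-side defence that Sourabh (comment 51) and Shawna (comment 28) are circling around, a frame buster, written out together with the response headers that browsers added after this post (X-Frame-Options shipped in IE8 in 2009, CSP frame-ancestors later) so that the browser can refuse framing without any script running on the page. The decision logic is kept in pure functions so it can be exercised under Node; applyFrameDefense() wires it to a real window when one exists. The origins, referrers and function names are my own assumptions for illustration.

```javascript
// Added example (not code from the original post or its authors).
// Site-side anti-framing: a frame-busting decision plus the equivalent
// response headers. All origins and referrers here are constructed.

// Origin (scheme://host[:port]) of a URL string, or null if it does not
// parse. Comparing whole origins, not string prefixes, is what stops
// https://bank.example.attacker.test from matching https://bank.example.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// What a page should do given how it was loaded.
//   isFramed       : window.top !== window.self in the browser
//   referrer       : document.referrer, the only cross-browser hint of who
//                    framed us (reading top.location cross-origin throws).
//                    It may be empty, so empty is treated as untrusted.
//   allowedOrigins : origins permitted to frame this page
// Returns "allow" (render normally) or "bust" (navigate top to this page).
function framingDecision({ isFramed, referrer, allowedOrigins }) {
  if (!isFramed) return "allow";
  const framer = originOf(referrer);
  if (framer !== null && allowedOrigins.includes(framer)) return "allow";
  return "bust";
}

// Response headers that let the browser refuse framing with no script on
// the page at all. X-Frame-Options only expresses DENY or SAMEORIGIN (its
// ALLOW-FROM form was never widely supported), so an allowlist that
// includes third-party origins is carried by CSP frame-ancestors, which
// browsers that understand it honour in preference to X-Frame-Options.
function frameDefenseHeaders(allowedOrigins, selfOrigin) {
  const others = allowedOrigins.filter((o) => o !== selfOrigin);
  const headers = {};
  if (allowedOrigins.length === 0) {
    headers["X-Frame-Options"] = "DENY";
    headers["Content-Security-Policy"] = "frame-ancestors 'none'";
  } else {
    if (others.length === 0) headers["X-Frame-Options"] = "SAMEORIGIN";
    const sources = (allowedOrigins.includes(selfOrigin) ? ["'self'"] : []).concat(others);
    headers["Content-Security-Policy"] = "frame-ancestors " + sources.join(" ");
  }
  return headers;
}

// Browser entry point. The document starts hidden and is only revealed
// once it is known not to be framed by an untrusted origin, so a parent
// that manages to block the busting navigation is left with a blank frame
// rather than a clickable page. Returns the decision for logging.
function applyFrameDefense(allowedOrigins) {
  if (typeof window === "undefined") return "allow"; // not running in a browser
  const root = document.documentElement;
  root.style.display = "none";
  const decision = framingDecision({
    isFramed: window.top !== window.self,
    referrer: document.referrer,
    allowedOrigins,
  });
  if (decision === "allow") {
    root.style.display = "";
  } else {
    // Assigning top.location is permitted cross-origin even though reading
    // it is not; this replaces the framing page with our own.
    window.top.location = window.self.location;
  }
  return decision;
}
```

Ship the script as the first thing in the document head and send the headers on every HTML response; the script only helps where script runs (comment 12 and the post's own "disable scripting" advice cut both ways), while the headers are enforced by the browser before any content is laid out, so in a browser that understands them they are the part that actually holds.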