Cenzic 232 Patent
Paid Advertising
web application security lab

Clickjacking and GuardedID

I’m so behind in blog posts, it’s unreal! Feel my pain. Feel it, I tell you!

I’ve received several emails about GuardedID’s clickjacking protection, so I thought I should do a quick post about it. From Michael Brenner:

GuardedID does not interfere with operation of legitimate iFrames, frames, AJAX, or scripted applications. GuardedID does not block operations. It makes potential clickjacks visible to the end user. PLUS, as you mentioned, GuardedID runs on IE8, IE7, and IE6, as well as Firefox 3, 2, and 1.

Clickjack warning is an added benefit, rather than the primary function of our GuardedID product (at least until there is a major loss due to a creative clickjack.)

GuardedID’s primary function is to obfuscate keystrokes so any keyloggers that manage to install on a workstation do not get ID’s and passwords entered into a web browser. (GuardedID, on a percentage basis, is many times more effective at what it does than most anti-virus programs are at blocking viruses.)

GuardedID needs to process the DOM in order to properly identify text input fields. When focus is on a text input and GuardedID is active, GuardedID rewrites the bg color of the field so the user knows that the keystrokes are being encrypted (our marketing term for this indication is “CryptoColor”).

When your clickjack paper hit the headlines last September, our phone rang constantly from users asking if we could help avoid clickjacks, especially in Internet Explorer. Since we already process the entire DOM, we added the two clickjack warning features to GuardedID in response to their requests.

The “Opacity” warning forces frames with “off domain” sources to ALWAYS be visible. The “Placement” warning (called “Show Red Border” in GuardedID) forces the dashed red line around off-domain frames. (Show Red Border is really fun to use on sites like amazon.com who give up space to outside advertisers. The off-site ads are all framed.)

So for those IE users who want to take matters into their own hands rather than waiting for IE8.0 to come out and for every site to adopt X-FRAME-OPTIONS, you have a solution at your disposal to thwart would be clickjackers. I have not tested this tool yet, and it isn’t free, like the NoScript alternative for Firefox, so if someone wants to post user comments here, they would be welcome.

6 Responses to “Clickjacking and GuardedID”

  1. Tom T. Says:

    From the white paper:

    1) The white paper doesn’t say what encryption algorithm is used. CRC? DES? MD5, now known to be broken (or at least breaking)? Pig Latin? How is the key generated? 256 bits or 40 bits? Where is it stored? Is it ever changed? How and when? Any product white paper that speaks of encryption without answering these questions is probably snake oil.

    2) If there is already a keylogger on my machine when I install GuardedID, couldn’t it learn the encryption keys and method as the product is being installed?

    2) It still has to be decrypted (per their diagram) at some point in the browser before being sent to the Internet. I’m too stupid to know the answer to this, but couldn’t a keylogger reside or look in the browser as it sends stuff to the Net?

    3) What happens to my keystrokes as I work in Open Office or MS Word or … etc.? The diagram only points to the browser; doesn’t mention any other applications. Do I end up with a Word doc that I can’t read?

    From their web site:

    4) “GuardedID bypasses the typical places keyloggers normally reside,” So couldn’t evildoers make them reside somewhere else?

    5) “Secunia has tested the ability of various high-profile Internet Security Suites to detect exploitation of vulnerabilities. Their report proves that Anti-Virus software is not enough to stop keyloggers.” OK, but has Secunia or any third party shown that GuardedID *does* stop kl?

    6) “GuardedID is designed as a toolbar for your browser,” Yes, browser toolbars are the safest way to install anything (cough). Most spyware is toolbars and most toolbars are spyware. For that matter, how do I know that GuardedID isn’t sending its encrypted stuff to their site, where they can decrypt it and…

    7) “rerouting those encrypted keystrokes directly to your Internet Explorer browser”.. Nothing there about compatibility for Fx, Chrome, Safari, etc.

    Not convinced, but willing to listen to answers from the high-tech crowd.

  2. Frederik Says:

    no offense, but sounds snake-oilish to me.

  3. afd3dea Says:

    Regarding the keylogging aspect: All in all just sounds to me like another hurdle for malware to easily overcome - drawing its strength from the fact that no malware-writer today is going to bother to jump that hurdle to infect the extra fraction of clients who have this installed.

    If everyone hides their key under the doormat by default, malware isn’t going to bother to check beneath every rock around the corner just because 1 in a billion store store their keys there instead. If everyone hid their key beneath the rock…

  4. John sreeder Says:

    interesting product. protects the user. dont wait to the website owners to protect you against those attacks. we installed dotdefender to protect our website from attacks. but how can u increase the awareness and the importance that more and more website’s owner will install website protection and will block the attack from reaching to the users? i think this is the question need to be asked.

  5. abc Says:

    what a stupid programm…
    what if i just log all keystrokes, when a browser has been started and has the focus?

    If you need something like this use Firefox and no-script!

  6. RSnake Says:

    @abc - clickjacking is not at all the same thing as phishing. Please read http://www.sectheory.com/clickjacking.htm for more info.