Click-jacking 2.0

Click-jacking involves a crafted web site inserting a transparent iFrame underneath the cursor. Believing themselves to be clicking on the displayed web page, users in fact find themselves clicking on control elements (e.g. buttons) on a transparent iFrame from another website.

Security expert Paul Stone demonstrated a new generation of click-jacking attacks at the recent Black Hat Europe event in Barcelona. Stone’s demos are not limited to clicks – he can also enter text into forms or read documents opened in the victim’s browser or the page source. Stone makes use of the drag and drop API provided by modern browsers such as Internet Explorer, Firefox, Chrome and Safari. Rather than getting victims to click on specific locations, Stone gets users to drag objects or text from visible windows into an invisible iFrame.

This could, for example, become relevant where a user is logged into a social networking site and another page from that site is opened in an invisible frame, into which the user then unknowingly drops content. According to Stone, the browser’s same origin policy would not spring into action in this scenario, because the elements are moved from one site to the other through the user’s own action. Using this method, Stone can circumvent restrictions such as those aimed at preventing cross-site request forgeries.

Java and JavaScript can increase the potency of these attacks further by requiring only a click rather than a drag. Most high-traffic sites (read: social networks) have protected themselves against click-jacking; the mobile versions of these sites, however, may still be vulnerable.
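Both the classic and the drag-and-drop variant depend on the target page being loadable inside a cross-origin frame, so the check a site owner wants is whether each variant of the site (desktop and mobile) actually sends an anti-framing policy. The following is an added example, not code from the article or from Stone's demos; the hostnames and header sets are constructed, and it relies only on the standard `X-Frame-Options` header and the CSP `frame-ancestors` directive.

```javascript
// Added example: decide from response headers whether a page can be embedded
// in a cross-origin iframe, the precondition for click-jacking.
//   - Content-Security-Policy: frame-ancestors <source-list> (takes precedence)
//   - X-Frame-Options: DENY | SAMEORIGIN (other values give no protection)

// Returns the frame-ancestors source list (quotes stripped, lower-cased),
// or null when the policy has no frame-ancestors directive.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// headers: plain object with lower-case header names.
// Returns { framable: boolean, reason: string }.
function assessFraming(headers) {
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors !== null) {
    // An empty list or 'none' blocks every ancestor; scheme-only sources
    // such as https: let any site on that scheme frame the page.
    if (ancestors.length === 0 || ancestors.includes('none')) {
      return { framable: false, reason: "frame-ancestors 'none'" };
    }
    if (['*', 'https:', 'http:'].some((s) => ancestors.includes(s))) {
      return { framable: true, reason: 'frame-ancestors allows any origin' };
    }
    return { framable: false, reason: 'frame-ancestors restricted to listed origins' };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { framable: false, reason: `X-Frame-Options: ${xfo}` };
  }
  return { framable: true, reason: 'no effective anti-framing header' };
}

// Constructed sample: the desktop site is protected, the mobile site is not.
const SAMPLE_RESPONSES = {
  'www.example.test': { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  'm.example.test': { 'content-type': 'text/html' },
};

// Lists the hosts whose responses a cross-origin page could frame.
function findFramableHosts(responses) {
  return Object.keys(responses).filter((h) => assessFraming(responses[h]).framable);
}
```

Run against real responses, feed the function the headers of the same URL fetched with a desktop and a mobile user agent; a host appearing only in the mobile result is exactly the gap the article warns about.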