Thursday, October 9, 2008

Clickjacking Defenses

[Update: 10/15/08 - Adobe Flash Player 10 is now available for download, which addresses the webcam/microphone hijacking scenario described below.]

Since I last blogged about clickjacking two days ago and posted a demo, plenty of additional information has emerged, including the original researchers, Jeremiah Grossman and Robert Hansen breaking their silence in light of attack details now being public. Robert provides a detailed list of the status of all known clickjacking related issues, noting whether they have been resolved or if resolution is expected in the near future.

Given that the majority of necessary vendor patches to address clickjacking are not yet available, I'd like to take this opportunity to discuss some practical interim workarounds to defend against clickjacking. Keep in mind that while clickjacking affects a web user, as with most client side vulnerabilities, preventing the attack is a shared responsibility among web site administrators, software vendors and end users. We don't have any control over software vendors, so I'll instead focus on what website administrators (server side) and end users (client side) can do to protect themselves.

Server Side Protections
  • Frame busting - All of the clickjacking demonstrations that I've seen to date require that the targeted site, which the attacker wants a victim to click on, be contained in an IFRAME on a page which the attacker controls. According to Robert, the need for IFRAMEs can be bypassed using ActiveX controls if they don't use traditional modal dialogs, but rather rely on on-page prompting. However, inserting 'frame busting' code on sensitive pages is at least one solid protection that site administrators can implement to prevent their clients from falling victim to clickjacking attacks when the attacker is using IFRAMEs. The following code will ensure that a page is not displayed within an IFRAME:
<script type="text/javascript">
// If this page is not the top-level document, it has been framed.
if(top.location != location) {
// Navigate the top-level window to this page's own URL, breaking out of the frame.
top.location.href = document.location.href;
}
</script>
  • Randomize URLs - Clickjacking requires that the URL of the site to be clickjacked is known. Therefore, URLs for pages with sensitive actions (e.g. password reset) could be dynamically generated. This would of course prevent static links from other applications.
  • Randomize Layout - Clickjacking also requires knowing the location of the object to be clicked on so that the overlay page is properly positioned. Therefore, randomly changing the position of a sensitive page element such as a submit button would increase the level of difficulty for a successful clickjacking attack. This however could be challenging for many sites, as page layout can't be adjusted without changing the overall look and feel of the page.
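The frame-busting script in the list above uses the simplest possible check. As an added example that is not from the original post, the version below applies the same defense in a form that goes a step further and can be exercised outside a browser: it keeps the page hidden until the script confirms the window is top-level, and it compares window identities rather than reading top.location, which browsers refuse when the parent frame is a different origin. The window and document objects, and the example URL, are constructed stand-ins passed in as parameters.

```javascript
// Added example, not code from the original post. Browser objects are
// passed in explicitly so the logic runs against constructed stand-ins.

// Decide whether this window is framed. Comparing window identities does not
// throw, unlike reading top.location.href from inside a cross-origin frame.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    // If the browser refuses even the identity check, assume we are framed.
    return true;
  }
}

// "Hide by default, reveal only when unframed": the page ships with
// html { display: none } so a framed copy with JavaScript blocked shows
// nothing clickable; content is revealed only once we know we are top-level.
function bustFrames(win, doc) {
  if (!isFramed(win)) {
    doc.documentElement.style.display = 'block';
    return 'revealed';
  }
  // Navigate the top window to our own URL so the user lands on the real site.
  try {
    win.top.location = win.self.location.href;
  } catch (e) {
    // Navigation denied: leave the content hidden so there is no click target.
  }
  return 'busted';
}

// Constructed stand-ins for window and document (not real DOM objects).
// The URL is a made-up example value.
function makeEnv(framed) {
  const self = { location: { href: 'https://example.test/reset-password' } };
  const top = framed ? { location: null } : self;
  const win = { self: self, top: top };
  const doc = { documentElement: { style: { display: 'none' } } };
  return { win: win, doc: doc };
}
```

In a real page the functions would be called with the browser's own `window` and `document`, with the initial `display: none` rule in a `<style>` block in the page head.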

Client Side Protections

One of the most concerning attacks related to clickjacking involves changing a user's Adobe Flash Player settings to allow the attacker's site to enable and access a victim's webcam and microphone. This allows clickjacking to be used for surveillance as seen in a demonstration video posted at guya.net. The Adobe Flash Player mitigations in the list below are therefore designed to address this specific attack but keep in mind that Adobe is only one affected vendor.
  • Pull the plug - The only surefire way to prevent your webcam and microphone from being hijacked is to disable them. This of course has the obvious implication of disabling hardware that will be useful elsewhere, but you may want to consider it. Depending upon your system this may require changing O/S settings, BIOS settings or simply pulling the plug.
  • Adobe Flash Player Settings Manager - Flash Player settings can be adjusted manually. In fact, the aforementioned attack is doing exactly this by tricking the user into changing their settings via clickjacking. In order to access the appropriate settings you can right-click on any embedded Flash video and select 'Settings --> Advanced' or just use the links below.
    • Global Privacy Settings - Global settings address all sites using Flash, regardless of whether they are newly encountered or already have site specific rules applied from past visits. Select 'Always Deny' to ensure that sites can never access your webcam or microphone. Keep in mind however that this setting can itself be changed by clickjacking, so it's far from a foolproof defense.
    • Website Privacy Settings - This panel will allow you to set rules for specific sites if you'd prefer to not block access for all sites.
  • mms.cfg - According to the Adobe advisory, in addition to the method above, webcam and microphone access from within Adobe Flash Player can also be disabled by changing the configuration file directly. This is a better approach as this change cannot be reset through clickjacking. Directions for doing this are provided on page 57 of the Adobe Flash Player Administration Guide, but based on my research, the mms.cfg file is only used by Adobe Flash Player 8, and not in 9.
  • NoScript - NoScript is a handy Firefox plugin which gives granular control over client side scripting on websites and even has some decent XSS protections as well. They've extended this functionality to defend against clickjacking by doing the following three things.
    • ClearClick - ClearClick will prevent UI interaction with embedded objects if they're obstructed or not clearly visible.
    • Opacize Embedded Objects - This setting will make visible those page elements hidden using CSS with the opacity value set to '0'. This is in my opinion the best defense to date as it won't break the functionality of any sites, but it will empower the user to see any clickjacking attempts.
    • Frame Breaker - Additionally, NoScript has frame breaker emulation for frames where JavaScript is disabled.
While the NoScript functionality is a positive step forward in the absence of vendor patches, I'll forewarn you that I've encountered some false positives in my testing thus far. My recommendation is that you enable ClearClick only for Trusted Sites, but use the Opacize Embedded Objects setting for both Trusted and Untrusted sites to maximize coverage while minimizing false positives. To summarize, there is no silver bullet to protect against clickjacking, but there are at least a handful of steps that can be taken to mitigate the risk.

As with most problems in life, if the aforementioned still leaves you with worries, a little duct tape can solve your problems - this time by being placed over your webcam.

- michael
