Clickjacking and Flash
I heard of clickjacking a couple of weeks back when the media blast started. At that time a had a very vague idea what it was and just recently I saw some POCs coming out to show how it works in practice.
Clickjacking, if I may categorize it, falls into the category of GUI attacks. I associate the clickjacking attack with the focus stealing attack which allows attackers to steal any file from the disk as long as they trick the victim to type enough characters. Ok, this is not a razor-sharp exploit but it is an exploit nevertheless.
In essence, the clickjacking technique allows attackers to trick the victim to click on areas of a disguised HTML elements such as an IFRAME preloaded with let’s say your Facebook account information. If nothing else, clickjacking is the killer of most anti-CSRF techniques.
I haven’t been thinking about clickjacking at all. I mean the attack is quite obvious and the potentials for damage are there. However, this morning when woke up, an interesting question started to circulate in my head. What is Adobe’s deal?
After all, Adobe are the ones who asked Jeremiah and rsnake to cancel their OWASP presentation. The answer came quite quickly and naturally.
The simple truth is that Adobe are worried about the clickjacking technique because Flash’s current and even future and a lot more enhanced security model relies on user interactions, i.e. clicks performed by the user. Therefore, today attackers can trick the user to allow the microphone to survey the sound in the room where the victim’s equipment is located. They can use clickjacking for that! But there is more.
If you have been following the development of the Flash platform, you are probably aware that Flash will soon become practically the most powerful web tool out there. Seriously, Adobe are revolutionizing the way we interact with the Web. Not only Flash will support a primitive P2P streaming protocol (I need to think of something malicious to do with that…), but they will also allow users to open and save files from and to their local disk. The only catch is that this feature is available via the FileReference class which contains methods that cannot be accessed directly. Instead, the developer needs to bind them to onclick events.
IMHO I do not think that this security model is bulletproof. The potentials for abuse are obvious, and since clicks are the driving force of future Flash’s security model, then clickjacking is what it comes to mind if you want to abuse them. Perhaps, in the future we might be able to connect to TCP sockets as long as the user clicks?
In conclusion, clickjacking is not a killer problem and it does not break the web, well not entirely. However the clickjacking problem is hard to solve. IMHO, I believe that it is even harder to solve then any overflow you may have to deal with. Why? Because we are dealing with user interaction and graphic design related problems. The solution has to be so clean that it doesn’t break half of the Web.



comments
It’s probably more like enabling the cam and mic access through flash. Ever seen that little popup when clicking on flash? That’s another thing you can do. besides clicking on buttons and stuff. mere guess of course, and some also e-mailed me about this as an attack vector.
But I’m not sure, we’ll have to wait for the stuff to roll right I guess. I’m a bit agitated by semi-disclosure right now, the media twist things out of perspective lately without doing research an taking stuff on face value. Even when I speak about something, I always ask them nicely to NOT address me as security researcher since I have no authority to claim such, other than being a semi-bored blogger that likes to go an the bend once in a while, but they don’t seem to care, it sells more ads for them :)
Not sure what is happening lately, all strange things happening all over the place, old TCP attacks, weird click attacks, old purged DNS attacks dis-covered, BGP attacks, haha! no disrespect but it’s just a crazy observation where you are pretty much spot on when you said that it’s not about being the baddest hacker.
I would love to tell bad-ass stories, but I know I can’t because people know my name. Crazy I know, funny: hell yeah.
This is the vector I came up with right away after understanding the whole Clickjacking idea, and I resisted the urge to 0day Adobe on stage in NYC - it was tough, especially with the whole crowd salivating for vectors.
There are worse vectors though, even within Flash. This is a real creative challenge to those willing to spend the time researching.
The future is scary- just check out HTML5, google, and check out some of the streaming options our browsers are looking into implementing.
Ronald, you are right and I think that’s what we both meant (about using Clickjacking to trick the user into clicking ‘Allow’ in the Flash security dialog).
indeed, the future looks very gloomy :)
rvdh, being the baddest hacker is not enough. I know that you are the lone wolf but enter my world of massive collaboration. this is the future! well, at least according to me.
@arshan
it is a quite strange observation by many in the hacker & security field, when people think that it must be about complexity and intellectuality. This is opposite in finding truth or even science, where the smallest theory is the most elegant generally. Whoever finds the smallest theory is usually the winner, not in hacking and security. it has to be complex that no-one understands it anymore, and you do. It’s only showing inner uncertainty, instead of the confidece to talk about XSS all and and seeing it as a risk. The moment you do that you are labeled a scriptkid. Well, I always said: be affraid of the scriptkid, he will own you one day when you are far too busy with your intellectual rolegames.
This is no critique, it’s my personal observation and conclusion about the fact that no one other than uncertainty will make you proof to the world you are not uncertain, which again proves de facto uncertainly.
@petko
Yeah, I think the whole notion of being the baddest and one with the most bling is ridiculous. This doesn’t mean I like a healthy competion of course. But there is a thin line to walk in my opinion. A lot of bugs are being found by those in search for recognition, so in one way it’s good that not many people realize it. Secondly I don’t think that doing some partion magic on the TCP/IP stack is any more dangerous than clickjacking, I don’t really subscribe to classifications of vulnerabilities anymore, their is either a threath or there is a good sense of security.
It seems that something’s being done to address clickjacking - NoScript’s new version (1.8.2.1) sports some form of protection in this regard:
http://hackademix.net/2008/10/.....ckjacking/
I’m not sure whether this will help against Flash clickjacking, but it certainly detected overlaid elements on a web-page and displayed a warning.
what can I say, I appreciate Georgio’s work a lot but the simple fact is that NoScript can be really annoying sometimes (most of the time). Putting warnings everywhere is not the solution. I don’t know what is the solution. I am glad though, that we have some solution thanks to NoScript. Clickjacking is also possible on the desktop as well. Clickjacking is certainly not a Web-related only problem. However, I do not see Desktop GUI developers implementing warnings everywhere.