| Please note that this article originally published with a title and analysis indicating that "one-third of top 20 banking sites" were susceptible to clickjacking. After receving some feedback from a reader (see comment below) we re-checked our math and updated accordingly. We apologize for the error. |
Qualys researcher Dingjie Yang decided to look into the potential for clickjacking, which is a cyber-attack that tricks a web user into clicking a button, a link or a picture that he or she didn’t intend to click, typically by overlaying the web page with an iframe. He wrote short scripts to check whether web pages of the top 10 websites ranked by Alexa, top 20 bank websites and the Joomla, Wordpress, Phpbb, Drupal and Gallery open source web applications could be framed in his scripts. If his script could run and frame the web pages of the test targets successfully, it indicated that no countermeasures were deployed, and clickjacking was possible. The vulnerability turned out to be shockingly widespread.
“We’ve known about clickjacking, also called UI redress attacks, for years now, as they were originally described in 2008 by Robert Hansen and Jeremiah Grossman,” he said in his blog.
The threat is not minor: it can expose confidential information or even allow attackers to take control of the user’s computer. When a website is vulnerable to clickjacking, it is possible for the attacker to disable cross-site request forgery (CSRF) token protection, which guards against CSRF attacks that trick browsers into doing things without the user’s knowledge or permission.
“The clickjacking attacks on Facebook in 2010 showed that harm is done even by sending spam to everyone in your address book,” Yang explained.
In addition to a basic lack of awareness, Yang believes that the main reason why websites aren’t taking clickjacking seriously is because it’s hard to manipulate. “Some web developers consider clickjacking lower risk since it is harder to get sensitive information from an end-user, as compared with other attacks like XSS and SQL injection,” he said.
Also, he said that the only way that could completely prevent clickjacking attacks is to use a web browser like Lynx, which a pure text-based web browser that doesn’t support JavaScript. “Not only is Lynx outdated, but it's hard to imagine a modern web site user experience without the use of JavaScript,” he noted.
There are still some countermeasures that websites can implement to protect against clickjacking attacks, such as framebusters, the X-Frame Option and a few client-side plug-ins that can be installed in the browser. “Neither X-Frame Options nor framebusters have proven to be 100% effective, but they significantly reduce the risk of clickjacking,” he advised. “It is definitely worth implementing them into your websites if your websites are running without any protection against clickjacking attacks.”
A PayPal researcher also recently suggested a new way to thwart the threat. The mitigation technique, called “adaptive UI randomization,” combines randomized changes to UI elements with statistical analysis of first click success provided by screenshot comparison tools.