New Google Chrome clickjacking vulnerability rears its head

03 January 2013

Beware when looking for help with that new Chromebook: Google Chrome users visiting Google support pages could be vulnerable to a clickjacking technique that could lay bare their e-mail addresses, profile pictures, first and last names, and other information.

A UI redress vulnerability in Google’s Chrome web browser offers a simple data extraction opportunity to a would-be hacker, according to researcher Luca De Fulgentis at Nibble Security, who said that attackers could simply trick users into publishing their private information.

“The Google Chrome web browser seems to have defeated any extraction methods, denying the use of the view-source handler and disallowing cross-origin drag & drop,” the researcher noted. “Despite these adverse conditions, I identified some attack scenarios where a UI redressing issue could be still performed in order to extract sensitive data.”

In some instances, users are fooled into using a two-step drag-and-drop method to publish data publicly. To wit: instead of a cross-origin drag-and-drop, the victim is tricked into performing a same-origin action, where the dragged content belongs to a vulnerable web page of the targeted application “and the dropper is a form (text area, input text field, etc.) located on the same domain,” he added.

De Fulgentis said the attacker then exploits a subsequent clickjacking vulnerability on the same domain, which causes the publication of the personal information.

“I refer to this kind of attack chain as a bridge that allows the attacker to move sensitive data from being private to public, while remaining on the same domain,” he said. “Then, the attacker can simply access the (now) public information to obtain the extracted data.”

De Fulgentis observed that the technique requires two vulnerabilities: the site's functionality must be susceptible to clickjacking in the first place, and the site must also expose web resources that are not protected by X-Frame-Options (or that rely on weak frame-busting code).
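As an added illustration (not code from the article or from Nibble Security), the following Python function classifies a response's framing policy from its headers, the check a defender would run against the kind of resource described above; the function names and header values are constructed for this example.

```python
# Added example (not from the article or Nibble Security): decide whether a
# response can be framed by a cross-origin page, the precondition for the
# UI redressing attack the article describes. Header values are constructed;
# JavaScript frame-busting cannot be judged from headers alone.
from typing import Dict, Optional

def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None

def frame_policy(headers: Dict[str, str]) -> str:
    """Return 'deny', 'sameorigin', 'allowlist' or 'unprotected'.
    A CSP frame-ancestors directive takes precedence over X-Frame-Options
    when both are present; browsers ignore XFO in that case."""
    csp = _header(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.strip("'").lower() for s in parts[1:]]
                if not sources or sources == ["none"]:
                    return "deny"  # empty source list matches nothing
                if sources == ["self"]:
                    return "sameorigin"
                if "*" in sources:
                    return "unprotected"
                return "allowlist"
    xfo = _header(headers, "X-Frame-Options")
    if xfo:
        value = xfo.strip().upper()
        if value == "DENY":
            return "deny"
        if value == "SAMEORIGIN":
            return "sameorigin"
        if value.startswith("ALLOW-FROM"):
            return "allowlist"  # obsolete; modern browsers ignore it
        return "unprotected"  # unrecognised value: browsers allow framing
    # No framing header at all, as on the support pages the article describes.
    return "unprotected"

# Constructed samples: a bare response beside a hardened one.
UNPROTECTED = {"Content-Type": "text/html"}
HARDENED = {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}
```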

“An authenticated Google user can be attacked by abusing a UI redressing vulnerability related to the support.google.com domain,” De Fulgentis said in his blog post. “No X-Frame-Options header is adopted, thus allowing the cross-domain extraction of personal data.”

Similar vulnerabilities have been found on other popular web applications, including Microsoft and Yahoo! Profile pages, he added.

“I found that several world-renowned web applications lack protection of web resources from UI redressing attacks, thus revealing data that can be abused to disclose a user's identity,” said De Fulgentis. “An identification attack could be successfully performed by exploiting a UI redressing flaw affecting web resources that include, for example, the name or the e-mail address of the victim.”
