Wednesday 27 June 2012

Hijacking Facebook Users With Clickjacking Attack


Clickjacking is one of the most common attacks on Facebook. Scammers use it to inflate the likes of a Facebook page and to spread malicious links through Facebook users' profiles. Most of the strange-looking, self-spreading scams on Facebook are clickjacking attacks.


The name clickjacking comes from "click hijacking". In this attack, the hacker hijacks a user's click to perform some action on a web page. The attack is also known as a user interface redress attack, UI redress attack or UI redressing. The hacker tricks an innocent user into clicking on something other than what the user believes they are clicking: the user tries to click a link or button for one specific task, while the button or link actually does something else.

How does this attack work?

As the name suggests, the hacker hijacks the user's click. That sounds complicated, but the mechanism is simple: the hacker uses modified frames so that only a specific part of the target web page is visible on the attacker's page.
For example, imagine a hacker creates a website with a button that says "click here to get free gifts". On top of that page, the hacker has embedded an iframe containing a subscription button, positioned directly over the "free gifts" button. The visitor tries to click the free gifts button but actually clicks the invisible subscription button.

The attack is performed with the help of two iframes. First, the target button is placed at the top left of a web page inside an iframe. This first iframe is used to hide all the other elements of the page that originally contains the button; the hacker hides the frame border and scroll bars, which makes the frame hard to notice on the page.

<iframe id="inner" src="http://hackingtricks.in" frameborder="none" scrolling="no" width="1000" height="3000"></iframe>
<style>
#inner { position: absolute; left: -600px; top: -600px; }
</style>

Change the position and size of the iframe to fit the button you are isolating.
Now embed this page in the target web page inside a second iframe, at the position where you want the button to appear. This second iframe places the isolated button on the page where it will be clickjacked. Do not use a border or scroll bars on this frame either. Then add text and images around the framed button so that it looks like part of the page, and add some false message to get users to click on the button.

LikeJacking: Likejacking is not a different attack. It is the clickjacking attack used to increase the likes of a Facebook page or a Facebook post. Facebook came up with a fix for this attack at its Hackathon hacking event. Although Facebook has implemented many layers of security to prevent it, hackers always find some way to perform it on Facebook.

Protection against this attack: This is a harmful attack, and it can be prevented on both the server side and the client side.

Server-side protection: The most successful server-side protection against this attack is "defending with frame-breaking scripts". The web developer adds a script to the page that prevents the page from being framed. The following code is used to prevent the page from being framed: it shows the page only when it is the top-level window, and otherwise redirects the top window to the page itself.
<style id="antiClickjack">
 body { display: none; }
</style>
<script type="text/javascript">
 // The style above hides the page until this script confirms it is not framed.
 // Place the script at the end of <body> so the body element already exists.
 if (self == top) {
   var theBody = document.getElementsByTagName('body')[0];
   theBody.style.display = "block";
 } else {
   top.location = self.location;
 }
</script>
But there are a few methods that can break this protection.

Client-side protections: There are add-ons and tools available that protect browsers against this attack.

NoScript: Without doubt, NoScript is the most useful Firefox add-on for protecting users from many types of web attacks. It also prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets. It is the best security tool against this attack.

Ghostery: This is also a nice browser extension that can be used to protect users against this attack. This privacy extension lets users detect and control the tags, web bugs, pixels and beacons on a web page that can collect data from their browsers.

As we know there is no permanent server-side solution to this attack, we should add protection to our own web browsing. So I suggest that all users use client-side solutions. If you use Mozilla Firefox, you must have the NoScript add-on in your browser; it will protect you against many types of web attacks.
