Wednesday, February 25, 2009

Latest ClickJacking Twitter Exploit vs. Browsers (IE, FireFox, NoScript)

Cool! Dan Goodin over at The Register picked this up too...

1:38pm - Update
- Interestingly enough, I finally took a peek as to why this wasn't working; the original writer of the 'sploit didn't have the mouse cursor positioned properly within the iFrame to click the UPDATE button. {x - 40} and {y - 120} works perfectly :)


ClickJacking has once again come to Twitter! <-- Proof-of-Concept link

You've heard IT security folks talk about it, you've wondered what it really means, and maybe you've even seen the WebCam example of ClickJacking; but you're not really sure what the big deal is, right?

ClickJacking is a pretty nasty attack, and what's worse, your browser may not really help you much against the UI redress attack (as it was originally called). The problem here is that ClickJacking isn't a vulnerability or defect in a browser, rather, it's an attack against an HTML standard... whoops!

Today Twitter was abuzz with the latest (the 2nd one by my count) ClickJacking exploit in as many weeks, and it was interesting to see. I wanted to point out some interesting things in this exploit, and show some of the things that make these types of attacks dangerous. As a side effect, I took some screen shots of this exploit (and one RSnake mocked up for me) in different browsers just to see how things looked.

The original page had very little opacity set up, meaning the iFrame they're using doesn't disappear, so it's not really an exploit per se. But RSnake's mock-up ratchets up the opacity on the iFrame so as to make it appear a little more dangerous... keep reading.

First, the URL referenced above looks like this in Windows Vista/Service Pack 1/IE 7.0.6001.18000:

... you'll notice that it is essentially all white (strange how IE renders these), but some weird pop-up comes up asking you to save a file? Internet Explorer 7 obviously has some quirks here...

Next you can see what FireFox looks like on that same URL... naked (Vista/Service Pack 1 FireFox 3.0.6 with NoScript (latest)):

See the difference? In IE all you saw was a white box around your cursor (that was the iFrame moving with your mouse) but in FireFox you'll notice that you see the actual iFrame displayed (still following your cursor diligently).

The reason the iFrame follows your cursor is this piece of code:

    <script type="text/javascript">
    function mouseFollower(e){
      // IE (document.all) exposes a global event object and has no e.pageX/pageY
      x = (!document.all)? e.pageX : event.x+document.body.scrollLeft;
      y = (!document.all)? e.pageY : event.y+document.body.scrollTop;
      // Reposition the absolutely positioned iFrame so the target button sits under the cursor
      var iframe = document.getElementById('iframe');
      iframe.style.left = (x - 30) + 'px';
      iframe.style.top = (y - 108) + 'px';
    }
    document.onmousemove = mouseFollower;
    </script>

Also, you'll notice if you look at the page, that the opacity isn't really set very high:

    iframe {
      position: absolute; width: 60px; height: 118px; z-index: 2;
      opacity: 0.5;
      /* IE's alpha filter takes 0-100, not 0-1, so this is not the 50% the opacity rule asks for */
      filter: alpha(opacity=0.5);
    }

And of course, the page being framed in here is the login page as so:

    <!-- src pointed at the Twitter login page (the URL is omitted here) -->
    <iframe id="iframe" src="" scrolling="no"></iframe>
Now... let's look at RSnake's mock-up with opacity turned up... a lot.

Here is what Internet Explorer sees when the opacity is turned up:

Now the same page viewed in Firefox, with NoScript turned on... and you'll notice that you can barely see the iFrame this time (as opacity has been turned up) but when you click... ta-da....

So fundamentally... IE is broken somehow, some way - and it not only goes and dumps a white box instead of the actual iFrame (unsure why... need more looking) but the pop-up is perhaps due to something entirely unrelated to the clickjack attempt.

So... as a final thought - use FireFox + NoScript... save yourself from strange things that go bump on the 'net.
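NoScript is a client-side fix; the control that belongs on the framed site itself is an anti-framing response header, which makes the browser refuse to render the login page inside a foreign iframe so there is nothing under the cursor to click. The following is an added example (not code from the post or from Twitter) that decides, from a response's headers, whether an embedding origin may frame the page; the origins it uses are constructed placeholders.

```javascript
// Added example: evaluate X-Frame-Options and CSP frame-ancestors for a page.
// canBeFramed(headers, embedderOrigin, pageOrigin) -> true if the browser
// would render pageOrigin inside an iframe on embedderOrigin.

function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list, or null if the directive is absent.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

function sourceMatches(source, origin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return origin === pageOrigin;
  if (s === '*') return true;
  const [oScheme, oHost] = origin.split('://');
  let scheme = oScheme, host = s;            // scheme-less source: host only
  if (s.includes('://')) [scheme, host] = s.split('://');
  if (scheme !== oScheme) return false;
  if (host.startsWith('*.')) return oHost.endsWith(host.slice(1)); // *.a.b
  return host === oHost;
}

function canBeFramed(headers, embedderOrigin, pageOrigin) {
  const h = {};                              // header names are case-insensitive
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // When frame-ancestors is present it takes precedence over X-Frame-Options.
  const csp = h['content-security-policy'];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors) {                           // an empty list means 'none'
    return ancestors.some(src => sourceMatches(src, embedderOrigin, pageOrigin));
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true;                               // no header at all: anyone may frame it
}

// Constructed demo: a login page at PAGE, an attacker's page at ATTACKER.
const PAGE = 'https://login.example', ATTACKER = 'https://attacker.example';
const hardened = { 'X-Frame-Options': 'DENY',
                   'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" };
console.log(canBeFramed({}, ATTACKER, PAGE));        // true: framable, as in the post
console.log(canBeFramed(hardened, ATTACKER, PAGE));  // false
console.log(canBeFramed(hardened, PAGE, PAGE));      // true: only its own origin
```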


Anonymous said...

The iframe was intentionally left visible as I just wanted to demonstrate the exploit rather than actually trick unsuspecting users.

Thanks for the write up.

Anonymous said...

Also I suspect the white box rather than the iframe is down to the CSS I used.

Rafal Los said...

@Tom Graham - Brilliant showing, btw... Can you shoot me an email with your contact info? I'd like to talk more in-depth about this issue.