On the Fragility and Limitations of Current Browser-provided Clickjacking Protection Schemes

Sebastian Lekies, Mario Heiderich, Dennis Appelt, Thorsten Holz, Martin Johns

6th USENIX Workshop on Offensive Technologies (WOOT), Bellevue, WA, August 2012


Abstract

An important and timely attack technique on the Web is Clickjacking (also called UI redressing), in which an attacker tricks the unsuspicious victim into clicking on a specific element without his explicit knowledge about where he is actually clicking. In order to protect their websites from being exploitable, many web masters deployed different countermeasures to this kind of attack.

In this paper, we explore the limitations and shortcomings of current anti-clickjacking approaches and present several bypasses of state-of-the-art tools, including an attack we call Nested Clickjacking that enables us to perform Clickjacking against the social network Google+. Furthermore, we present the results of a large scale empirical study on the usage of current anti-clickjacking mechanisms on about 2 million web pages. The results of our analysis show that about 15% of the analyzed web sites protect themselves against Clickjacking.


Tags: security, web