Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lin-Shung Huang, Alex Moshchuk, Helen Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon, Microsoft Research USENIX Security 2012 Clickjacking:

Published byDarrin Scovil Modified over 10 years ago

Similar presentations

Presentation on theme: "Lin-Shung Huang, Alex Moshchuk, Helen Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon, Microsoft Research USENIX Security 2012 Clickjacking:"— Presentation transcript:

1 Lin-Shung Huang, Alex Moshchuk, Helen Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon, Microsoft Research USENIX Security 2012 Clickjacking: Attacks & Defences SIL765 paper presentation by: Rahul Goyal: 2008CS50222 Ravee Malla: 2008CS50224 Course Instructor: Prof. Huzur Saran CSE, IIT Delhi

2 Likejacking The user can be tricked into clicking button, on an attacker’s website User visits attacker.com Like button hidden behind another button

3 Clickjacking: Definition Prerequisite: Multiple mutually distrusting applications sharing the same display, and having permission to manipulate each other’s visual appearance Attacker comprimises context integrity of another app’s UI components Temporal Integrity Visual Integrity

4 Types of Context Integrity Visual IntegrityTemporal Integrity What the user sees, is actually what is present No transparent, overlayed objects Eg should be visible should be visible State of the UI between time of user checking and the time of initiating the click, remains the same

5 Compromising Visual Integrity Hide the target Partial Overlays

6 Compromising Visual Integrity Multiple cursor feedback known as cursorjacking Fake Cursor Real Cursor

7 Compromising Temporal Integrity Bait and switch: As mouse comes near “Claim you..” button, Like moves to take it’s location before the user realizes it

8 Existing Defences User confirmation Degrades user experience UI randomization Unreliable & not user-friendly. (Multi-click attacks) Framebusting (X-Frame-Options) Incompatible with embedding 3 rd -party widgets Opaque overlay policy Breaks legitimate sites Visibility detection on click Allow clicks only on elements that are visible

9 Protecting temporal integrity Imposing a delay after displaying a UI Annoying to users

10 New Attacks Demonstrated Authors conducted new exploits using Clickjacking & with and without their own patches using Amazon Mechanical Turks Reported the effectiveness of the attack Attacks: Accessing user’s webcam: Attack success: 43% Stealing user’s email: Attack success: 47% Revealing user’s identity: Attack success: 98%

11 Accessing user’s webcam Fake Cursor Real Cursor

12 Stealing user’s email

13 InContext Defence Design Goals: Should support 3 rd party object embedding Should not have to prompt users for actions Should not break existing sites Should be resilient to new attacks

14 Basic Idea Techniques to ensure user is always InContext of the sensitive UI in interaction Websites can indicate their sensitive UI Browsers can enforce context integrity rules on these sensitive UIs

15 Ensuring visual integrity of target OS can compare the screenshot of sensitive UI with the reference bitmap provided 30ms overhead on click processing

16 Ensuring visual integrity of pointer Remove cursor customization Freeze screen

17 Ensuring visual integrity of pointer Lightbox effect around target on pointer entry

18 Ensuring temporal integrity UI Delay On a visual change, all buttons are inactive for a certain time Pointer Re-entry: On a visual change, invalidate clicks till pointer re-enters the UI

19 Conclusions & Extensions Demonstrate clickjacking variants and dangers Show effective defences (success 43-98%) Our Extensions: Replicate the studies and test the effectiveness of defences Explore other methods/cases where Clickjacking can be used as an exploit

20 Questions & Comments. Thanks

Download ppt "Lin-Shung Huang, Alex Moshchuk, Helen Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon, Microsoft Research USENIX Security 2012 Clickjacking:"

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Presentation Prepared For:. Secure user Login provides access to specific ship-to addresses, customer catalog, order processing rules, and other account-based.

Presentation Prepared For:. Secure user Login provides access to specific ship-to addresses, customer catalog, order processing rules, and other account-based.
Using PeopleSoft’s User Productivity Kit (UPK)

Using PeopleSoft’s User Productivity Kit (UPK)
PC Encryption installation progress/password screen Includes comments from: Encryption team Sarah Deane Tony Stieber Selected people who took part in the.

PC Encryption installation progress/password screen Includes comments from: Encryption team Sarah Deane Tony Stieber Selected people who took part in the.
Putting the Portal to Work Stuart Forman and Vicky Brett TBN Members Day Presentation 15 th Nov 2008.

Putting the Portal to Work Stuart Forman and Vicky Brett TBN Members Day Presentation 15 th Nov 2008.
Student Getting Started Guide *Updated December 2011 to include information on Integrated Digital Book/MindTap Reader.

Student Getting Started Guide *Updated December 2011 to include information on Integrated Digital Book/MindTap Reader.
Alex Crowell, Rutgers University Computer Science and Mathematics Advisor: Prof. Danfeng Yao, Computer Science Department.

Alex Crowell, Rutgers University Computer Science and Mathematics Advisor: Prof. Danfeng Yao, Computer Science Department.
User-Driven Access Control Rethinking Permission Granting in Modern OSes Franziska Roesner, Tadayoshi Kohno University of Washington Alexander Moshchuk,

User-Driven Access Control Rethinking Permission Granting in Modern OSes Franziska Roesner, Tadayoshi Kohno University of Washington Alexander Moshchuk,
Using Track Changes in Microsoft Word 2003. Navigating Directions Click on the arrows or the home button located in the bottom right-hand corner of each.

Using Track Changes in Microsoft Word Navigating Directions Click on the arrows or the home button located in the bottom right-hand corner of each.
Phishing Scams use spoofed emails and websites as lures to prompt people to voluntarily hand over sensitive information Phishing emails may contain.

Phishing Scams use spoofed s and websites as lures to prompt people to voluntarily hand over sensitive information Phishing s may contain.
Clickjacking Attacks and Defenses.

Clickjacking Attacks and Defenses.
Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.

Social Network Security Issues: Social Engineering and Phishing Attacks Jeffrey Allen, Leon Gomez, Marlon Green, Phillip Ricciardi, Christian Sanabria.
Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams.

Bsharah Presentation Threats to Information Security Protecting Your Personal Information from Phishing Scams.
MyITLab First Day of Class Registration Walkthrough.

MyITLab First Day of Class Registration Walkthrough.
Clickjacking: Attacks and Defenses Lin-Shung Huang, Alexander Moshchuk, Helen J. Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon University.

Clickjacking: Attacks and Defenses Lin-Shung Huang, Alexander Moshchuk, Helen J. Wang, Stuart Schechter, and Collin Jackson Carnegie Mellon University.
Internet Phishing Not the kind of Fishing you are used to.

Internet Phishing Not the kind of Fishing you are used to.
Midterm Several high 90s Average: 91% = A-. Project – Evaluation Plan See doc Exercise: plan for your evaluation now in- class!

Midterm Several high 90s Average: 91% = A-. Project – Evaluation Plan See doc Exercise: plan for your evaluation now in- class!
Project 8 Interim Presentation Feedback System for UCI Library Help Section Dastyni Loksa Dawei Wang Linus Siska Devin Pigera Client : Christopher Davis.

Project 8 Interim Presentation Feedback System for UCI Library Help Section Dastyni Loksa Dawei Wang Linus Siska Devin Pigera Client : Christopher Davis.
Interaction Styles Interface Widgets. What are Interaction Styles?  A Collection of interface objects and associated techniques from which an interaction.

Interaction Styles Interface Widgets. What are Interaction Styles?  A Collection of interface objects and associated techniques from which an interaction.

Similar presentations

Ads by Google