The so-called framebusting mechanism implemented in browsers to help websites prevent clickjacking attacks doesn’t live up to expectations, according to Google security engineer and Web security researcher Michal Zalewski, who released proof-of-concept code to demonstrate it.
“JavaScript allows you to exploit human cognitive abilities to a remarkable extent; tools such as window positioning, history.forward() and history.back() open some scary possibilities that we are completely unprepared to deal with,” Zalewski said on his website.
“I wanted to showcase another crude proof-of-concept illustrating why our response to clickjacking — and the treatment of it as a very narrow challenge specific to mouse clicks and iframe tags — is somewhat short-sighted,” he added.
The biggest problem with detecting and blocking clickjacking is that it uses legitimate Web programming techniques to achieve the malicious goal. The most common implementations use CSS code to make content loaded in an iframe invisible and superimpose it on a legitimate-looking element.
Facebook Targeted
The technique has regularly been used in Facebook attacks to trick users into liking spam pages by making the Like button invisible and placing it on top of a button that appeared to do something else.
In order to prevent such attacks, webmasters have long used JavaScript code to block their websites from being loaded in iframes. This type of protection is known as framebusting.
Over time, browser vendors implemented a special HTTP header called X-Frame-Options that can be used by websites to tell browsers not to load certain pages into external iframes. However, Michal Zalewski believes that this protection is insufficient and has developed a proof-of-concept clickjacking attack to prove it.
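As an added example (not from the article, and not Zalewski's proof-of-concept code), here is a small Node.js helper a site owner could use to audit whether a response carries the anti-framing header discussed above and to see how a conforming browser would act on it. It also covers the Content-Security-Policy frame-ancestors directive, the standardised successor to X-Frame-Options that the article does not mention; the origins used below are constructed sample values.

```javascript
// Added example, not code from the article or from Zalewski's proof of concept.
// It models how a browser that honours the anti-framing headers the article
// describes decides whether a page may be embedded, so a defender can audit a
// response's headers. X-Frame-Options is the header named in the article; the
// CSP "frame-ancestors" directive is its standardised successor (an addition here).

// Header names are lowercased, as Node's http client reports them.
function framingPolicy(headers) {
  const get = (name) => {
    const v = headers[name.toLowerCase()];
    return Array.isArray(v) ? v.join(', ') : (v || '');
  };
  const xfo = get('x-frame-options').trim().toUpperCase();
  const m = /(?:^|;)\s*frame-ancestors\s+([^;]+)/i.exec(get('content-security-policy'));
  const frameAncestors = m ? m[1].trim().split(/\s+/) : null;
  return {
    xfo: xfo || null, // 'DENY', 'SAMEORIGIN', or null when the header is absent
    frameAncestors,   // e.g. ["'none'"] or ["'self'", "https://a.example"], or null
    // Any of these blocks cross-site framing, which clickjacking relies on.
    protected: xfo === 'DENY' || xfo === 'SAMEORIGIN' ||
      (frameAncestors !== null && !frameAncestors.includes('*')),
  };
}

// Simplified browser decision: would a page served with `headers` render inside
// a frame whose top-level document has origin `embedderOrigin`? Wildcard source
// expressions such as https://*.example are not modelled.
function allowsEmbedding(headers, embedderOrigin, pageOrigin) {
  const p = framingPolicy(headers);
  if (p.frameAncestors) {
    // Per the CSP spec, frame-ancestors takes precedence over X-Frame-Options.
    return p.frameAncestors.some((src) =>
      src === '*' || (src === "'self'" && embedderOrigin === pageOrigin) || src === embedderOrigin);
  }
  if (p.xfo === 'DENY') return false;
  if (p.xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  // No header, or a value current browsers ignore (e.g. the obsolete ALLOW-FROM):
  // any site may frame the page, which is the baseline clickjacking relies on.
  return true;
}

// Headers a server should send to opt out of framing entirely.
const DEFENSIVE_HEADERS = {
  'x-frame-options': 'DENY',
  'content-security-policy': "frame-ancestors 'none'",
};
```

Feed it the `headers` object from a Node `http` response to check a live site; a page that comes back `protected: false` can be framed by any origin.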
According to the security researcher, there are other solutions for protecting against a wider scope of clickjacking attacks, but they aren’t popular with browser vendors at the moment because they are more complicated.
The popular NoScript security extension for Firefox is considered good at detecting and blocking clickjacking attacks, but it also has a high false-positive rate. This is not a big issue at the moment, because the add-on is aimed at power users who have enough knowledge to make decisions on their own.
However, implementing something like this directly into a browser that’s used by millions of non-technical individuals is not something vendors are likely to do.