The so-called framebusting mechanism implemented in browsers to help websites prevent clickjacking attacks doesn’t live up to expectations, according to Google security engineer and Web security researcher Michal Zalewski, who released proof-of-concept code to demonstrate it.
“I wanted to showcase another crude proof-of-concept illustrating why our response to clickjacking — and the treatment of it as a very narrow challenge specific to mouse clicks and iframe tags — is somewhat short-sighted,” he added.
Clickjacking, also known as user interface (UI) redressing, is a type of attack whose purpose is to trick users into performing unauthorized actions by misrepresenting the content displayed in their browsers.
The biggest problem with detecting and blocking clickjacking is that it uses legitimate Web programming techniques to achieve the malicious goal. The most common implementations use CSS code to make content loaded in an iframe invisible and superimpose it on a legitimate-looking element.
The technique has regularly been used in Facebook attacks to trick users into liking spam pages by making the Like button invisible and placing it on top of a button that appeared to do something else.
Over time, browser vendors implemented a special HTTP header called X-Frame-Options that can be used by websites to tell browsers not to load certain pages into external iframes. However, Michal Zalewski believes that this protection is insufficient and has developed a proof-of-concept clickjacking attack to prove it.
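The header described above is easy to set but also easy to get subtly wrong, so the following added example (written for this article, not code from Google, Zalewski or any browser vendor) shows a small audit function that classifies how a response may be framed from its headers, together with a minimal server handler that sends the protective headers. It goes slightly beyond the article by also recognising the `frame-ancestors` directive of Content-Security-Policy, the standardised successor to X-Frame-Options, which browsers that support it prefer over the older header. The header sets in `SAMPLE_RESPONSES` are constructed for illustration; the hostname `https://app.example` is a placeholder.

```python
"""Audit anti-framing headers on an HTTP response (added example, not from the article)."""
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_x_frame_options(value):
    """Parse an X-Frame-Options value into (policy, origin).

    policy is one of 'absent', 'deny', 'sameorigin', 'allow-from' or 'invalid'.
    Browsers ignore values they cannot parse, so 'invalid' gives no protection.
    """
    if value is None:
        return ("absent", None)
    parts = value.strip().split(None, 1)
    token = parts[0].upper() if parts else ""
    if token == "DENY" and len(parts) == 1:
        return ("deny", None)
    if token == "SAMEORIGIN" and len(parts) == 1:
        return ("sameorigin", None)
    if token == "ALLOW-FROM" and len(parts) == 2:
        return ("allow-from", parts[1].strip())
    return ("invalid", None)


def parse_frame_ancestors(csp):
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    if csp is None:
        return None
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_assessment(headers):
    """Classify how a page may be embedded, from a dict of response headers.

    Header names are matched case-insensitively. CSP frame-ancestors, when present,
    is evaluated first because supporting browsers give it precedence.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_frame_ancestors(h.get("content-security-policy"))
    if ancestors is not None:
        if ancestors == ["'none'"]:
            return "blocked"
        if ancestors == ["'self'"]:
            return "same-origin only"
        return "restricted to: " + " ".join(ancestors)
    policy, origin = parse_x_frame_options(h.get("x-frame-options"))
    if policy == "deny":
        return "blocked"
    if policy == "sameorigin":
        return "same-origin only"
    if policy == "allow-from":
        # ALLOW-FROM was never implemented by every browser; flag it for review.
        return f"restricted to: {origin} (ALLOW-FROM is not honoured by all browsers)"
    if policy == "invalid":
        return "invalid header value; treat as unprotected"
    return "unprotected"


# Constructed header sets illustrating the cases the audit distinguishes.
SAMPLE_RESPONSES = {
    "no header at all": {"Content-Type": "text/html"},
    "legacy header": {"X-Frame-Options": "SAMEORIGIN"},
    "malformed header": {"X-Frame-Options": "DENY; SAMEORIGIN"},
    "modern plus legacy": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "SAMEORIGIN",
    },
}


class ProtectedHandler(BaseHTTPRequestHandler):
    """Serve a page that declines to be framed, sending both old and new headers."""

    def do_GET(self):
        body = b"<h1>Account settings</h1>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("X-Frame-Options", "DENY")
        self.send_header("Content-Security-Policy", "frame-ancestors 'none'")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label:>20}: {framing_assessment(hdrs)}")
    # Serve the protected page locally; load it inside an iframe to see the browser refuse.
    HTTPServer(("127.0.0.1", 8000), ProtectedHandler).serve_forever()
```

Running the script prints the assessment for each constructed header set and then serves the protected page on port 8000. The malformed case is the one worth remembering: a header that is present but unparsable is silently dropped by the browser, so an audit that only checks whether the header exists would wrongly report the page as protected.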
According to the security researcher, there are other solutions for protecting against a wider scope of clickjacking attacks, but they aren’t popular with browser vendors at the moment because they are more complicated.
The popular NoScript security extension for Firefox is considered good at detecting and blocking clickjacking attacks, but it also has a high false-positive rate. This is not a big issue at the moment, because the add-on is aimed at power users who have enough knowledge to make decisions on their own.
However, implementing something like this directly into a browser that’s used by millions of non-technical individuals is not something vendors are likely to do.