{"id":16174,"date":"2019-08-27T10:10:03","date_gmt":"2019-08-27T18:10:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/08\/27\/news-9917\/"},"modified":"2019-08-27T10:10:03","modified_gmt":"2019-08-27T18:10:03","slug":"news-9917","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/08\/27\/news-9917\/","title":{"rendered":"Study explores clickjacking problem across top Alexa-ranked websites"},"content":{"rendered":"

Credit to Author: Christopher Boyd| Date: Tue, 27 Aug 2019 17:36:52 +0000<\/strong><\/p>\n

Clickjacking<\/a> has been around for a long time, working hand-in-hand with the unwitting person doing the clicking to send them to parts unknown\u2014often at the expense of site owners. Scammers achieve this by hiding the page object the victim thinks<\/em> they\u2019re clicking on under a layer (or layers) of obfuscation. Invisible page elements like buttons, translucent boxes, invisible frames, and more are some of the ways this attack can take place.<\/p>\n

Despite being an old tool, clickjacking is becoming a worsening problem on the web. Let’s explore how clickjacking works, recent research on clickjacking, including the results of a study examining the top 250,000 Alexa-ranked websites, and other ways in which researchers and site owners are trying to better protect users from this type of attack.<\/p>\n

Laying the groundwork<\/h3>\n

There are many targets of clickjacking.\u00a0<\/span><\/p>\n

Cursors, cookies, files, even your social media likes. Traditionally, an awful lot of clickjacking relates to adverts and fraudulent money making. In the early days of online ad programs, certain keywords that brought a big cash return for clicks became popular targets for scammers. Where they couldn\u2019t get people to unintentionally click on an ad, they\u2019d try to automate the process instead.<\/p>\n

Here\u2019s an example from 2016, playing on the seemingly never-ending European cookie law messages<\/a> on every website ever. Pop a legitimate ad, make it invisible, and overlay it across a Cookie pop-up. At that point, it\u2019s unintentional advert time.<\/p>\n

This is not to say clickjacking techniques are stagnant; here\u2019s a good example<\/a> of how these attacks are tough to deal with.<\/p>\n

Clickjacking: back in fashion<\/h3>\n

There\u2019s a lot of clickjack-related activity taking place at the moment, so researchers are publishing their works and helping others take steps to secure browsers.<\/p>\n

One of those research pieces is called All your clicks belong to me: investigating click interception on the web<\/a>, focusing on JavaScript-centric URL access. I was hoping the recording of the talk from USENIX Security Symposium<\/a> would be available to link in this blog, but it\u2019s not currently online yet\u2014when it is, I\u2019ll add it. The talk is all about building a way to observe possible clickjack activity on some of the most popular websites in the world and reporting back with the findings.<\/p>\n

Researchers from a wide variety of locations and organisations pooled resources and came up with something called \u201cObserver,\u201d a customised version of Chromium, the open-source browser. With it, they can essentially see under the hood of web activity and tell at a glance the point of origin of URLs from every link.<\/p>\n

As per the research paper, Observer focuses on three actions JavaScript code may perform in order to intercept a click:<\/p>\n