It’s possible to craft a malicious website so that a user’s clicks are secretly redirected to a legitimate site in a way that steals a user’s passwords and other data. Many Web developers have added protections to block the tactic on standard websites, but Stanford University researchers warn that there are not nearly enough defenses against the technique on mobile websites, which are accessed from devices such as the iPhone.
As a result, a smart-phone user could think he’s tapping to check a baseball score but is actually tapping on a button in a hidden page to confirm a money transfer.
Mobile users could be especially vulnerable to such tricks. For one thing, on smart phones, the parts of the user interface that indicate whether a page is secure generally appear in the browser bar, which usually disappears to maximize the screen area. Because the browser usually fills the whole screen of the phone, an attacker can “draw anything he wants on the screen, and the user cannot tell what’s real and what is from the attacker,” says Elie Bursztein, a postdoctoral fellow at the Security Laboratory at Stanford University.
Above all, mobile devices are becoming fatter targets, Bursztein says, because people are spending more time on them and exchanging important data. “People buy things on their phone, they use Facebook and Twitter, and soon enough they will be doing banking on the phone,” he says.
Bursztein and the other Stanford researchers presented their findings at last week’s Workshop on Offensive Technologies (WOOT) workshop. They called the problem “tapjacking,” a reference to “clickjacking,” a term used when the same method of attack is used on a PC browser.
“This is a bunch of small hacks hung together to create a big problem,” says Kevin Mahaffey, chief technology officer of Lookout, a security firm that focuses on mobile devices. “And it will take a lot of concerted effort to solve the problem.”