It’s possible to craft a malicious website so that a user’s clicks are secretly redirected to a legitimate site in a way that steals a user’s passwords and other data. Many Web developers have added protections to block the tactic on standard websites, but Stanford University researchers warn that there are not nearly enough defenses against the technique on mobile websites, which are accessed from devices such as the iPhone.
As a result, a smart-phone user could think he’s tapping to check a baseball score but is actually tapping on a button in a hidden page to confirm a money transfer.
Mobile users could be especially vulnerable to such tricks. For one thing, on smart phones, the parts of the user interface that indicate whether a page is secure generally appear in the browser bar, which usually disappears to maximize the screen area. Because the browser usually fills the whole screen of the phone, an attacker can “draw anything he wants on the screen, and the user cannot tell what’s real and what is from the attacker,” says Elie Bursztein, a postdoctoral fellow at the Security Laboratory at Stanford University.
Above all, mobile devices are becoming fatter targets, Bursztein says, because people are spending more time on them and exchanging important data. “People buy things on their phone, they use Facebook and Twitter, and soon enough they will be doing banking on the phone,” he says.
Bursztein and the other Stanford researchers presented their findings at last week’s Workshop on Offensive Technologies (WOOT) workshop. They called the problem “tapjacking,” a reference to “clickjacking,” a term used when the same method of attack is used on a PC browser.
“This is a bunch of small hacks hung together to create a big problem,” says Kevin Mahaffey, chief technology officer of Lookout, a security firm that focuses on mobile devices. “And it will take a lot of concerted effort to solve the problem.”
Clickjacking was described in a 2008 report by two researchers, Robert Hansen of SecTheory and Jeremiah Grossman of WhiteHat Security. They showed how malicious user-interface overlays, typically invisible browser frames that capture a user’s actions, could lead victims to believe they are interacting with one Web page, when in reality their clicks are being captured by a completely different page. The users do not have to have their computers infected with a virus or Trojan. They just have to go to a website that displays content–such as a Flash advertisement–controlled by the attacker.
Browser makers could block the problem by preventing Web pages from accessing other domains. But that would break a lot of features used for legitimate purposes, including advertising. Instead, browser makers have given website developers the ability to allow programming scripts to run only if they come from approved external sites.
Developers also can run “frame-busting” code to prevent a website from creating an invisible frame to display another page. But while some websites have implemented such defenses to prevent clickjacking, sites created specifically for mobile devices rarely have the defenses. The Stanford researchers found frame-busting code on one out of every seven sites that appear in Alexa’s count of the Web’s 500 most popular sites. More than half of Alexa’s top 500 have a specific portal for mobile devices, but only two of those mobile sites had the frame-busting defenses.
“Mobile website security should be taken as seriously as nonmobile website security–otherwise, bad things can happen,” Bursztein says.
In addition to the standard exploits of clickjacking, tapjacking could also enable an attacker to grab the credentials of the user’s home wireless network. From there, an attacker could determine the physical location of the wireless network as well. The technique would be relatively straightforward on phones, says Craig Heffner, a security consultant who presented on home router issues at the recent Black Hat conference.