Skip to Content

Mobile Flaw Could Cloak Clicks

Researchers demonstrate that mobile phones are exceptionally vulnerable to a browser bait and switch.
August 17, 2010

It’s possible to craft a malicious website so that a user’s clicks are secretly redirected to a legitimate site in a way that steals a user’s passwords and other data. Many Web developers have added protections to block the tactic on standard websites, but Stanford University researchers warn that there are not nearly enough defenses against the technique on mobile websites, which are accessed from devices such as the iPhone.

As a result, a smart-phone user could think he’s tapping to check a baseball score but is actually tapping on a button in a hidden page to confirm a money transfer.

Mobile users could be especially vulnerable to such tricks. For one thing, on smart phones, the parts of the user interface that indicate whether a page is secure generally appear in the browser bar, which usually disappears to maximize the screen area. Because the browser usually fills the whole screen of the phone, an attacker can “draw anything he wants on the screen, and the user cannot tell what’s real and what is from the attacker,” says Elie Bursztein, a postdoctoral fellow at the Security Laboratory at Stanford University.

Above all, mobile devices are becoming fatter targets, Bursztein says, because people are spending more time on them and exchanging important data. “People buy things on their phone, they use Facebook and Twitter, and soon enough they will be doing banking on the phone,” he says.

Bursztein and the other Stanford researchers presented their findings at last week’s Workshop on Offensive Technologies (WOOT) workshop. They called the problem “tapjacking,” a reference to “clickjacking,” a term used when the same method of attack is used on a PC browser.

“This is a bunch of small hacks hung together to create a big problem,” says Kevin Mahaffey, chief technology officer of Lookout, a security firm that focuses on mobile devices. “And it will take a lot of concerted effort to solve the problem.”

Clickjacking was described in a 2008 report by two researchers, Robert Hansen of SecTheory and Jeremiah Grossman of WhiteHat Security. They showed how malicious user-interface overlays, typically invisible browser frames that capture a user’s actions, could lead victims to believe they are interacting with one Web page, when in reality their clicks are being captured by a completely different page. The users do not have to have their computers infected with a virus or Trojan. They just have to go to a website that displays content–such as a Flash advertisement–controlled by the attacker.

Browser makers could block the problem by preventing Web pages from accessing other domains. But that would break a lot of features used for legitimate purposes, including advertising. Instead, browser makers have given website developers the ability to allow programming scripts to run only if they come from approved external sites.

Developers also can run “frame-busting” code to prevent a website from creating an invisible frame to display another page. But while some websites have implemented such defenses to prevent clickjacking, sites created specifically for mobile devices rarely have the defenses. The Stanford researchers found frame-busting code on one out of every seven sites that appear in Alexa’s count of the Web’s 500 most popular sites. More than half of Alexa’s top 500 have a specific portal for mobile devices, but only two of those mobile sites had the frame-busting defenses.

“Mobile website security should be taken as seriously as nonmobile website security–otherwise, bad things can happen,” Bursztein says.

In addition to the standard exploits of clickjacking, tapjacking could also enable an attacker to grab the credentials of the user’s home wireless network. From there, an attacker could determine the physical location of the wireless network as well. The technique would be relatively straightforward on phones, says Craig Heffner, a security consultant who presented on home router issues at the recent Black Hat conference.

Keep Reading

Most Popular

Geoffrey Hinton tells us why he’s now scared of the tech he helped build

“I have suddenly switched my views on whether these things are going to be more intelligent than us.”

Meet the people who use Notion to plan their whole lives

The workplace tool’s appeal extends far beyond organizing work projects. Many users find it’s just as useful for managing their free time.

Learning to code isn’t enough

Historically, learn-to-code efforts have provided opportunities for the few, but new efforts are aiming to be inclusive.

Deep learning pioneer Geoffrey Hinton has quit Google

Hinton will be speaking at EmTech Digital on Wednesday.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.