
Mobile Flaw Could Cloak Clicks

Researchers demonstrate that mobile phones are exceptionally vulnerable to a browser bait and switch.

It’s possible to craft a malicious website so that a user’s clicks are secretly redirected to a legitimate site in a way that steals a user’s passwords and other data. Many Web developers have added protections to block the tactic on standard websites, but Stanford University researchers warn that there are not nearly enough defenses against the technique on mobile websites, which are accessed from devices such as the iPhone.

As a result, a smart-phone user could think he’s tapping to check a baseball score but is actually tapping on a button in a hidden page to confirm a money transfer.

This story is part of our July/August 2010 Issue

Mobile users could be especially vulnerable to such tricks. For one thing, on smart phones, the parts of the user interface that indicate whether a page is secure generally appear in the browser bar, which usually disappears to maximize the screen area. Because the browser usually fills the whole screen of the phone, an attacker can “draw anything he wants on the screen, and the user cannot tell what’s real and what is from the attacker,” says Elie Bursztein, a postdoctoral fellow at the Security Laboratory at Stanford University.

Above all, mobile devices are becoming fatter targets, Bursztein says, because people are spending more time on them and exchanging important data. “People buy things on their phone, they use Facebook and Twitter, and soon enough they will be doing banking on the phone,” he says.

Bursztein and the other Stanford researchers presented their findings at last week’s Workshop on Offensive Technologies (WOOT). They called the problem “tapjacking,” a reference to “clickjacking,” the term used when the same method of attack is used against a PC browser.

“This is a bunch of small hacks hung together to create a big problem,” says Kevin Mahaffey, chief technology officer of Lookout, a security firm that focuses on mobile devices. “And it will take a lot of concerted effort to solve the problem.”

Clickjacking was described in a 2008 report by two researchers, Robert Hansen of SecTheory and Jeremiah Grossman of WhiteHat Security. They showed how malicious user-interface overlays, typically invisible browser frames that capture a user’s actions, could lead victims to believe they are interacting with one Web page, when in reality their clicks are being captured by a completely different page. The users do not have to have their computers infected with a virus or Trojan. They just have to go to a website that displays content, such as a Flash advertisement, controlled by the attacker.

Browser makers could block the problem by preventing Web pages from accessing other domains. But that would break a lot of features used for legitimate purposes, including advertising. Instead, browser makers have given website developers the ability to allow programming scripts to run only if they come from approved external sites.

Developers also can run “frame-busting” code to prevent a website from creating an invisible frame to display another page. But while some websites have implemented such defenses to prevent clickjacking, sites created specifically for mobile devices rarely have the defenses. The Stanford researchers found frame-busting code on one out of every seven sites that appear in Alexa’s count of the Web’s 500 most popular sites. More than half of Alexa’s top 500 have a specific portal for mobile devices, but only two of those mobile sites had the frame-busting defenses.
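The two defenses the last two paragraphs describe, a site telling the browser which framing it will accept and script-based “frame-busting”, are shown below as an added example; it is not code from the article or from the Stanford researchers. The header names (`X-Frame-Options`, `Content-Security-Policy frame-ancestors`) are real browser features that the article does not name; the `isFramed`/`frameBust` functions, the audit helper and the sample responses for `example.test` are constructed for illustration.

```javascript
'use strict';

// --- 1. Script-based frame-busting ------------------------------------------
// A page that is not inside a frame has window.top === window.self. `win` is
// passed in (rather than using the global `window`) so the logic can be run
// and tested outside a browser.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    // Some browsers throw on cross-origin access to win.top; treat as framed.
    return true;
  }
}

// Classic frame-buster: if we are framed, navigate the top window to our own
// URL so the attacker's overlay disappears. Returns the action taken.
function frameBust(win) {
  if (!isFramed(win)) return 'not-framed';
  try {
    win.top.location = win.self.location.href;
    return 'busted';
  } catch (e) {
    // If the framing page blocks the navigation, remove every clickable
    // element so a hidden overlay has nothing to capture.
    win.document.body.innerHTML = '';
    return 'blanked';
  }
}

// --- 2. Browser-enforced anti-framing headers ------------------------------
// These are applied by the browser before any page script runs, so they hold
// even when script-based frame-busting is defeated. `allowSameOrigin` lets
// a site frame its own pages (e.g. a widget) while refusing everyone else.
function antiFramingHeaders(allowSameOrigin) {
  return {
    'X-Frame-Options': allowSameOrigin ? 'SAMEORIGIN' : 'DENY',
    'Content-Security-Policy': allowSameOrigin
      ? "frame-ancestors 'self'"
      : "frame-ancestors 'none'",
  };
}

// --- 3. Audit helper in the spirit of the Stanford survey ------------------
// Given a fetched response {url, headers, body}, report which defense (if any)
// the page carries. Header names are matched case-insensitively; the body is
// searched for the common `top !== self` style frame-busting idiom.
const FRAME_BUST_RE =
  /\b(top|parent)\s*!==?\s*(self|window)\b|\b(self|window)\s*!==?\s*(top|parent)\b/;

function hasFramingDefense(resp) {
  const h = {};
  for (const [k, v] of Object.entries(resp.headers || {})) h[k.toLowerCase()] = v;
  if (h['x-frame-options']) return 'header:x-frame-options';
  if (/frame-ancestors/i.test(h['content-security-policy'] || '')) return 'header:csp';
  if (FRAME_BUST_RE.test(resp.body || '')) return 'script';
  return null;
}

// Count protected vs. unprotected pages; a mobile portal without a defense is
// exactly the gap the article describes.
function auditSites(responses) {
  const report = { protected: [], unprotected: [] };
  for (const r of responses) {
    (hasFramingDefense(r) ? report.protected : report.unprotected).push(r.url);
  }
  return report;
}

// Constructed sample: the desktop site sends a header, the mobile portal
// sends nothing, and a third site relies on inline frame-busting script.
const SAMPLE_RESPONSES = [
  { url: 'https://www.example.test/', headers: { 'X-Frame-Options': 'DENY' }, body: '<html>...</html>' },
  { url: 'https://m.example.test/', headers: { 'Content-Type': 'text/html' }, body: '<html>...</html>' },
  { url: 'https://bank.example.test/', headers: {},
    body: '<script>if (top !== self) { top.location = self.location; }</script>' },
];

if (typeof module !== 'undefined' && require.main === module) {
  console.log(auditSites(SAMPLE_RESPONSES));
}
```

Running the block prints the audit for the constructed sample: the desktop site and the bank page count as protected, the mobile portal does not. The header-based defense is the one to prefer in practice, because script-based frame-busting only takes effect after the page has loaded inside the attacker's frame and can be interfered with by the framing page.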

“Mobile website security should be taken as seriously as nonmobile website security–otherwise, bad things can happen,” Bursztein says.

In addition to the standard exploits of clickjacking, tapjacking could also enable an attacker to grab the credentials of the user’s home wireless network. From there, an attacker could determine the physical location of the wireless network as well. The technique would be relatively straightforward on phones, says Craig Heffner, a security consultant who presented on home router issues at the recent Black Hat conference.
