Clickjacking Revisited: A Perceptual View of UI Security
Devdatta Akhawe / Warren He / Zhiwei Li / Reza Moazzezi / Dawn Song
University of California, Berkeley
Black Hat Briefings (slide transcript)

Clickjacking is a malicious technique of tricking a Web user into clicking on something different from what the user perceives (Wikipedia).
Today
• Five novel clickjacking attacks that bypass current defenses
• Evaluation with 250 users on MTurk
Attack Setup
• Attacker wants to trick user into clicking a button, in our case, the Facebook Like button
• Attacker convinces user to play a game on attacker controlled webpage
• Attacker can frame the Facebook Like button, but has no control over the FB display area/frame
• Attacker has full control of remaining display area
Attacker page
A successful attack (bypassing current defenses) requires the Like button to be fully visible for a noticeable amount of time (say ~500ms)
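The defense this slide refers to, a framed widget that honours a click only after it has been fully visible and unobscured for a continuous interval, can be written as a small state machine. The block below is an added example for this transcript, not code from the authors or from Facebook. The 500 ms threshold is taken from the slide's "~500ms"; the event timeline is constructed, and `onVisibilityChange` assumes the embedding browser reports when the widget becomes fully visible or occluded (Chrome's IntersectionObserver v2, with `trackVisibility: true` and an entry's `isVisible`, is one real source of such a signal).

```javascript
// Added example: a visibility-delay guard for a framed widget (e.g. a Like
// button). A click is honoured only if the widget has been fully visible and
// unobscured for at least minVisibleMs of *continuous* time before the click.
// The threshold and the event timeline below are constructed for illustration.

const MIN_VISIBLE_MS = 500; // assumed threshold; the slide says "~500ms"

class VisibilityDelayGuard {
  constructor(minVisibleMs = MIN_VISIBLE_MS) {
    this.minVisibleMs = minVisibleMs;
    this.visibleSince = null; // timestamp at which continuous visibility began
  }

  // Called by the widget whenever the browser reports a visibility change.
  // `fullyVisible` is assumed to be true only when the widget is entirely in
  // the viewport and nothing is painted over it.
  onVisibilityChange(timestamp, fullyVisible) {
    if (!fullyVisible) {
      this.visibleSince = null; // any occlusion, scroll-out or resize resets the clock
    } else if (this.visibleSince === null) {
      this.visibleSince = timestamp;
    }
  }

  // Decide whether a click arriving at `timestamp` should be acted upon.
  shouldAcceptClick(timestamp) {
    if (this.visibleSince === null) return false;
    return timestamp - this.visibleSince >= this.minVisibleMs;
  }
}

// Replay a timeline of {type:'visibility', t, visible} and {type:'click', t}
// events through a fresh guard and return one decision per click.
function replay(events, minVisibleMs = MIN_VISIBLE_MS) {
  const guard = new VisibilityDelayGuard(minVisibleMs);
  const decisions = [];
  for (const ev of events) {
    if (ev.type === 'visibility') {
      guard.onVisibilityChange(ev.t, ev.visible);
    } else if (ev.type === 'click') {
      decisions.push({ t: ev.t, accepted: guard.shouldAcceptClick(ev.t) });
    } else {
      throw new Error(`unknown event type: ${ev.type}`);
    }
  }
  return decisions;
}

// Constructed timeline (milliseconds since the widget was inserted into the page).
const SAMPLE_EVENTS = [
  { type: 'visibility', t: 0, visible: true },    // widget first fully shown
  { type: 'click', t: 200 },                      // only 200 ms visible: rejected
  { type: 'visibility', t: 300, visible: false }, // something is drawn over it
  { type: 'visibility', t: 350, visible: true },  // uncovered again; clock restarts
  { type: 'click', t: 700 },                      // 350 ms since re-exposure: rejected
  { type: 'click', t: 900 },                      // 550 ms continuous: accepted
];

for (const d of replay(SAMPLE_EVENTS)) {
  console.log(`click at ${d.t} ms -> ${d.accepted ? 'accepted' : 'rejected'}`);
}
```

The guard stops the classic overlay and flicker tricks, but note that the attacks on the following slides satisfy it by design: the Like button stays fully visible for the whole game and the user is steered into clicking it, which is exactly why the talk argues that the defense has to account for human perception rather than only for what is painted on screen.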
Destabilizing Pointer Perception
• Player starts moving mouse
• Fake pointer starts moving to the left (red)
• User keeps moving up and right (black), but fake pointer (red) stays left, confusing the user
• Finally, close to the target, player corrects in a sudden motion, moving the real pointer towards right
• Player clicks Like button by mistake
Successful Attack
• One concern is the appearance of the real pointer when it approaches the like button
– Attacker has no control over “Like” button frame
• Key Idea: distract the player’s attention with lots of moving images
Attacking Peripheral Vision
Player must leave mouse at bottom of screen
But, watch main game area at top right
[Figure: timelines of "Sensor", "Blocks" and "Player" over time, panels (a), (b), (c), with a pause marked]
Motor Adaptation
Player presented with asteroid
Asteroid explodes when clicked
Mineral produced at constant displacement
Player must click on this mineral for points
Once trained, put like button instead of mineral
Fast Motion Mislocalization
Player presented with asteroid with spinning arrow
When arrow stops, mineral shoots out
Player must click on mineral for points
The Flash Lag Effect
• Flash lag is a visual illusion where a moving object, at a particular instant, seems further ahead than it actually is
• Brain predicts future displacement
• The player’s click is actually beyond the mineral, but we still award points
After a few trials, put like button beyond mineral
Visual Cues and Click Timing
Negative points for clicking on grey asteroid
Positive points for clicking on red asteroid
Move asteroid under a like button
Evaluation
| Attack Name | Number of subjects | Success Rate (%) |
|---|---|---|
| Destabilizing Pointer Perception | 50 | 100 |
| Peripheral Vision | 49 | 51.02 |
| Adaptation | 46 | 28.26 |
| Fast Motion Mislocalization | 47 | 27.66 |
| Visual Cue for timing | 50 | 50 |

• MTurk study with 50 workers for each attack.
• Some subjects exited before completing the exercise
Attacks 2 through 5 work for touch devices too!
This is only a lower-bound …
Complex Attacks
• Our attacks are simple. Possible to dynamically adapt the attack as user plays the games.
• Better models of pointer movement and click prediction can improve success rates.
• Each attack targets a different limitation of human perception. A combined attack likely to achieve 100% success.
More Attacks
• Human perception is a vast and well studied topic. Many more attacks possible.
• For example, Change Blindness:
– Well studied phenomenon in which user fails to notice difference in two images.
– Attacker can switch in a like button and an appropriately primed user won’t notice.
Future Work
• Secure UI design needs to take human perception into account while designing interfaces
– Changes needed to specifications such as the UI Security specification
• Computer Vision based techniques (or machine perception) could be key for defenses
• Designing a secure user interaction mechanism is critical for security