PayPal researcher proposes technique to thwart clickjacking attacks

PayPal researcher, Brad Hill, argues that a combination of a randomized user interface (UI) and a backend screenshot comparison tool could put an end to clickjacking attacks
PayPal researcher, Brad Hill, argues that a combination of a randomized user interface (UI) and a backend screenshot comparison tool could put an end to clickjacking attacks

In clickjacking, a hacker tries to trick the victim into clicking on malicious web links without realizing he or she is doing so. This could result in the hacker being able to take control of the victim’s computer. Clickjacking is increasingly being used to trick users of Facebook and other social media into clicking on malicious links.

The mitigation technique, called “adaptive UI randomization”, combines randomized changes to UI elements with statistical analysis of first click success provided by screenshot comparison tools, Hill explained in a paper published earlier this month.

“Though not a general purpose solution to clickjacking, the method requires no modifications to existing web user agents and is applicable to many of the most widely deployed and commonly attacked use cases for which no other mitigations currently exist. The technique can also be effectively combined with client-side approaches to enhance the effectiveness of both”, Hill wrote in the paper.

Brian Donohue cautioned in a Threatpost blog that IU randomization has been tried for a number of years to combat clickjacking attacks. “However, it has a number of limitations. Randomizing the layout of a user interface can lead to poor user experiences, among other things. In addition, randomization alone still allows for clickjackers to enjoy a reasonable rate of success with their attacks.”
 

What’s hot on Infosecurity Magazine?