Anatomy of a browser trick - you've heard of "clickjacking", now meet "keyjacking"...

Filed Under: Featured, Internet Explorer, Vulnerability

An Italian security researcher has rediscovered a trick known as user interface redressing.

He's used the concept to detail some potentially risky behaviour in some versions of Internet Explorer on Windows 7 and 8.

As that's a fairly common combination, and because the trick is worth pondering for anyone who likes to be thoughtful about computer security, here's what Rosario Valotta came up with last week.

→ If you've ever been confused by the term UI redress, you aren't alone. To keep it clear, imagine it written as UI re-dress. It means that you put a new layer of clothes over an interface object as a sneaky way of changing its appearance, not that you right the wrongs that were done to it (the usual sense of "redress" when written as an unhyphenated word).

You may remember clickjacking, where a clickable button, such as a Facebook Like, is placed over an innocent-looking image and your cursor is then steered onto it.

The button is made transparent, so that the image "re-dresses" the button and you think you are clicking on the image when your click actually lands on the button.
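The clickjacking layout described above only works if the browser lets the attacker's page embed the target page in a frame. Here, as an added example that is not code from the article or from Valotta's demo, is a small Node.js check of whether a response's headers would permit that, together with the headers a page with sensitive buttons should send. It covers X-Frame-Options and the CSP frame-ancestors directive; as an assumed simplification it handles only 'none', 'self', '*' and exact origins in frame-ancestors, not host wildcards. Note that this is a defence against the DOM-level clickjacking variant: keyjacking, as Valotta points out in the comments, abuses the browser's own download dialog, which no response header from a web application controls.

```javascript
// Added example, not code from the article or from Valotta's demo.
// Decides whether a browser would let a response be embedded in a frame,
// which is the precondition for the clickjacking overlay described above.
// Assumed simplification: frame-ancestors handling covers 'none', 'self',
// '*' and exact origins only, not host wildcards such as https://*.example.

// Lower-case header names so lookups are case-insensitive.
function headerMap(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Pull the frame-ancestors source list out of a CSP header, or null if absent.
function frameAncestors(csp) {
  const directive = csp
    .split(';')
    .map(d => d.trim())
    .find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (!directive) return null;
  return directive
    .split(/\s+/)
    .slice(1)
    .map(src => src.replace(/^'|'$/g, '').toLowerCase());
}

// true if a document served from pageUrl with these response headers may be
// framed by a top-level document at embedderUrl.
function framingAllowed(headers, pageUrl, embedderUrl) {
  const h = headerMap(headers);
  const pageOrigin = new URL(pageUrl).origin;
  const embedderOrigin = new URL(embedderUrl).origin;

  // When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
  const sources = h['content-security-policy']
    ? frameAncestors(h['content-security-policy'])
    : null;
  if (sources) {
    if (sources.includes('none')) return false;
    if (sources.includes('*')) return true;
    if (sources.includes('self') && embedderOrigin === pageOrigin) return true;
    return sources.includes(embedderOrigin.toLowerCase());
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;

  // No framing policy at all: anyone can overlay this page, so a Like button
  // served this way can be clickjacked.
  return true;
}

// Headers a page with sensitive buttons should send. Both are set so that
// older browsers without CSP support still honour the restriction.
function antiFramingHeaders(sameOriginOnly = false) {
  return sameOriginOnly
    ? { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" }
    : { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
}
```

A page with no policy at all comes back as frameable, which is exactly the condition the clickjacking overlay needs; sending both headers from antiFramingHeaders() closes it for old and new browsers alike.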

Valotta's trick is keyjacking, which is like clickjacking but with the re-dressing done the other way around.

You initiate a download window, which, at least under Internet Explorer 8 on Windows 7, produces a Run|Save|Cancel dialog.

You cover up the dialog with a window that looks like a CAPTCHA with R as the first character you need to type in.

Then you remove focus from the foreground window so that if the user does innocently press R, it is fed into the underlying dialog, not into the fake CAPTCHA window.

On a vulnerable version of IE, that tricks you into choosing the Run option, so the downloaded file is launched automatically, apparently with your official blessing.

→ In clickjacking, you click on a button that is opaque to your mouse (so it accepts and processes your click), but transparent to your eyes. In keyjacking, you type a character into a window that is opaque to your eyes, but transparent to your keyboard (so it passes your keystroke through to a hidden window underneath).

Here's what is supposed to happen in Valotta's demo, starting with the launch page:

If you click the button to launch the demo, it opens a window containing an invisible IFRAME that's populated, using JavaScript, with an EXE file.

Pushing an EXE file into the IFRAME initiates a file download and causes a double popup, the first to denote the start of the download, and the second to ask you whether you'd like to Run, Save or Cancel.

But you can't see any of this, because the window responsible for the download is a pop-under window, re-dressed on top with a window that appears to be asking for input, but isn't.

(In the on-line demo, the field into which you are supposed to enter the CAPTCHA text is actually an animated GIF containing a flashing cursor, for added realism. The CAPTCHA in the demo starts with E, which stands for Esegui, the equivalent of Run on Valotta's Italian-language version of Windows.)

In theory, then, the CAPTCHA acts as a realistic and innocent-looking subterfuge that sneakily tricks you into signalling Run to a dialog you can't see.

In practice, in my tests using a default installation of IE 8 on Windows 7 Enterprise, IE automatically averted the danger by blocking the download with a yellow security bar.

To initiate the download, you have to click on the security bar in the offending window, select the Download File... option from the dropdown menu that appears, and only then click Run or type R.

Since the security bar is out of sight, there doesn't appear to be an easy way to trick you into following that sequence of steps.

And if you're a Firefox user, like me, the subterfuge is immediately obvious, at least with Valotta's demo.

The hidden window doesn't pop up underneath, and both the IFRAME border and the download dialog are clearly visible by default.

(The "u are not" character string visible in the background of that screenshot is partially obscured text from the fake CAPTCHA window shown above.)

Valotta says the trick does work under IE 9 and 10 on Windows 7, and IE 10 on Windows 8, so his discussion is nevertheless worth studying, especially if you design web applications for a living.

[NB. Please see Valotta's comment below pointing out my error in an earlier version of this article. Apologies for the misunderstanding.]

It's a timely reminder, in today's web-based AJAX-heavy world, that what you see in your browser may not be precisely what you get, and that JavaScript's window-focus and transparency features are ripe for visual abuse.

Some of the things you can do for additional security include:

  • Turn on as much of your browser's real-time protection (e.g. popup blockers and protected mode) as you can tolerate in order to reduce the risk of unwanted browser windows.
  • Use a web filtering product on your computer or as part of your network gateway in order to block access to suspicious URLs and files.
  • Ensure that your on-access (real-time) virus scanner is turned on in order to stop dangerous downloads from launching, even if they are successfully downloaded.
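The second and third recommendations only help if the filter or scanner judges a download by what it is rather than what it claims to be: in the demo the EXE arrives through a hidden IFRAME under whatever name and content type the attacker chooses. As an added example (not code from the article or from any product), here is a Node.js classifier that checks the first bytes of a response body for a Windows PE header and checks the headers for executable hints. The header-field names and the sample inputs are constructed for illustration.

```javascript
// Added example, not code from the article. A gateway filter or on-access
// scanner cannot trust the name, extension or Content-Type of a download, so
// this classifier inspects the body bytes for a Windows PE header as well as
// looking at the headers. Sample inputs below are constructed for illustration.

// Windows executables start with the DOS stub 'MZ'; the 32-bit little-endian
// field at offset 0x3c (e_lfanew) points at the 'PE\0\0' signature.
function isPeExecutable(bytes) {
  const buf = Buffer.from(bytes);
  if (buf.length < 0x40) return false;
  if (buf[0] !== 0x4d || buf[1] !== 0x5a) return false;
  const peOffset = buf.readUInt32LE(0x3c);
  if (peOffset + 4 > buf.length) return false;
  return buf.readUInt32LE(peOffset) === 0x00004550;
}

// Extract the filename from Content-Disposition: attachment; filename="x.exe"
function attachmentName(disposition) {
  const m = /filename\*?=("?)([^";]+)\1/i.exec(disposition || '');
  return m ? m[2].trim() : '';
}

const EXEC_EXTENSIONS = /\.(exe|scr|com|pif|bat|cmd|msi)$/i;
const EXEC_TYPES = /^application\/(x-msdownload|x-msdos-program|x-dosexec|vnd\.microsoft\.portable-executable)/i;

// Decide whether a gateway should block the download. The reasons are returned
// so the decision can be logged; an empty list means the response looks benign.
function classifyDownload(headers, bodyPrefix) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }
  const reasons = [];
  if (isPeExecutable(bodyPrefix)) {
    reasons.push('body starts with a PE executable header');
  }
  const name = attachmentName(h['content-disposition']);
  if (EXEC_EXTENSIONS.test(name)) {
    reasons.push(`attachment name ${name} has an executable extension`);
  }
  if (EXEC_TYPES.test(h['content-type'] || '')) {
    reasons.push(`executable content type ${h['content-type']}`);
  }
  return { block: reasons.length > 0, reasons };
}

// Constructed sample: the smallest byte pattern that satisfies the PE check,
// standing in for the first bytes of a downloaded EXE.
function samplePeHeader() {
  const buf = Buffer.alloc(0x48, 0);
  buf.write('MZ', 0, 'latin1');
  buf.writeUInt32LE(0x40, 0x3c);        // e_lfanew -> signature at 0x40
  buf.writeUInt32LE(0x00004550, 0x40);  // bytes 50 45 00 00 = 'P','E',0,0
  return buf;
}
```

The PE check is deliberately independent of the headers: an executable served as image/gif with no Content-Disposition is still caught, and a file named captcha.exe is flagged even before enough of the body has arrived to read the header. It is a first pass only; a real scanner also has to look inside archives and installers, which is why the on-access scanner is listed as a separate layer.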


11 Responses to Anatomy of a browser trick - you've heard of "clickjacking", now meet "keyjacking"...

  1. Joe · 791 days ago

    I guess another thing you could do is adopt the habit of moving a popup window before clicking anything in it so you can see what, if anything, might be behind it. I know I will from now on.

  2. commenter1 · 791 days ago

    I don't understand much of computer talk, but this stuff is genius and amazes me.

    • I do understand the computer talk, but I'm still amazed at the kind of mind that can think up the devious stuff. I'm too much of a "rule follower" to come up with this kind of stuff, and it amazes me that some can.

  3. J.Payne · 791 days ago

    People still use I.E. ?

  4. Rosario Valotta · 791 days ago

    Hi Paul,
    I'm sorry but you completely missed the point of my research:
    1- It is clearly stated on my slides and on my blog that the one-key attack works only for IE 9-10 (Win 7) and IE 10 on Win 8. So you wasted your time testing and taking screenshots of a scenario that doesn't work by design.
    2- My research is in no way related to UI redressing but addresses some issues in the notification bars used by the chrome component of major browsers. UI attacks are mainly DOM-related, while chrome has nothing to do with the DOM.

    Please test it on Win 7 with IE 10 with the default security and privacy settings (pop-under blocking set to the "average" value) and please let me know.

    Rosario Valotta

    • Paul Ducklin · 791 days ago

      Oops. I'll have to take your word for it for the time being about IE 9-10 until I can test it. Sorry about that. I'm not sure how I mis-read you as saying the results were for IE 8 on Win 7.

      At least we know it *doesn't* work in IE 8 :-)

      But I stand by my observation that this is a form of "UI re-dressing."

      Since you deliberately divert focus and rely on a fake "dialog" (the CAPTCHA) painted on top of the risky one to disguise it and to trick the user into typing in the magic character, I can't really think of a better description than "user interface re-dressing".

      I'm sure you must agree that you are putting a fake layer of clothing over the dialog that, if visible, would make the trick obvious (as it is in Firefox)...

      PS. I have updated the article and added a correction/apology.

  5. Nils · 790 days ago

    I wouldn't be fooled by that animated image showing a flashing cursor. I always click one extra time in the field because my computer tends to lag and put the letters in the wrong box if I don't. I think I have even seen different versions of that trick, but it was too obvious for me to fall for it. Maybe I'm too paranoid ;)

  6. Totie Bash · 790 days ago

    Interesting trickery. It's worth noting and to be aware. Thanks

  7. njorl · 790 days ago

    I don't really want my browser ever to give me the option to run a program file it's downloading. I don't download stuff I want to run so often that the ten seconds to open my downloads folder and double-click the file is going to eat away my life.

    Anyway, I will usually check my antivirus definitions are up to date and initiate a manual scan of the file, before running it. Moreover (if I'm paying attention), I'll put the file in its own folder, so that it won't drag in any malicious versions of DLLs that have also been downloaded (known as abusing the DLL load order). Possibly, the browser's simple click-to-run option will also start the executable from a dedicated folder, but I've not investigated.

    I think difficulty of abuse always has to trump ease of use, in the current environment.

  8. roy jones jr · 785 days ago

    I understand the intention of the 3 options Internet Explorer gives you. In the case of a firmware file or simple plugin you would want to just run it. You would normally save any other executable file. They could remove the 'run' option, but really it's just more efficient for us users to go into the internet options and tell the program to always just save a file we are about to download.

    Again, I'd like to stress that any browser will have issues. Didn't Opera just recently have some problems?


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog