Anatomy of a browser trick – you’ve heard of “clickjacking”, now meet “keyjacking”…

An Italian security researcher has rediscovered a trick known as user interface redressing.

He’s used the concept to detail some potentially risky behaviour in some versions of Internet Explorer on Windows 7 and 8.

As that’s a fairly common combination, and because the trick is worth pondering for anyone who likes to be thoughtful about computer security, here’s what Rosario Valotta came up with last week.

→ If you’ve ever been confused by the term UI redress, you aren’t alone. To keep it clear, imagine it written as UI re-dress. It means that you put a new layer of clothes over an interface object as a sneaky way of changing its appearance, not that you right the wrongs that were done to it (the usual sense of “redress” when written as an unhyphenated word).

You may remember clickjacking, where your cursor is placed over a clickable button, such as a Facebook Like, that is itself placed over an innocent-looking image.

Then the button is made transparent, so that the image “re-dresses” the button and you think you are clicking on the image.

Valotta’s trick is keyjacking, which is like clickjacking but with the re-dressing done the other way around.

You initiate a download window, which, at least under Internet Explorer 8 on Windows 7, produces a Run|Save|Cancel dialog.

You cover up the dialog with a window that looks like a CAPTCHA with R as the first character you need to type in.

Then you remove focus from the foreground window so that if the user does innocently press R, it is fed into the underlying dialog, not into the fake CAPTCHA window.

In IE 8 on Windows 7, that tricks you into choosing the Run option, so the downloaded file is launched automatically, apparently with your official blessing.

→ In clickjacking, you click on a button that is opaque to your mouse (so it accepts and processes your click), but transparent to your eyes. In keyjacking, you type a character into a window that is opaque to your eyes, but transparent to your keyboard (so it passes your keystroke through to a hidden window underneath).

Here’s what is supposed to happen in Valotta’s demo, starting with the launch page:

If you click the button to launch the demo, it opens a window containing an invisible IFRAME that’s populated, using JavaScript, with an EXE file:

Pushing an EXE file into the IFRAME initiates a file download and causes a double popup, the first to denote the start of the download, and the second to ask you whether you’d like to Run, Save or Cancel:

But you can’t see any of this, because the window responsible for the download is a pop-under window, re-dressed on top with a window that appears to be asking for input, but isn’t:

(In the on-line demo, the field into which you are supposed to enter the CAPTCHA text is actually an animated GIF containing a flashing cursor, for added realism. The CAPTCHA in the demo starts with E, which stands for Esegui, the equivalent of Run on Valotta’s Italian-language version of Windows.)

In theory, then, the CAPTCHA acts as a realistic and innocent-looking subterfuge that sneakily tricks you into signalling Run to a dialog you can’t see.

In practice, in my tests using a default installation of IE 8 on Windows 7 Enterprise, IE automatically averted the danger by blocking the download with a yellow security bar:

To initiate the download, you have to click on the security bar in the offending window, select the Download File... option from the dropdown menu that appears, and only then click Run or type R:

Since the security bar is out of sight, there doesn’t appear to be an easy way to trick you into following that sequence of steps.

And if you’re a Firefox user, like me, the subterfuge is immediately obvious, at least with Valotta’s demo.

The hidden window doesn’t pop up underneath, and both the IFRAME border and the download dialog are clearly visible by default:

(The u are not character string visible in the background is partially-obscured text from the fake CAPTCHA window shown above.)

Valotta says the trick does work under IE 9 and 10 on Windows 7, and IE 10 on Windows 8, so his discussion is nevertheless worth studying, especially if you design web applications for a living.

[NB. Please see Valotta’s comment below pointing out my error in an earlier version of this article. Apologies for the misunderstanding.]

It’s a timely reminder, in today’s web-based AJAX-heavy world, that what you see in your browser may not be precisely what you get, and that JavaScript’s windows focus and transparency system are ripe for visual abuse.

Some of the things you can do for additional security include:

  • Turn on as much of your browser’s real-time protection (e.g. popup blockers and protected mode) as you can tolerate in order to reduce the risk of unwanted browser windows.
  • Use a web filtering product on your computer or as part of your network gateway in order to block access to suspicious URLs and files.
  • Ensure that your on-access (real-time) virus scanner is turned on in order to stop dangerous downloads from launching, even if they are successfully downloaded.

Image of laptop keyboard courtesy of Shutterstock.