Kaminsky Creates Clickjacking-Killer

  /     /     /  
Publicated : 22/11/2024   Category : security


Kaminsky Creates Clickjacking-Killer


Famed white-hat hacker proposes a fix for longtime Web attack vector.



DEF CON 23 -- Las Vegas -- Renowned security expert Dan Kaminsky here this week unveiled his latest project: a solution to eradicate so-called clickjacking attacks that plague the Web.
Kaminsky hopes to have his IronFrame approach support the World Wide Web Consortiums (W3C) UI Security specification, and ultimately ensure that clicking on compromised ads and other outside content on a website doesnt silently redirect users to malicious websites in clickjacking attacks. Clickjacking is where concealed and malicious content and links on a website are layered atop legitimate ones, unbeknownst to the user and the website operator.
We have this problem where, because of the Web security model, you dont actually know whats on your web page. You just pull resources in from around the Net, Kaminsky said in an interview prior to his DEF CON 23 presentation here. This [content] might be good, bad; maybe … by someone modifying it. This entire class of attacks is called clickjacking.
With IronFrame, Kaminsky says hes using the browsers graphics model to present the right stuff to the user rather than the modified content injected by cyber criminals. A PayPal box saying Want to spend $1000? could be altered with an icon atop it that changes the link to say $1, for example, he says.
IronFrame operates like a Jenga building-block model, moving the bottom layer of graphics content to the top layer so the browser doesnt even see the phony and malicious layer. It’s a way to end clickjacking by design, he says.
Its never been clear how to efficiently validate what the user sees on the page, he says. What Im showing is that if you move the obscured layer to the top of the stack -- after JavaScript but before the GPU -- you can know what the user sees.
The browser to date doesnt even necessarily know what content is being presented to the user, he says. The browser says, hey, GPU: go render this and you figure it out, Kaminsky explains.
Kaminskys solution basically ensures that the original content is rendered by the browser, not any content layered atop it by bad guys.
Kaminsky, who is chief scientist with WhiteOps Security, also built a JavaScript-based CPU monitor that illuminates how when web pages load slowly, its often due to content hidden within a rogue iFrame.
Hackers can fix things. We dont just break things, he says. I like looking at how things actually work and taking that knowledge and using it to make things better.
Were hackers: were not afraid to get into how things work. Lets use that knowledge and fearlessness and make things work better, he says.
Kaminsky says his open-source project is in the early stages. I dont have it perfectly  yet, he says.
My goal is to go to a Blink developer [for example] and say we need this, its feasible, heres a string, a beginning to build on, he says.

Last News

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Kaminsky Creates Clickjacking-Killer