Windows 7: Anatomy of a browser trick - you've heard of "clickjacking", now meet


01 Jul 2013   #1


Windows 7 Home Premium x64 SP1
 
 
Anatomy of a browser trick - you've heard of "clickjacking", now meet "keyjacking"...

Quote:
An Italian security researcher has rediscovered a trick known as user interface redressing.

He's used the concept to detail some potentially risky behaviour in some versions of Internet Explorer on Windows 7 and 8.

As that's a fairly common combination, and because the trick is worth pondering for anyone who likes to be thoughtful about computer security, here's what Rosario Valotta came up with last week.
Source

A Guy



02 Jul 2013   #2

Windows 7 64-bit, Windows 8.1 64-bit, OSX Maverick
 
 

This did not work in my system with IE10 on Windows 7...

On the demo page clicking on the "Start" did load up the CAPTCHA and popped up two download windows under but outside of the CAPTCHA page; the two download windows looked like one, they were popped to the same place. The file named "CosmicBreak_BR_setup.exe" was downloaded twice to the IE temp folder and the only option given is to view downloads by both windows.

Filling in the CAPTCHA information starting by the letter "e", or "r", did not trigger running the file. As a matter of fact, typing didn't seem to have any effect at all, since the letters typed did not show.

The installation of the "Cosmic..." whatever can be started manually, the interface is in Italian.

The Enhanced Protected Mode, or EPM, may have been the one that prevented the passing of the "run" command to the download windows. The EPM basically sandboxes each tab of IE10, which could prevent passing instructions between tabs, or to a new window.

Bypassing IE download warning is nothing new, it has existed since IE6, or earlier...
02 Jul 2013   #3

W7 Pro SP1 64bit
 
 

Quote: Originally Posted by Cr00zng
~~~
Filling in the CAPTCHA information starting by the letter "e", or "r", did not trigger running the file.
~~~
Typing the letter "v" (for view) brought up the list of downloaded files. But typing "r" into the captcha field after the list of downloads appears did not invoke run. I wonder how the researcher had the system set up.

[Image: pop-under1.png]


Or, just set pop-up blocking to high and avoid this issue altogether.

[Image: pop-under2.png]


Quote: Originally Posted by Cr00zng
~~~
As a matter of fact, typing didn't seem to have any effect at all, since the letters typed did not show.
~~~
The captcha field is fake - so this is to be expected. What I did not know: letters typed into the window that has focus are sent to a window that does not have focus - sad.




03 Jul 2013   #4

Windows 7 64-bit, Windows 8.1 64-bit, OSX Maverick
 
 

I am not certain if typing "v" does anything. The download does start without confirmation from the user in a new window where the background is white:

[Image: dwnload5.jpg]

Once the downloads have completed, the background does turn yellow, regardless of the letter typed in the CAPTCHA page:

[Image: dwnload4.jpg]

Claiming that this keyjacking works with IE 9, 10 on Windows 7 might be just a smoke screen. Especially when the meta tag in the source code of the page instructs IE10 to treat the page as IE7:

Code:
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"/>
While IE10 can emulate how IE7 processes web pages, it is doubtful that the emulation changes the security settings from IE10 to IE7 on the fly.

The "pop under" is made possible by JavaScript and it is easy to use:

Code:
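<script>
// Excerpt from the demo page as quoted in this post: opens testHIP.html
// in a 500x500 window positioned at the top-left corner of the screen.
function loadpopunder(){
  win3 = window.open('testHIP.html', '', 'top=0, left=0,width=500,height=500');
}
</script>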
Popping under the download window to the top left corner could easily be changed to inherit the coordinates of the initiating browser window, or just make the width/height=1, which would be the case with an actual exploit.

And just to state the obvious.... Java not installed and/or disabled renders keyjacking useless...


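The two page-source traits quoted in the post above (the X-UA-Compatible meta tag and the `window.open()` pop-under call) can be looked for when triaging a suspicious page. This is an added example, not part of the original thread or the researcher's demo; the function names, the 10-pixel `TINY_PX` threshold and the 1x1 sample line are assumptions made here.

```javascript
// Added example: static triage of page source for the traits quoted in post #4.
const TINY_PX = 10; // assumed threshold for a "tiny" window, not from the thread

// Parse a window.open() features string ("top=0, left=0,width=500") into an object.
function parseFeatures(features) {
  const out = {};
  for (const part of features.split(',')) {
    const [key, value] = part.split('=').map((s) => s.trim().toLowerCase());
    if (key) out[key] = value === undefined ? 'yes' : value;
  }
  return out;
}

// Return findings for a legacy X-UA-Compatible mode and for scripted window.open() calls.
function auditPage(html) {
  const findings = [];
  // Assumes http-equiv appears before content, as in the tag quoted in the thread.
  const meta = /<meta[^>]+http-equiv=["']X-UA-Compatible["'][^>]*content=["']([^"']+)["']/i.exec(html);
  if (meta && /EmulateIE\d+/i.test(meta[1])) {
    findings.push({ type: 'legacy-document-mode', detail: meta[1] });
  }
  // Matches window.open(url, name, features) when all three arguments are quoted literals.
  const openRe = /window\.open\(\s*(['"])(.*?)\1\s*,\s*(['"])(.*?)\3\s*,\s*(['"])(.*?)\5\s*\)/g;
  let m;
  while ((m = openRe.exec(html)) !== null) {
    const f = parseFeatures(m[6]);
    const width = parseInt(f.width, 10);
    const height = parseInt(f.height, 10);
    const tiny = width <= TINY_PX || height <= TINY_PX;
    findings.push({ type: tiny ? 'tiny-popup' : 'scripted-popup', url: m[2], width, height });
  }
  return findings;
}

// Constructed sample: the two snippets quoted in post #4 plus a hypothetical 1x1 call.
const SAMPLE = [
  '<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7"/>',
  "win3=window.open('testHIP.html','','top=0, left=0,width=500,height=500');",
  "win4=window.open('other.html','','width=1,height=1');",
].join('\n');

for (const finding of auditPage(SAMPLE)) console.log(JSON.stringify(finding));
```

The demo's own 500x500 call is reported only as a scripted pop-up; the 1x1 case the post describes is what trips the size check.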
03 Jul 2013   #5

W7 Pro SP1 64bit
 
 

As far as I know, in IE9 and above, all downloads start once requested (e.g. clicking on the Start button). A download continues in the background while the user is doing other things (e.g. perhaps navigating to and selecting the folder for the file to be automatically moved to once the download to the temp location has completed). I like this feature :-)

Typing "v" should cause the window to appear that shows the list of downloads... but only if the main window is physically over top of one of the pop-under windows and only if you actually type in the top window (e.g. cannot use the on-screen keyboard - like I sometimes do for videos).

There is a lag between reality and what Task Manager shows, but it did not seem to matter if I typed "v" as soon as I could or if I waited for the downloads to complete. As long as the main window was overlapping one of the pop-under windows, the "v" was sent to a pop-under window. I had not seen this done before and it does not seem like a good thing to me.

IE10 64bit with 64bit tabs enabled - no Java.
03 Jul 2013   #6

Win 7 Pro 64-bit 7601
 
 

Quote: Originally Posted by from a comment in the article, from the researcher himself
Please, test it on Windows 7 with IE10 with the default security and privacy settings (popunder blocking to "average", value) and please let me know.
Works if I do this. Does not work if I keep my usual IE settings. Being browser-dependent it does nothing on Firefox and Chrome (that simply popup the "hey I've got a file for you, want to download it?" dialog box), as expected.

Sounds like a security patch is in order.
Quote:
Java not installed and/or disabled renders keyjacking useless...
Yeah, but that means you can't play Facebook games. Remember that this is an issue for average users, not a "OMG IE10 IS AN OPEN DOOR LIKE IE6" issue.

Sounds also relatively easy to fix.
03 Jul 2013   #7

W7 Pro SP1 64bit
 
 

I do not see where Java has anything to do with this. The demo page does not load Java. The demo page does use Javascript - but that has nothing to do with the Java run-time environment being installed and/or disabled.

And like that commenter, I too keep IE set to block all popups. I don't even let IE tell me when it has blocked a popup.
04 Jul 2013   #8

Windows 7 64-bit, Windows 8.1 64-bit, OSX Maverick
 
 

Quote: Originally Posted by UsernameIssues
I do not see where Java has anything to do with this. The demo page does not load Java. The demo page does use Javascript - but that has nothing to do with the Java run-time environment being installed and/or disabled.
You are correct, the JavaScript works even if the Java plugin is disabled...
Quote: Originally Posted by UsernameIssues
....
Typing "v" should cause the window to appear that shows the list of downloads... but only if the main window is physically over top of one of the pop-under windows and only if you actually type in the top window (e.g. cannot use the on-screen keyboard - like I sometimes do for videos).
...
On my system, typing "v" does not bring up the list of downloads regardless of the main window's position. My system does have EPM enabled, has EMET 4.0 running, but other than that, the browser configuration is pretty much set at defaults. And no, my desktop does not have a virtual keyboard.

And yes, I also like how IE handles downloads, displaying the download status overlaid on the bottom of the browser window:

[Image: dwnload.jpg]

Once the download has completed, it asks what to do:

[Image: dwnload2.jpg]

Downloads that are different from this standard behavior of downloading files, such as this alleged "keyjacking", should be treated as malicious anyway...

