Studying the mouse for CAD systems
DAC '84 Proceedings of the 21st Design Automation Conference
Protection and communication abstractions for web browsers in MashupOS
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Evaluating visual cues for window switching on large screens
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Who are the crowdworkers?: shifting demographics in mechanical turk
CHI '10 Extended Abstracts on Human Factors in Computing Systems
A solution for the automated detection of clickjacking attacks
ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Reining in the web with content security policy
Proceedings of the 19th international conference on World wide web
Improving browser security policies
Improving browser security policies
A Practical Attack to De-anonymize Social Network Users
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
The multi-principal OS construction of the gazelle web browser
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Framing attacks on smart phones and dumb routers: tap-jacking and geo-localization attacks
WOOT'10 Proceedings of the 4th USENIX conference on Offensive technologies
User-Driven Access Control: Rethinking Permission Granting in Modern Operating Systems
SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
Mediums: visual integrity preserving framework
Proceedings of the third ACM conference on Data and application security and privacy
Protecting sensitive web content from client-side vulnerabilities with CRYPTONS
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
ProClick: a framework for testing clickjacking attacks in web applications
Proceedings of the 6th International Conference on Security of Information and Networks
Securing embedded user interfaces: Android and beyond
SEC'13 Proceedings of the 22nd USENIX conference on Security
| Hi-index | 0.00 |
Clickjacking attacks are an emerging threat on the web. In this paper, we design new clickjacking attack variants using existing techniques and demonstrate that existing clickjacking defenses are insufficient. Our attacks show that clickjacking can cause severe damages, including compromising a user's private webcam, email or other private data, and web surfing anonymity. We observe the root cause of clickjacking is that an attacker application presents a sensitive UI element of a target application out of context to a user (such as hiding the sensitive UI by making it transparent), and hence the user is tricked to act out of context. To address this root cause, we propose a new defense, InContext, in which web sites (or applications) mark UI elements that are sensitive, and browsers (or OSes) enforce context integrity of user actions on these sensitive UI elements, ensuring that a user sees everything she should see before her action and that the timing of the action corresponds to her intent. We have conducted user studies on Amazon Mechanical Turk with 2064 participants to evaluate the effectiveness of our attacks and our defense. We show that our attacks have success rates ranging from 43% to 98%, and our InContext defense can be very effective against the clickjacking attacks in which the use of clickjacking is more effective than social engineering.