Aggregator
Two Clicks to Chaos: How Double-clickjacking Hands Over Control of Apps without Users Knowing
In our last blog, we discussed how OAuth-based consent phishing attacks have been used to trick users into giving malicious apps the permission to conduct malicious activities via an employee’s account. This attack has been extremely effective due to the lack of awareness of how attackers can misuse OAuth permissions. Now, let’s say we are in an ideal world where with ample security training most employees are now aware of consent phishing and scrupulously reads every OAuth permissions request, will we truly be immune to OAuth identity attacks?
Paulos Yibelo’s recent unveiling of double-clickjacking attacks suggests otherwise. This new attack mechanism exploits the routine double-click action to open up the OAuth screen for a split second in between clicks, deceiving users into authorizing a permission without them even knowing. These screen changes happen so fast that it is impossible for even the most vigilant user to know they have become victims to a double-clickjacking attack.
This article will explore the details on double-clickjacking works, how it’s different from traditional clickjacking and the ultimate question of how do we even stop something that we don’t know is happening?
A Trip Down Memory Lane: Revisiting ClickjackingFor those who have spent some time in security, clickjacking is likely not an unfamiliar term. Clickjacking is a technique attackers use to manipulate users into clicking on something different from what they perceive. This could involve tactics such as embedding disguised/ invisible buttons, manipulating iframe layers or cursorjacking, where the attacker alters the position of the cursor such that the cursor’s real position is different from what users see.
How have we dealt with clickjacking?From Facebook’s likejacking attacks to Twitter’s war against clickjackers, the early 2010s saw a slew of clickjacking attacks targeting major social media platforms and brands. Since then, clickjacking has largely become solvable in two ways:
- From the user side (Same Site: Lax) — most modern browsers now prevent cross-site cookies with the “Same Site: Lax” setting. This cookie setting allows cookies to be sent for top-level navigations (e.g. by clicking links or typing URLs), but does not send cookies to third-party sites or embedded elements. For example, if a user navigates from origin.com to example.com directly, the cookie will be sent. However, if example.com was loaded inside an iframe on a third-party website, or if the request is made from a script embedded on another site, the cookie will not be sent.
- From the app/website developer side (X-Frame-Options) — website developers have also leveraged the X-Frame Options header to control how their web page can be embedded within an iframe or other frame-based elements on another website. For example, DENY blocks any framing and SAMEORIGIN only allows for the page to be framed by the same domain. This helps prevent their brand or app from being used to manipulate victims in a clickjacking attack.
Given that current security measures used to tackle clickjacking work by controlling embedded elements or cross-site interactions, they do not address double-clickjacking, which manipulates user interactions with elements on the same page and often does not rely on embedding.
The Impact of Double-clickjackingAs double-clickjacking can work on pretty much any website, there are countless ways in which attackers can leverage this technique. Some examples include:
- Provide malicious apps access to SaaS accounts to:
- Write and send malicious emails on the user’s behalf
- Copy, delete or hold a developer’s code hostage
- Read all the documents stored on sites like OneDrive and GoogleDrive
- Observe live feeds of video streaming platforms like Google Meets
- Publish malicious updates to an extension/app on official stores
2. Authorize payments from a e-wallet or digital payments platform
3. Change/disable account security settings
4. Submit forms containing credentials or sensitive data
5. Delete accounts and/or sensitive data
How Double-clickjacking OAuth Attacks WorksTo illustrate how double-clickjacking works, this article will focus on OAuth attacks and an example. Here is a typical sequence of double-clickjacking used in an OAuth identity attack:
- An employee lands on an attacker’s website. We will call this the “parent window”.
- The employee clicks on a button, which opens up a new window, the “child window”, which contains a prompt for the user to double-click.
- When the child window opens, it utilizes window.opener.location function to prompt the parent window to navigate to the target OAuth page.
- When the user double clicks, the following happens:
- The first click triggers a mouse-down event which closes the child window, exposing the parent window.
- The second click accepts the scope/permissions requested via OAuth by the malicious app.
The button on the child window is positioned such that it is right on top of the “accept” button on the OAuth page. The double-click motion is so fast that users frequently don’t even realize that they gave authorized access to a malicious app. As seen above, no iframes or cross-site authentications were involved in this sequence. Thus, double-clickjacking attacks are completely unaffected by current measures used to defend against clickjacking attacks.
Preventing Double-clickjacking AttacksIf traditional measures don’t work, how can one defend against double-clickjacking attacks? Given that it is impossible to ban double-clicks, the answer resides in preventing what the attack is intended to do.
Using the OAuth attack as an example, security teams can prevent malicious apps from accessing employee accounts by blocking all OAuth permission granting for unauthorized apps. The video below showcases how SquareX’s Browser Detection and Response (BDR) solution can monitor and control all OAuth requests to corporate apps like GitHub.
https://medium.com/media/1f8e75d52056c7a4103d795ab9c4a12e/href
Introducing the BDRSquareX’s Browser Detection and Response (BDR) solution goes beyond just protecting against consent phishing and identity-based attacks. SquareX’s industry-first BDR solution detects, mitigates and threat-hunt client-side web attacks targeting employees in real time. The solution comes in the form of a lightweight browser extension that can be deployed to existing browsers via a simple group policy.
We believe that there are three key components required when it comes to securing the browser:
- Web Threat Detection & Mitigation including identity attacks, malicious sites & scripts, malicious browser extensions and malicious files
- Browser DLP including genAI DLP, clipboard DLP, file DLP and insider attacks
- Private App Access to provide secure access to web applications and private apps via the browser, including for BYOD/unmanaged devices
Two Clicks to Chaos: How Double-clickjacking Hands Over Control of Apps without Users Knowing was originally published in SquareX Labs on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Two Clicks to Chaos: How Double-clickjacking Hands Over Control of Apps without Users Knowing appeared first on Security Boulevard.
Two Clicks to Chaos: How Double-clickjacking Hands Over Control of Apps without Users Knowing
CVE-2023-52767 | Linux Kernel up to 6.6.3 tls_sw_splice_eof null pointer dereference (944900fe2736/2214e2bb5489/53f2cb491b50)
CVE-2023-52766 | Linux Kernel up to 5.15.139/6.1.63/6.5.12/6.6.2 mipi-i3c-hci hci_dma_irq_handler out-of-bounds
CVE-2023-52770 | Linux Kernel up to 6.5.12/6.6.2 f2fs dump_stack.c null pointer dereference (9de787139b02/d83309e7e006/f803982190f0)
CVE-2023-52873 | Linux Kernel up to 6.6.1 clk-mt6779 mtk_alloc_clk_data null pointer dereference
CVE-2023-52875 | Linux Kernel up to 6.6.1 clk-mt2701 mtk_alloc_clk_data null pointer dereference
CVE-2023-52876 | Linux Kernel up to 6.6.1 mtk_alloc_clk_data null pointer dereference
CVE-2023-52877 | Linux Kernel up to 5.15.137/6.1.61/6.5.10/6.6.0 typec tcpm_pd_svdm null pointer dereference
CVE-2023-52744 | Linux Kernel up to 5.15.93/6.1.11 in_dev_get null pointer dereference (8f5fe1cd8e6a/360682fe7df2/5d9745cead1f)
CVE-2021-47490 | Linux Kernel up to 5.4.156/5.4.157/5.10.76/5.10.77/5.14.15 drm ttm_transfered_destroy memory leak
CVE-2023-52749 | Linux Kernel up to 6.1.65/6.6.2 spi_sync null pointer dereference (4ec4508db975/96474ea47dc6/bef4a48f4ef7 / Nessus ID 212042)
CVE-2023-52751 | Linux Kernel up to 6.5.12/6.6.2 SMB Client smb2_query_info_compound use after free (6db94d08359c/93877b9afc29/5c86919455c1 / Nessus ID 211654)
CVE-2023-52757 | Linux Kernel up to 6.1.63/6.5.12/6.6.2 SMB Client release_mid use after free (Nessus ID 209785)
CVE-2023-52741 | Linux Kernel up to 5.10.167/5.15.93/6.1.11 read_into_pages use after free (Nessus ID 209785)
Qiko大模型一体机重磅发布,AI强力赋能取证
Qiko大模型一体机重磅发布,AI强力赋能取证
为进一步提升新质公安战斗力,以人工智能技术强势赋能取证领域的变革,美亚柏科Qiko+再上新,重磅推出Qiko大模型一体机。深度融合大模型能力与取证数据,为智能取证业务开辟全新纪元!
Qiko大模型一体机是一款专为取证实验室打造的智慧大脑和算力中心,在电子取证数据分析中,赋能实验室的取证和分析装备,对案件及检材进行深度智能分析,包括嫌疑人特征刻画、涉案聊天记录分析、文档归类等;实现图片、视频、音频、文本等多维数据的融合分析,该多模态数据融合分析能力,能极大地提升取证效率,拓展案件分析深度和广度,助力执法人员从海量数据中快速定位关键信息。
产品亮点
一 真智能:快、准、深
01 直观展示关注线索
通过大模型的语义理解能力,系统能够自动识别与案件相关的可疑网址、可疑应用、涉案图片等信息,帮助分析人员一目了然把握案件脉络,提高工作效率。
02 深度挖掘关联线索
通过大模型的语义理解和实体关系抽取等技术,从海量聊天记录、文档中自动定位到涉案线索(主流案件类型分析结果准确高达90%以上),自动关联对应的图片、音频、视频等非结构化信息,融合形成完整证据链条,为案件调查提供新的视角和方向。包括以下能力:
·AI聊天分析:快速分析定位涉案的聊天内容,刻画关键信息,通过群亲密关系、群发言活跃度、群发言发布定位到关联人员,并进一步溯源和研判。
·AI识别涉案文档:通过分析文档的内容,自动将繁杂的文档进行归类,根据不同案件类型推出对应的涉案文档,减少用户的分析时间。
·AI多语言翻译: 支持英语、韩语、日语等200多种语言的离线翻译,支持快速检索和溯源。
·AI识别语音:支持从英语、汉语、日语等20种音频中提取文本内容,支持快速检索和溯源。
·AI图片分类:支持包含人脸、车辆等160种图片智能识别和分类。
·AI识别图片内容:支持证件类OCR识别、通用图像OCR识别,包括处理倾斜、旋转或不规则排列的文字。
·AI识别二维码:支持包括标准QR码、Data Matrix码和PDF417码等类型的二维码。
·AI识别网址:支持贷款、色情、博彩等上百种网站类型的识别。
·AI识别实体信息:支持包括身份证等实体的智能识别和挖掘。
·AI识别视频内容:实现视频内容的全面文本化处理。
03 精准刻画行为规律
结合大模型+大数据的分析技术,系统能够精准分析涉案人员的行为模式,挖掘其活动规律,为案件侦破提供科学依据,提升侦破效率。
04 灵活检索海量数据
通过大模型的多模态融合能力,大模型一体机提供高效的数据检索能力,支持关键词、时间轴、以文搜图、以图搜图、二次检索、批量检索等多种检索方式,让信息检索变得简单快捷。
二 真好用:每个人都能用
01 集成自主研发的Qiko智能平台
数据不出域,随时随地轻松使用大模型;根据实际需求,快速配置个性化分析逻辑,实现高度定制化的行业智能体。
02 内置国内首个公共安全行业大模型
基于更广泛公共安全数据训练而成,能够对复杂多变的公共安全场景进行精准分析,集成更贴近实战的取证知识库。
三 真酷炫:实验室科技范
01 高集成高性能
采用软硬件一体化设计,确保高性能运算的同时,简化了部署与维护流程,为执法部门提供即插即用的便捷体验。
02 低嗓音低温度
采用液冷静音的散热方式,散热性能出色,运行稳定,可脱离机房使用。
若需了解或采购该产品,可联系本地销售或扫描下方二维码填写相关需求