Clickjacking Revisited: A Perceptual View of UI Security

Presented at Black Hat USA 2013, July 31, 2013, 3:30 p.m. (60 minutes)

We revisit UI security attacks (such as clickjacking) from a perceptual perspective and argue that limitations of human perception make UI security difficult to achieve. We develop five novel attacks that go beyond current UI security defenses. Our attacks are powerful with a 100% success rate in one case. However, they only scratch the surface of possible perceptual attacks on UI security. We discuss possible defenses against our perceptual attacks and find that possible defenses either have an unacceptable usability cost or do not provide a comprehensive defense. Finally, we posit that a number of attacks are possible with a more comprehensive study of human perception.

Presenters:

• Devdatta Akhawe
  Devdatta is a graduate student studying how to build better and more secure systems at UC Berkeley. In the past, he has interned at Mozilla, Microsoft (MSRC), Yahoo! Labs, and Microsoft Research. More information about his research as well as how to pronounce his name, at his home page: https://www.cs.berkeley.edu/~devdatta

Links:

• https://www.blackhat.com/us-13/archives.html#Akhawe
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2013/video/Black Hat 2013 - Clickjacking Revisted - A Perceptual View of UI Security.mp4
• https://www.youtube.com/watch?v=XvVSYFH61lw
• https://media.blackhat.com/us-13/US-13-Akhawe-Clickjacking-Revisited-A-Perceptual-View-of-UI-Security-Slides.pdf

Similar Presentations:

• Black Hat Asia 2014 / UI Redressing Attacks on Android Devices Revisited
• HOPE 2020 Virtual Rescheduled / How to Develop a Map Based UI Using Javascript
• Black Hat USA 2017 / Cloak & Dagger: From Two Permissions to Complete Control of the UI Feedback Loop