Clickjacking Revisited: A Perceptual View of UI Security

Monday, August 4, 2014 - 11:00am
Authors: Devdatta Akhawe, Warren He, Zhiwei Li, Reza Moazzezi, and Dawn Song, University of California, Berkeley

Abstract:

Clickjacking is a powerful attack against modern web applications. While browser primitives like X-Frame-Options provide a rigorous defense for simple applications, mashups such as social media widgets require secure user interaction while embedded in an untrusted webpage. Motivated by these application scenarios, the W3C UI safety specification proposes new browser primitives to provide a strong defense against clickjacking attacks on embedded widgets. We investigate whether these proposed primitives provide the requisite security against clickjacking. We observe that UI security attacks such as clickjacking are fundamentally attacks on human perception. Revisiting clickjacking from a perceptual perspective, we develop five novel attacks that completely bypass the proposed UI safety specification. Our attacks are powerful, with success rates ranging from 20% to 99%. However, they only scratch the surface of possible perceptual attacks on UI security. We discuss possible defenses against our perceptual attacks and find that most defenses either have an unacceptable usability cost or do not provide a comprehensive defense. Finally, we posit that a number of further attacks are possible with a more comprehensive study of human perception.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone.

BibTeX
@inproceedings {185124,
author = {Devdatta Akhawe and Warren He and Zhiwei Li and Reza Moazzezi and Dawn Song},
title = {Clickjacking Revisited: A Perceptual View of {UI} Security},
booktitle = {8th USENIX Workshop on Offensive Technologies (WOOT 14)},
year = {2014},
address = {San Diego, CA},
url = {https://www.usenix.org/conference/woot14/workshop-program/presentation/akhawe},
publisher = {USENIX Association},
month = aug
}
