Out of the dark: UI redressing and trustworthy events


Abstract

Web applications use trustworthy events, consciously triggered by a human user (e.g., a left mouse click), to authorize security-critical changes. Clickjacking and UI redressing (UIR) attacks trick the user into triggering a trustworthy event unconsciously. A formal model of clickjacking was described by Huang et al. and was later adopted by the W3C UI Safety specification. This formalization did not cover the target of these attacks, the trustworthy events themselves. We provide the first extensive investigation of this topic and show that the concept is not completely understood in current browser implementations. We show major differences between widely used browser families, even to the extent that the concept of trustworthy events itself becomes unrecognizable. We also show that the concept of trusted events as defined by the W3C is in some sense orthogonal to trustworthy events, and may lead to confusion in understanding the security implications of both concepts. Based on these investigations, we were able to circumvent the concept of trusted events, introduce three new UIR attack variants, and minimize their visibility.
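The abstract separates the W3C notion of a trusted event (the isTrusted flag a browser sets on events it generated itself from an input device) from a trustworthy event (one the user consciously triggered). The following is an added example, not code from the paper or its authors, that models both checks in plain JavaScript so it runs under Node without a DOM. The event and window objects, the makeClick/makeWindow helpers, the authorize* handlers and the three scenarios are constructed stand-ins for illustration. It shows that a handler relying on isTrusted alone rejects script-synthesised clicks but accepts a physical click delivered to a framed document, which is where a UI redressing overlay would sit.

```javascript
// Added example, not code from the paper. The objects below stand in for the
// browser's Event and Window so the logic runs under Node without a DOM.

// Real browsers set isTrusted = true only on events the user agent generated
// from an input device. Events created by script, e.g.
// dispatchEvent(new MouseEvent("click")) or element.click(), carry isTrusted = false.
function makeClick({ isTrusted }) {
  return Object.freeze({ type: "click", isTrusted: isTrusted === true });
}

// In a browser, window.top !== window.self exactly when the document is
// embedded in a frame. A UIR attack embeds the victim page in the attacker's
// document and overlays or obscures the control the user actually sees.
function makeWindow({ framed }) {
  const self = {};
  return Object.freeze({ self, top: framed ? {} : self });
}

// Check 1: W3C "trusted event". Answers only "did the browser generate this?",
// not "did the user mean to click this control?".
function isTrustedEvent(ev) {
  return ev.isTrusted === true;
}

// Check 2: framing. If the document is embedded, a trusted click may have been
// aimed at something the attacker drew on top of it.
function isFramed(win) {
  return win.top !== win.self;
}

// Handler for a security-critical action that relies on isTrusted alone.
function authorizeByTrustedOnly(ev) {
  if (!isTrustedEvent(ev)) return { ok: false, reason: "synthetic event" };
  return { ok: true, reason: "trusted event" };
}

// Same handler, additionally refusing to act while framed.
function authorizeByTrustedAndUnframed(ev, win) {
  if (!isTrustedEvent(ev)) return { ok: false, reason: "synthetic event" };
  if (isFramed(win)) return { ok: false, reason: "document is framed: click may be redressed" };
  return { ok: true, reason: "trusted event in a top-level document" };
}

// Constructed scenarios (illustration only, not measurements from the paper).
const scenarios = Object.freeze({
  // Script-generated click: caught by the isTrusted check.
  synthetic: { ev: makeClick({ isTrusted: false }), win: makeWindow({ framed: false }) },
  // Physical click delivered to a framed page: trusted, but not necessarily trustworthy.
  redressed: { ev: makeClick({ isTrusted: true }), win: makeWindow({ framed: true }) },
  // Physical click on the page loaded at top level.
  genuine: { ev: makeClick({ isTrusted: true }), win: makeWindow({ framed: false }) },
});

// Runs both handlers over every scenario and returns the decisions.
function runScenarios() {
  const out = {};
  for (const [name, { ev, win }] of Object.entries(scenarios)) {
    out[name] = {
      trustedOnly: authorizeByTrustedOnly(ev).ok,
      trustedAndUnframed: authorizeByTrustedAndUnframed(ev, win).ok,
    };
  }
  return out;
}

console.table(runScenarios());
```

The top !== self check is a secondary, client-side measure; the primary defence against framing is the server-sent Content-Security-Policy frame-ancestors directive (or X-Frame-Options), which the browser enforces before any script in the page runs. Neither check examines what the user actually saw at the moment of the click, which is the property the paper's notion of a trustworthy event is about, and which the isTrusted flag does not capture.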

Citation (APA)

Niemietz, M., & Schwenk, J. (2018). Out of the dark: UI redressing and trustworthy events. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 11261 LNCS, pp. 229–249). Springer Verlag. https://doi.org/10.1007/978-3-030-02641-7_11
