Friday, November 1, 2024
Homecyber securityGesture Jacking - New Attack That Deceives Website Visitors

Gesture Jacking – New Attack That Deceives Website Visitors

Published on

Malware protection

The Web Platform is incredibly powerful, but regrettably, malicious websites will do all in their capacity to misuse it.

To prevent such exploitation, blocking actions that weren’t accompanied by a “User Gesture” is one of the weakest (but easiest to implement) defenses.

Gestures are a weak primitive because, although it is easy to determine whether a user has clicked or pressed a key, they do not suit the design objective of clearly conveying a user request well.

- Advertisement - SIEM as a Service

A more certain method of deceiving users is gesture-jacking, which eliminates the need for accurate window position, precise click timing, and the random nature of the user’s display settings.

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Rather, the attacker lures the user into holding a key, causes a victim webpage to appear, and then transfers the key down to the victim’s website.

Overview Of Gesture Jacking Attack

Security researcher Paulos Yibelo describes in detail a form of attack in which a user is tricked into holding down a key (such as Enter), and that action is interpreted as accepting a popup window and activating a button on the website of the intended victim. 

The victim’s security could be severely compromised if the button on that page executes a risky activity (such as “Grant access,” “Transfer money,” etc.).

Eric Lawrence, an expert browser developer and general program manager for Microsoft Defender, investigated the attack and referenced Yibelo’s post.

The author refers to the attack as a cross-window forgery; however, Eric Lawrence refers to it as a gesture-jacking attack because it most closely resembles the ClickJacking attack vector that gained attention in 2008. 

“Some folks expected that this attack shouldn’t be possible– “browsers have popup-blockers after all!” Unfortunately for their hopes and dreams, the popup blocker isn’t magical”, Eric Lawrence wrote in his blog.

“Holding the Enter key is a user-gesture, so the attacker’s page is allowed to spawn a popup window to a victim site”.

According to him, the foundation of this attack is dependent on a feature of the web-based platform. In particular, when you visit a URL that has a fragment in it:

The browser will automatically concentrate on the first element—if any—whose id matches the value of the fragment by scrolling to it.

Keyboard input will, therefore, be directed towards that element.

According to Yibelo, a website can prevent unintentional button clicks by either randomly assigning the id value on every page load or by removing the id attribute from critical buttons.

Alternatively, to remove an unexpected URL fragment, the page may “redirect” upon loading.

An additional option is provided for Chromium-based browsers: a document can specify that it does not wish to use the default button-focusing behavior.

A website can disable all forms of automatic scrolling (and focussing) from the fragment by adding the force-load-at-top document policy (added as an opt-out for the clean Scroll-to-Text-Fragment functionality).

The researcher noted that attackers have long exploited gesture-jacking to manipulate browser user interfaces, and hence, browser teams have had to release numerous upgrades to stop this abuse.

It is recommended to use frame-ancestors CSP to prevent framing, auto-focus/make default the safe option and disable sensitive UI elements.

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to...

New Windows Downgrade Attack Let Hackers Downgrade Patched Systems To Exploits

The researcher discovered a vulnerability in the Windows Update process that allowed them to...