Meet clickjacking's slicker cousin, 'gesture jacking,' aka 'cross window forgery'

Web browsers still struggle to prevent clickjacking, an attack technique first noted in 2008 that repurposes web page interface elements to deceive visitors.

Despite continuing efforts to mitigate the risk through bug fixes and browser behavior changes, intrusive attack variations continue to emerge, leaving web developers to provide defenses where browsers fail to erect barriers.

Clickjacking, also known as a user-interface redress attack, involves manipulating web page structure or interactive elements to make users’ clicks register somewhere other than intended, such as on a hidden iframe containing an ad served from a domain unrelated to the host site. Google dealt with this particular scenario several years ago in an effort to mitigate ad fraud, but it's a constantly evolving situation.

The latest variation of the technique has been dubbed "cross window forgery," by Paulos Yibelo, a security analyst at Amazon. In a personal report in February, he explained that the technique relies on convincing the victim to press or hold down the Enter key or Space bar on an attacker-controlled website.

This might take the form of a website that contains an interactive element that asks the user, "Press and hold Enter to continue." Using code that intercepts the keydown event and runs an attack function, the attacker can open a malicious OAuth authorization prompt URL in a new, tiny browser window to receive the still active key press.

"While testing this around in the wild on websites like Coinbase and Yahoo, I found that this can lead to an account takeover if a victim that is logged into either site goes to an attacker website and holds the Enter/Space key," explained Yibelo.

"This is possible because both sites allow a potential attacker to create an OAuth application with wide scope to access their API, and they both set a static and / or predictable 'ID' value to the 'Allow/Authorize' button that is used to authorize the application into the victim's account."

Last week, Eric Lawrence, a veteran browser developer and general program manager with Microsoft Defender, cited Yibelo's post in a further exploration of the attack. He prefers the term "gesture jacking" over "cross window forgery."

Whatever you call it, Lawrence last week wrote that the technique is "more reliable [than clickjacking], as it does not rely upon the careful positioning of windows, timing of clicks, and the vagaries of a user’s display settings. Instead, the attacker entices the user to hold down a key, spawns a victim web page, and the keydown is transferred to the victim page."

The reason the attack works, Lawrence explained, is down to the way browsers handle the fragment of a URL, which is the portion of the URL that occurs after the hash or pound sign (#). Not all URLs contain fragments, but when loading those that do, the browser will typically scroll to the first page element that contains an ID tag matching the fragment value and set the page focus to that element.

"As a result, keyboard input will be directed to that element," Lawrence wrote. So by getting a user to hold down a button, that key press can be redirected to a specific button on another webpage to authorize whatever action is associated with that interface element.

Browser makers have implemented numerous changes over the years in an effort to reduce the risk of clickjacking and associated attacks, but it's an ongoing effort. Last year, for example, Mozilla repaired clickjacking bugs in Firefox 114, Thunderbird 115.4.1, and in Firefox 120.

But as Yibelo pointed out, not all abusable behavior is considered a vulnerability. Cross window forgery, he says, "is an intended behavior of browsers, and browser vendors are aware of it. Currently I am not aware of any plans to change it as it is not considered a browser bug."

Lawrence urged web developers to adopt defensive measures cited by Yibelo, such as not giving sensitive buttons an ID tag that an attacker can use for targeting, or randomizing the ID tag value so it can't easily be incorporated into an attack script. Another option is redirecting incoming requests to drop URL fragments, which breaks the ability to scroll to a particular portion of the webpage.

He also notes that Chromium-based browsers have access to a force-load-at-top document policy, which can be enabled by opting out of the Scroll-to-Text-Fragment feature. And Firefox, he says, is considering whether to support this feature.

Beyond that, Lawrence urged web devs to adopt other best practices, like using the frame-ancestors Content Security Policy to prevent webpage framing, and disabling sensitive webpage interface elements until windows have been properly sized and the user has released any held keys. ®