Meet clickjacking’s slicker cousin, ‘gesture jacking,’ aka ‘cross window forgery’


Web browsers still struggle to prevent clickjacking, an attack technique first noted in 2008 that repurposes web page interface elements to deceive visitors.

Despite continuing efforts to mitigate the risk through bug fixes and browser behavior changes, intrusive attack variations continue to emerge, leaving web developers to provide defenses where browsers fail to erect barriers.

Clickjacking, also known as a user-interface redress attack, involves manipulating web page structure or interactive elements to make users’ clicks register somewhere other than intended, such as on a hidden iframe containing an ad served from a domain unrelated to the host site. Google dealt with this particular scenario several years ago in an effort to mitigate ad fraud, but it’s a constantly evolving situation.

The latest variation of the technique has been dubbed “cross window forgery” by Paulos Yibelo, a security analyst at Amazon. In a personal report in February, he explained that the technique relies on convincing the victim to press or hold down the Enter key or Space bar on an attacker-controlled website.
