These so called UI Redressing attacks, that take place when the website is loaded within an iframe, are widely discussed in the web security world. We've already discussed the Clickjacking attack and its countermeasures extensively on our HTTP Security Headers Whitepaper.
In this article, we examine research that creatively abuses a Clickjacking attack. Security researcher Raushan Raj found a new attack vector we're calling 'Sound Hijacking in Google Docs'. He realised that the lack of an X-Frame-Options header on docs.google.com could open the door for hackers to take over users’ audio input devices.
The Methodology of the Sound Hijacking AttackGoogle enabled Chrome users to use their voice to 'write' into documents and sheets (Tools>Voice Typing).
In his proof of concept, Raj first created an empty Google Docs file and configured the Share settings to 'On - Public on the web'. He then loaded the document in an iframe on his website:
When visitors landed on Raj’s website, the document acted as a spying tool and began transcripting all the incoming voice from the user’s device into Raj's Docs file!
<iframe src=“https://docs.google.com/document/d/XXXXXXX/edit” allow=“microphone *”></iframe>
Feature Policy MechanismIt's important to note that the allow attribute on the iframe command plays a crucial role in this scenario. This Feature Policy mechanism enables developers to control the browser features that receive user data, using commands specific to each website:
- Location information
- Microphone and camera use
- Multimedia controls
- Gyroscope sensors etc
- And, more
The Importance of X-Frame-Options Header in Preventing Clickjacking AttacksAs illustrated, the lack of X-Frame-Options (XFO) header is used to exploit unique attack vectors.
Here are a few notes on the X-Frame-Options header:
- It should be present in the HTTP response of every page
- The frame-ancestors directive of the Content Security Policy (CSP) header can be used instead of X-Frame-Options
Content-Security-Policy: frame-ancestors 'none'; // Doesn’t load any URLs within an iframe.
The advantage of CSP over XFO is that while you can whitelist only one URL with XFO, you can whitelist multiple domains using CSP frame-ancestors. We recommend that you set one of these headers depending on the functions of your website.
Content-Security-Policy: frame-ancestors 'self'; // Has the same use as the SAMEORIGIN parameter.
Which Browsers Support the X-Frame-Options HTTP Header?Like many security features, the X-Frame-Options header was not always available in browsers. Instead, the need for such a header became apparent much later. Not all browsers supported it in their first versions. Thankfully, however, almost all modern browsers support X-Frame-Options, either fully or partially.
This image is free to use and is supplied by Caniuse, under the CC BY 4.0 license.