Framing attacks on smart phones and dumb routers: tap-jacking and geo-localization attacks
Authors: G. Rydstedt, B. Gourdin, E. Bursztein, and D. Boneh
Abstract:
While many popular web sites on the Internet use frame busting to
defend against clickjacking, very few mobile sites use frame busting.
Similarly, few embedded web sites such as those used on home routers
use frame busting. In this paper we show that framing attacks on
mobile sites and home routers can have devastating effects. We
develop a new attack called tap-jacking that uses features of mobile
browsers to implement a strong clickjacking attack on phones.
Tap-jacking on a phone is more powerful than traditional clickjacking
attacks on desktop browsers. For home routers we show that framing
attacks can result in theft of the wifi WPA secret key and a precise
geo-localization of the wifi network. Finally, we show that
overlay-based frame busting, such as used by Facebook, can leak
private user information.
Reference:
In proceedings of the USENIX Workshop on Offensive Technology (wOOt 2010).
Related papers: Please see our papers on framebusting.