The gesture jacking web attack is similar to clickjacking, but more reliable

Father

Gesture jacking deceives the user into pressing and holding a key so that, while the key is held, the keystroke activates a button on another site's page opened through the browser and submits a request the user never intended to make.

The new attack vector is essentially a variant of clickjacking, also known as UI redressing. The Amazon researcher who discovered it called his finding cross window forgery. After studying the new threat, Eric Lawrence of Microsoft decided that gesture jacking would be a more accurate name.

The attacker only needs to convince the user to press and hold the Enter or Space key while visiting a site carrying a malicious script. The held key is interpreted as the user activation that permits a pop-up window to open, and the same keystroke then activates the button on the page that loads in that window.

If the result is a login or a money transfer, the consequences for the victim may be irreversible. The browser's pop-up blocker will not help here: it only blocks windows that open without a user gesture.

The user can be induced to make the required gesture by an interactive element embedded in the page that displays, for example, the message: "Press and hold Enter to continue."

Such attacks are possible because, when loading a URL with a fragment (the part after the "#" sign), browsers automatically scroll to the first element whose id matches the fragment and give it focus. Keyboard input is therefore directed to that element.

"The gesture-jacking attack is more reliable [compared to clickjacking], since it does not need to carefully position windows, calculate click time, and take into account the user's display settings," Lawrence noted in his blog.

Clickjacking can be used to fraudulently generate clicks in referral programs, distribute malware, and steal credentials. Harvesting likes on social networks with this method even received a name of its own: likejacking.

Browser developers are trying to combat this persistent problem. Google, for example, recently introduced an option to force pages to load without focusing the element named by the URL fragment. Mozilla is discussing the same possibility but so far is getting by with patches (CVE-2023-34414, CVE-2023-6206), although this is hardly a vulnerability; it is more of a feature.

Web developers can also do their part: leave id attributes off high-risk buttons, or randomize their values on every page load. Such pages can also be served through a redirect-like mechanism so that any fragment in the URL is reset.

Forbidding the page from being displayed in frames via Content Security Policy also helps a great deal: the frame-ancestors directive controls which parent origins are permitted to embed the page in a frame or similar container.

Alternatively, pages can perform their own checks (for example, the window size at load time, or how long the key that submits a request has been held) and enable sensitive interface elements only when those checks indicate nothing suspicious.
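The developer-side mitigations above (dropping the URL fragment, randomizing the id of a high-risk button, and accepting a keyboard activation only after checking the press) combined in one piece of client-side code. This is an added example, not code from the original post or from Eric Lawrence's write-up. The thresholds, the `data-high-risk` attribute, the function names and the plain-object event shape are assumptions chosen for illustration; in a browser you would forward real KeyboardEvents, whose `repeat` flag marks auto-repeated keydowns and whose `timeStamp` shares its origin with `performance.now()`.

```javascript
// Added example: defensive checks against gesture jacking for a sensitive button.
// Thresholds below are illustrative assumptions, not values from the original post.
const MIN_MS_SINCE_LOAD = 500;  // ignore activations in the first half second after load
const MAX_HOLD_MS = 2000;       // a deliberate press is short; a held-down key is not
const ACTIVATION_KEYS = new Set(['Enter', ' ']); // keys that activate a focused button

// Remove the fragment so a link such as https://site.example/transfer#confirm
// cannot pre-focus the confirm button. Returns the fragment-free URL string.
function stripFragment(url) {
  const u = new URL(url);
  u.hash = '';
  return u.toString();
}

// Build an unpredictable id for a high-risk button so an attacker cannot name it in a
// fragment. `rng` is injectable for tests; a real page should pass a function backed by
// crypto.getRandomValues rather than Math.random.
function randomButtonId(prefix, rng = Math.random) {
  const bytes = Array.from({ length: 8 }, () => Math.floor(rng() * 256));
  return prefix + '-' + bytes.map(b => b.toString(16).padStart(2, '0')).join('');
}

// Tracks keyboard state for one page load. Events are plain objects of the shape
// { key, repeat, isTrusted, timeStamp } so the logic also runs outside a browser.
class GestureGuard {
  constructor(loadTimeStamp) {
    this.loadTimeStamp = loadTimeStamp;
    this.pressStart = new Map(); // key -> timeStamp of a fresh (non-repeat) keydown
  }

  // Returns true when this keydown may proceed to the browser's default action.
  onKeyDown(ev) {
    if (!ACTIVATION_KEYS.has(ev.key)) return true;
    if (ev.isTrusted === false) return false;     // script-generated events never count
    // A key already held when the page loaded only ever produces auto-repeat
    // keydowns here, so a repeat is never accepted as the start of a press.
    if (ev.repeat) return false;
    if (ev.timeStamp - this.loadTimeStamp < MIN_MS_SINCE_LOAD) return false;
    this.pressStart.set(ev.key, ev.timeStamp);
    return true;
  }

  // Returns true when the keyup (which submits for Space) may proceed.
  onKeyUp(ev) {
    if (!ACTIVATION_KEYS.has(ev.key)) return true;
    if (ev.isTrusted === false) return false;
    const start = this.pressStart.get(ev.key);
    this.pressStart.delete(ev.key);
    if (start === undefined) return false;        // no accepted keydown on this page
    return ev.timeStamp - start <= MAX_HOLD_MS;   // a long hold is refused
  }
}

// Browser wiring; skipped when the file runs under Node.
if (typeof document !== 'undefined') {
  history.replaceState(null, '', stripFragment(location.href));
  const guard = new GestureGuard(performance.now());
  for (const button of document.querySelectorAll('button[data-high-risk]')) {
    button.id = randomButtonId('confirm');
    button.addEventListener('keydown', ev => { if (!guard.onKeyDown(ev)) ev.preventDefault(); });
    button.addEventListener('keyup', ev => { if (!guard.onKeyUp(ev)) ev.preventDefault(); });
  }
}
```

Because Enter activates a button on keydown and Space on keyup, both handlers call `preventDefault()` when the guard refuses; a key that was already held before the page loaded never produces a non-repeat keydown, so neither path reaches the button's default action.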