Hackers of India

Clickjacking revisited: A perceptual view of UI security

By Devdatta Akhawe on 31 Jul 2013 @ Blackhat


Abstract

We revisit UI security attacks (such as clickjacking) from a perceptual perspective and argue that limitations of human perception make UI security difficult to achieve. We develop five novel attacks that go beyond current UI security defenses. Our attacks are powerful with a 100% success rate in one case. However, they only scratch the surface of possible perceptual attacks on UI security. We discuss possible defenses against our perceptual attacks and find that possible defenses either have an unacceptable usability cost or do not provide a comprehensive defense. Finally, we posit that a number of attacks are possible with a more comprehensive study of human perception.

AI Generated Summary (may contain errors)

In this presentation, the speaker discusses the limitations of current secure UI design and how it can be improved by taking human perception and its limitations into account. They demonstrate several attacks on user interfaces that exploit these limitations, such as motor adaptation, visual cues, timing, and peripheral vision. The speaker argues that a combined attack could achieve a 100% success rate.

The current UI security specification is not sufficient, and the speaker suggests that it may need to be revised or supplemented with additional measures. They propose considering human perception in secure user interface design, as humans are not algorithmic and can be tricked into performing unintended actions.

In response to a question about applying these concepts to e-commerce, the speaker agrees that it would be possible to create more sophisticated attacks in this context, but notes that e-commerce companies often have additional fraud detection mechanisms in place. Finally, they mention that machine vision or computer vision could potentially be used as a defense mechanism, but it’s a challenging problem and requires further exploration.

The overall message is that secure UI design needs to take into account the complexities of human perception and its limitations to create more effective security measures.