Strokejacking
A while ago, I covered clickjacking, and now, we have “Strokejacking”. So what is strokejacking (other than a badly named attack that makes my inner middle schooler giggle)?
Strokejacking was first discussed on Full Disclosure, though it isn’t called that there. It is extremely similar to clickjacking, in that a malicious site gets a user to do things they don’t want to do; this time, though, it’s with the keyboard instead of the mouse – hence the “stroke”. The attacking site gets the user to type (or cut and paste) the information it is looking for. This could lead to another attack (if the user types JavaScript), or simply to gathering a username and password. The user thinks they are logging into a site, but they’re really sending characters over to the attacker’s site.
What can prevent this?
Basically the same things that prevent clickjacking. At the same time, be cautious about cutting and pasting random text (for example, to get rid of feeds on Facebook), and check that the SSL certificate being used is issued to your bank before typing in your username and password. These tips aren’t perfect, but they’ll help you avoid a good majority of strokejacking attempts.
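Since the same server-side defenses that stop clickjacking apply here, the following is an added example (not code from the original post, and not from Gemini Security Solutions) that audits a site’s HTTP response headers for the two anti-framing controls, X-Frame-Options and the Content-Security-Policy frame-ancestors directive. A page that cannot be framed cannot have an attacker’s page layered over it to redirect keystrokes. The function names and the sample header sets are my own constructions.

```javascript
// Added example: check a site's response headers for anti-framing defenses.
// Header sets below are constructed for illustration, not captured from any site.

// Return the source list of a CSP frame-ancestors directive, or null if absent.
function parseFrameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Evaluate a response's headers. Returns { framingBlocked, findings }.
function assessFramingDefense(headers) {
  // Header names are case-insensitive, so normalise them for lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  const findings = [];
  let protectedByCsp = false;
  let protectedByXfo = false;

  const csp = h['content-security-policy'];
  if (csp !== undefined) {
    const sources = parseFrameAncestors(csp);
    if (sources === null) {
      findings.push('CSP present but has no frame-ancestors directive');
    } else if (sources.includes('*') || sources.includes('http:') || sources.includes('https:')) {
      // A wildcard or bare scheme source lets any origin frame the page.
      findings.push(`frame-ancestors allows any origin (${sources.join(' ')})`);
    } else {
      protectedByCsp = true;
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo !== undefined) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY' || v === 'SAMEORIGIN') {
      protectedByXfo = true;
    } else if (v.startsWith('ALLOW-FROM')) {
      findings.push('X-Frame-Options ALLOW-FROM is not honoured by current browsers; use CSP frame-ancestors');
    } else {
      findings.push(`unrecognised X-Frame-Options value "${xfo}"`);
    }
  }

  if (csp === undefined && xfo === undefined) {
    findings.push('no anti-framing header at all: page can be framed by any site');
  }

  return { framingBlocked: protectedByCsp || protectedByXfo, findings };
}

// Constructed sample responses for a login page in several configurations.
const SAMPLE_RESPONSES = {
  hardened: {
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
    'X-Frame-Options': 'DENY',
  },
  legacyOnly: { 'x-frame-options': 'sameorigin' },
  open: { 'Content-Type': 'text/html' },
  misconfigured: { 'Content-Security-Policy': 'frame-ancestors *' },
};

for (const [label, headers] of Object.entries(SAMPLE_RESPONSES)) {
  const result = assessFramingDefense(headers);
  console.log(label, result.framingBlocked ? 'blocked' : 'FRAMEABLE', result.findings);
}
```

The check only tells you whether framing is blocked; it says nothing about the user-side advice in the post (being careful what you paste, and checking the certificate), which no header can enforce.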
Each Tuesday, Security Musings features a topic to help educate our readers about security. For more information about Gemini Security Solutions’ security education capabilities, contact us!

June 9th, 2010 at 10:35 am
[...] Strokejacking Strokejacking is a technique to steal your keystrokes using javascript. Learn more about it here [...]