Intercepting VK: How Hackers Use Clickjacking for De-Anonymization
In this article, I’ll explain how a malicious actor can use a social phishing technique called clickjacking to de-anonymize a user. As an example, we’ll look at an attack on a VK account and see exactly how a hacker can discover a user’s identifier. This is a very dangerous type of attack that is hard to prevent, and anyone can fall victim to it.
What Is Clickjacking?
Clickjacking is a deception technique in which invisible elements are placed on a web page so that users interact with them without realizing it. For example, an invisible button is layered over a visible element. The victim wants to watch a movie on a site, clicks “Play,” and at the same time unknowingly gives “consent to process personal data.” Such invisible elements can only be found by inspecting the page’s code.
There is also “cursorjacking,” in which the mouse cursor is subtly displaced so that the user’s clicks trigger actions on the page they did not intend. An element can also be made to move along with the cursor.
Next, I’ll show how an attacker can add a VKontakte widget to a page, make it invisible, and trick an unsuspecting user into interacting with it.
Website Design
Here, the attacker can get creative. Social phishing is nothing without social engineering, so they’ll need a scheme to mislead the user, and then tailor the site’s content to fit that scheme.
For example, let’s use a blank template:
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>...</title>
    <link rel="stylesheet" type="text/css" href="style.css">
    <script src="script.js"></script>
</head>
<body>
</body>
</html>
VK Authorization
Now, the site adds the ability to log in via VK. There’s an official API for this, with detailed instructions.
In short, you just need to add this script to the head section:
<script src="https://vk.com/js/api/openapi.js?169" type="text/javascript"></script>
And this to the body:
<div id="vk_auth"></div>
<script type="text/javascript">
    window.onload = function () {
        VK.init({apiId: 1111111});
        VK.Widgets.Auth('vk_auth', {});
    }
</script>
The apiId parameter should be set to the value found in the documentation, in the “Widget code for embedding on the site” section.
Now, a button like this should appear on the site:
The attacker has many options for how to collect data about authorized visitors. On the server side, this could be a database or just a text file.
According to the documentation, after authorization the VK.Widgets.Auth method returns user data as GET parameters in the URL when using authUrl, or as function parameters when using onAuth. The following fields are returned:
- uid (integer) — user identifier
- first_name (string) — first name
- last_name (string) — last name
- photo (string) — profile photo URL (200 px wide)
- photo_rec (string) — profile photo URL (50 px wide)
- hash (string) — a service parameter needed to verify authorization on the remote side
To verify authorization, you can use the received hash parameter by comparing it to the MD5 of app_id + user_id + secret_key concatenated. For example:
md5(667481942537fTanpCrNSeuGPbA4ENCo)
There are many guides on how to set up this widget, so let’s move on.
Adjusting Visibility
A regular web developer would stop here, but the attacker needs to make the authorization button invisible and place an attractive image or another button over it, so the user goes through authorization without noticing. For example, they might put another button on top.
If you open “Inspect Element” in any browser, hover over the VK login button and right-click, you’ll find a block like this (part of the text in the screenshot is blurred; that part won’t be present at this stage):
Now, in the CSS panel, you can add opacity: 0.0; and the button becomes invisible.
You can copy the block with opacity: 0.0; applied and get the code for a hidden button. In this form, the attacker adds the button to their site in place of the previous code.
Conclusion
The result is an invisible button, and clicking it performs the action. By the way, if you simply hide the element with the hidden attribute, nothing will happen, because the button will not only disappear visually but also stop receiving events such as mouse clicks.
In my opinion, this is an extremely effective way to de-anonymize users: all you have to do is direct them to a page, and you can get their VK identifier and some other data. This scheme works almost invisibly for the average user.
It’s extremely difficult to protect yourself from this method. At best, you could look for the word “opacity” in the source code of a suspicious site, but hardly anyone will do this on every page they visit.
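Searching the source for the word “opacity” misses styles set from external stylesheets or from scripts, and misses the case where the transparency is set on a wrapper rather than on the widget itself. A more reliable check reads computed styles and walks up the ancestor chain. The following is an added example, not code from the article: a console snippet that lists interactive elements (iframes, buttons, links, inputs) that are effectively transparent yet still receive clicks. The stand-in DOM at the bottom is constructed so the scan can run outside a browser; the widget URL in it is a placeholder.

```javascript
// Added example (not from the original article): flag interactive elements that
// are effectively invisible but still clickable, the pattern this article
// describes. Elements hidden via display:none, visibility:hidden or
// pointer-events:none are skipped: as the article notes, they receive no clicks.
const INTERACTIVE = 'iframe, button, a, input, [role="button"]';
const OPACITY_THRESHOLD = 0.05;

// Opacity is not inherited in computed styles, so an opacity:0 wrapper leaves
// its children reporting opacity 1. Multiply up the ancestor chain instead.
function effectiveOpacity(el, win) {
  let opacity = 1;
  for (let node = el; node; node = node.parentElement) {
    opacity *= parseFloat(win.getComputedStyle(node).opacity);
  }
  return opacity;
}

function scanDocument(doc, win) {
  const findings = [];
  for (const el of doc.querySelectorAll(INTERACTIVE)) {
    const style = win.getComputedStyle(el);
    if (style.display === 'none' || style.visibility === 'hidden') continue;
    if (style.pointerEvents === 'none') continue;
    const opacity = effectiveOpacity(el, win);
    if (opacity <= OPACITY_THRESHOLD) {
      findings.push({
        tag: el.tagName.toLowerCase(),
        target: el.src || el.href || '',
        opacity,
      });
    }
  }
  return findings;
}

// Constructed stand-in for a DOM so the scan can be exercised in Node: each
// node carries the style object getComputedStyle would return for it.
function buildSampleDocument() {
  const baseStyle = { display: 'block', visibility: 'visible', pointerEvents: 'auto', opacity: '1' };
  const node = (tagName, style, parentElement, extra) =>
    Object.assign({ tagName, parentElement: parentElement || null, _style: style }, extra || {});
  const body = node('BODY', {});
  const wrapper = node('DIV', { opacity: '0' }, body);            // transparency set on a wrapper
  const widget = node('IFRAME', {}, wrapper, { src: 'https://example.invalid/auth-widget' }); // placeholder URL
  const playButton = node('BUTTON', {}, body);                   // the visible decoy
  const hiddenButton = node('BUTTON', { display: 'none' }, body); // unclickable, not flagged
  const doc = { querySelectorAll: () => [widget, playButton, hiddenButton] };
  const win = { getComputedStyle: (n) => Object.assign({}, baseStyle, n._style) };
  return { doc, win };
}

if (typeof document !== 'undefined') {
  // In a browser console: list suspicious elements on the current page.
  console.table(scanDocument(document, window));
} else {
  const sample = buildSampleDocument();
  console.log(scanDocument(sample.doc, sample.win)); // [{ tag: 'iframe', target: 'https://example.invalid/auth-widget', opacity: 0 }]
}
```

Pasted into the browser console, the snippet reports the widget iframe even when its own style looks normal and only a wrapper carries opacity: 0; the decoy button and the display:none button are not reported.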