CAPEC-506

Tapjacking
Baixa
Baixa
Draft
2014-06-23
00h00 +00:00
2020-07-30
00h00 +00:00
CAPEC Mitre.org
Alerta para um CAPEC
Fique informado sobre quaisquer alterações para um CAPEC específico.
Gerenciar notificações

Descrições CAPEC

An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces them to tap on an attacker desired location on the screen. This is often accomplished by overlaying one screen on top of another while giving the appearance of a single interface. There are two main techniques used to accomplish this. The first is to leverage transparent properties that allow taps on the screen to pass through the visible application to an application running in the background. The second is to strategically place a small object (e.g., a button or text field) on top of the visible screen and make it appear to be a part of the underlying application. In both cases, the user is convinced to tap on the screen but does not realize the application that they are interacting with.

Informações CAPEC

Pré-requisitos

This pattern of attack requires the ability to execute a malicious application on the user's device. This malicious application is used to present the interface to the user and make the attack possible.

Fraquezas Relacionadas

CWE-ID Nome da Fraqueza

CWE-1021

 Improper Restriction of Rendered UI Layers or Frames
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

Referências

REF-436

UI Redressing Attacks on Android Devices
Marcus Niemietz, Jorg Schwenk.
https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf

REF-437

Look-10-007 - Tapjacking
David Richardson.
https://blog.lookout.com/look-10-007-tapjacking/

Submissão

Nome Organização Data Data de lançamento
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modificações

Nome Organização Data Comentário
CAPEC Content Team The MITRE Corporation 2017-05-01 +00:00 Updated Description Summary
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Related_Weaknesses
CAPEC Content Team The MITRE Corporation 2018-07-31 +00:00 Updated Description Summary
CAPEC Content Team The MITRE Corporation 2019-09-30 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Description
As informações apresentadas no CVE Find originam-se de várias fontes de referência cuidadosamente selecionadas. Os dados CVE são fornecidos pela MITRE Corporation e pelo National Vulnerability Database (NVD). O catálogo de Vulnerabilidades Conhecidas Exploradas (KEV) é proveniente da Cybersecurity and Infrastructure Security Agency (CISA), enquanto as pontuações EPSS vêm do FIRST.org. Além disso, os dados sobre fraquezas de software (CWE) e padrões de ataque comuns (CAPEC) são mantidos pela MITRE Corporation, e as informações sobre configurações de hardware e software (CPE) são fornecidas pelo NVD.