CAPEC-506 Detail

CAPEC-506

Name

Tapjacking

Likihood attacks

Low

Typical Severity

Low

Status

Draft

Published

2014-06-23
00h00 +00:00

Modified

2020-07-30
00h00 +00:00

Official links

CAPEC Mitre.org

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Notifications manage

List of Notifications

Alerte pour un CAPEC

Stay informed of any changes for a specific CAPEC.

Parameters

You can specify a title that will be retrieved in the alerts that will be sent out.

Specify the CAPEC ID you wish to monitor.

Planning

Month

Next run calculation

Day

Weekday

Hour

Minute

Creation date

Last execution

Next execution

Functionality requiring a connection

This feature, which allows you to receive alerts, is only active when you are logged into your account.

Descriptions CAPEC

An adversary, through a previously installed malicious application, displays an interface that misleads the user and convinces them to tap on an attacker desired location on the screen. This is often accomplished by overlaying one screen on top of another while giving the appearance of a single interface. There are two main techniques used to accomplish this. The first is to leverage transparent properties that allow taps on the screen to pass through the visible application to an application running in the background. The second is to strategically place a small object (e.g., a button or text field) on top of the visible screen and make it appear to be a part of the underlying application. In both cases, the user is convinced to tap on the screen but does not realize the application that they are interacting with.

Informations CAPEC

Prerequisites

This pattern of attack requires the ability to execute a malicious application on the user's device. This malicious application is used to present the interface to the user and make the attack possible.

Related Weaknesses

CWE-ID	Weakness Name
CWE-1021	Improper Restriction of Rendered UI Layers or Frames The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

References

REF-436

UI Redressing Attacks on Android Devices
Marcus Niemietz, Jorg Schwenk.
https://media.blackhat.com/ad-12/Niemietz/bh-ad-12-androidmarcus_niemietz-WP.pdf

REF-437

Look-10-007 - Tapjacking
David Richardson.
https://blog.lookout.com/look-10-007-tapjacking/

Submission

Name	Organization	Date	Date release
CAPEC Content Team	The MITRE Corporation	2014-06-23 +00:00

Modifications

Name	Organization	Date	Comment
CAPEC Content Team	The MITRE Corporation	2017-05-01 +00:00	Updated Description Summary
CAPEC Content Team	The MITRE Corporation	2017-08-04 +00:00	Updated Related_Weaknesses
CAPEC Content Team	The MITRE Corporation	2018-07-31 +00:00	Updated Description Summary
CAPEC Content Team	The MITRE Corporation	2019-09-30 +00:00	Updated Related_Attack_Patterns
CAPEC Content Team	The MITRE Corporation	2020-07-30 +00:00	Updated Description