User Interface is Security

31 December 2011

As security exploits traverse up the OSI model to the application layer exploits that manipulate user interface are becoming more common. The root of this problem is that layer 8 (or the human operator) is the ultimate security vulnerability. Programmers develop systems that can do amazing things, but they often fail to consider the "average user" when putting together their user interface (UI). This leads to a situation where users commonly misunderstand, or fail to understand, a particular piece of program functionality. Attackers exploit this confusion by crafting messages that appear trusted but in fact mislead users. For instance, there is a recent Facebook "security" message making the rounds as users copy and paste it from their friends' status update to their own. It reads:

"With the new 'FB timeline' on its way this week for EVERYONE...please do both of us a favor: Hover over my name above. In a few seconds you'll see a box that says "Subscribed." Hover over that, then go to "Comments and Likes" and unclick it. That will stop my posts and yours to me from showing up on the side bar(ticker) for everyone to see, but MOST IMPORTANTLY it LIMITS HACKERS from invading our profiles. If you re-post this I will do the same for you. You'll know I've acknowledged you because if you tell me that you've done it I'll 'like' it. Thanks"

The message seems legitimate. It references new features in Facebook along with scary "HACKER" threats. Users following the instructions effectively unsubscribe from all comments and "like" notifications from the target user (just one step short of unfriending them). However, to the end user the term "subscribe" means very little in this context. It is a fairly benign word that most people probably associate most with news paper deliver (which is becoming increasingly outmoded). Of course, "subscribe" means a lot to anyone who has ever designed a message queue (a classic computer science construct) and I'm sure the Facebook programmers meant this. The dichotomy between how a programmer understands the word and how the end user understands it leads to this confusion. Furthermore, the post adds confusion to the notion of how much of the user interface is "exposed" to the outside world. Facebook's privacy model is fairly opaque and this scam exploits the confusion. Users are instructed to hide posts from their own user interface in the misguided attempt to hide the post from other people.

This Facebook scam message is a prime example of how an obtuse interface can lead to exploitation. The underlying vulnerability in this exploit is not technical in any way. The exploit is of human perception rather than of machine reference pointer or applications confusing boundaries in homoiconic data. The mitigation for this problem is both simple and difficult. Updating user interface to ease confusion is a double edged sword. Every change in a familiar UI will breed new confusion, even if the change is designed to simplify the UI. Even adjusting language in display, such as changing the word "subscribe" to "show me" is bound to cause confusion. Sadly, designing UI for security has to start at the inception of a project and like all security show poor effectiveness when "bolted on" after a product launches.

Exploits of perception are as old as the "I Love You" worm, which relied on users seeing a quaint message from someone with an established trust relationships (victims had the virus forwarded to everyone in their e-mail address book). The virus required explicit user interaction, but the user interface lead the user to believe that the interaction was legitimate. Koobface worm is a similar example, whereby Facebook users were tricked into pasting a snippit of malicious code into their own profile. There are numerous scams claiming to allow users to see who is searching for them by pasting malicious code into their status or profile. All of these attacks exploit poor human computer interaction (HCI) and highlight the increasing need for security in user interface. Sadly the problem will only get worse as applications become increasingly complex and struggle to fit into diverse presentations (such as mobile, tablet, and desktop displays).