Clickjacking attacks can be carried out in a number of ways, so any single example only scratches the surface of what is possible. In the basic case, the attacker loads a legitimate site (say, a page with a login or "confirm" button) in an iframe on a page the attacker controls, makes that frame transparent, and positions it so the real button sits exactly over a visible, harmless-looking element. The victim believes they are clicking the decoy, but the click lands on the legitimate button, and the browser sends the resulting request with the victim's cookies and session. The same technique has been demonstrated against Adobe Flash: a user who thinks they are clicking a button in a game is actually clicking through to the Flash Player settings dialog, granting the attacker's site access to the computer's webcam and microphone.
Clickjacking has been used to exploit a range of functionality, from Adobe Flash's settings dialog to ActiveX control options. The attack is hard to police because, from the browser's point of view, the click is a genuine user action on the framed site: the request carries the victim's cookies and looks authorized, which opens the way for all sorts of malicious actions through the victim's browser and plugins such as Adobe Flash. Users can take some protective steps, but the most effective measures have to be applied by the website itself, even though the strongest of them (refusing to be framed at all) will limit how the site can be embedded and used. Here are some ways to protect against these attacks:
Update your Software – the clickjacking threat has been addressed to some extent by updates to popular Internet software. Upgrade your browsers, extensions and add-ons, and if you have not already done so, upgrade to the latest version of Adobe Flash Player. At the time of writing Adobe recommended that customers install Flash Player version 10.0.12.36, which addresses the clickjacking issue in the Flash settings dialog.
Block Scripts – if you use the Firefox browser you can install the NoScript add-on, which prevents scripts from loading unless you allow them. It also includes a feature called ClearClick that protects against frame-based attacks: when you click an element that is obscured or embedded from another site, ClearClick reveals what you are really about to click and blocks the click until you confirm it. The problem with the NoScript approach is that it also disables certain kinds of content, including some ads and video, so website owners cannot count on users adopting a tool that blocks their ads.
Move Elements Around – the attacker has to know exactly where the target element (a button or link) will render so that the invisible frame can be aligned over the decoy. Randomizing the position of elements that could be hijacked, for example on each page load, makes that alignment unreliable. The disadvantage of this method is that a shifting layout may make the page harder to use or simply less attractive.
Edit Your Flash Settings – Flash Player has permission settings that control whether Flash applications can access the computer's camera and microphone, and turning them off is a precaution against this class of clickjacking attack. You can do so through the "Global Settings" of Flash Player: right-click on any Flash movie and select "Global Settings" to open the Adobe Flash Player Settings Manager, then set the "Global Privacy Settings" and "Global Security Settings" to "Always Deny".
Require an Additional Action – require your users to complete an extra step, such as re-entering a password or solving a CAPTCHA, before a critical button takes effect, so that a hijacked click on its own is not enough. Admittedly, this will put off users who dislike being asked to perform actions that are not part of the site's core function. As a compromise, you can ask for the extra step only when the page detects that it is being framed, for example by checking whether it is the top-level window.
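As an added example of the "only when a frame is detected" variant (this is not code from the original article or from any of the products it mentions), the page below checks whether it is the top-level browsing context and, if it is framed, gates the sensitive action behind a confirmation step; it also shows the classic frame-busting redirect. The function names and the stand-in window objects are assumptions made for this illustration so that it runs outside a browser; in a real page you would pass `window`.

```javascript
// Added example, not from the original article. isFramed, protectAction,
// frameBustTarget and the make*Window helpers are illustrative names.

// Returns true when `win` is rendered inside another document, i.e. it is
// not the top-level browsing context. Comparing win.top to win.self by
// identity works even when the parent is cross-origin; the try/catch is
// purely defensive and treats any failure to read win.top as "framed".
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Wrap a sensitive handler. When the page is framed, the action only runs
// after `confirm()` returns true (the "additional action" from the text);
// otherwise it runs directly so unframed users are not bothered.
function protectAction(win, action, confirm) {
  return function (...args) {
    if (isFramed(win)) {
      if (!confirm()) {
        return { performed: false, reason: 'framed-and-not-confirmed' };
      }
      return { performed: true, reason: 'framed-and-confirmed', result: action(...args) };
    }
    return { performed: true, reason: 'not-framed', result: action(...args) };
  };
}

// Classic frame busting: navigate the top window to this page so the attacker
// loses the overlay. Instead of assigning win.top.location it returns the URL
// it would navigate to (or null), which keeps the decision testable.
// Caveat: a hostile parent can block this navigation (sandboxed iframes,
// onbeforeunload tricks), so treat it as best effort only.
function frameBustTarget(win) {
  if (!isFramed(win)) return null;
  return win.self.location.href;
}

// Constructed stand-ins for browser window objects so the example runs in
// Node. A top-level window is its own `self` and `top`.
function makeTopWindow(href) {
  const w = { location: { href } };
  w.self = w;
  w.top = w;
  return w;
}

// A framed window whose `top` is a (constructed) attacker page.
function makeFramedWindow(href) {
  const parent = { location: { href: 'https://attacker.example/decoy' } };
  parent.self = parent;
  parent.top = parent;
  const w = { location: { href }, top: parent };
  w.self = w;
  return w;
}

// Demo: the same handler behaves differently depending on framing.
const transferFunds = (amount) => `transferred ${amount}`;
const unframed = protectAction(makeTopWindow('https://bank.example/transfer'), transferFunds, () => true);
const framedDeclined = protectAction(makeFramedWindow('https://bank.example/transfer'), transferFunds, () => false);
console.log(unframed(100).reason);        // not-framed
console.log(framedDeclined(100).reason);  // framed-and-not-confirmed
```

Because script-based frame busting can be defeated by a determined attacker, the check above should be seen as a usability compromise rather than the primary control; the stronger measure the text alludes to is to refuse framing altogether, which modern browsers support server-side through the X-Frame-Options and Content-Security-Policy frame-ancestors response headers (a defense that postdates this article).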
- "Clickjacking details," ha.ckers.org, http://ha.ckers.org/blog/20081007/clickjacking-details/
- "Update Flash to protect against Clickjacking," InternetNews.com, http://www.internetnews.com/skerner/2008/10/update-flash-to-protect-agains.html
- "Does your browser prevent clickjacking?" InternetNews.com, http://www.internetnews.com/dev-%20news/article.php/3799231/Does+Your+Browser+Prevent+Clickjacking.htm
- "Clickjacking Preventing," Florian