How Does Clickjacking Work and What Does it Mean to be 'Clickjacked'?

The New Web-Based Security Threat

Clickjacking is the new, widely discussed web security threat that affects almost every web browser and, of course, every internet user today. If you’re still confused by the term, I explained what clickjacking is in a previous article.

How Does Clickjacking Work?

When was the last time you browsed the Internet and got a little “click-happy”? That should read like a joke, because clicking is the essence of what we do online, isn’t it? Clickjacking introduces a new threat to this essential activity. Images, links, website forms, guest-books, opt-in forms, banks’ login pages, Digg buttons and advertising banners can now be used by attackers to compromise your computer. That covers most of what we do online, doesn’t it? Attackers now have a way to place invisible code behind the web elements mentioned above, and there is no way for a user to detect that a page has been compromised.

Hence, it makes for one scary attack.

Beyond the many ways in which a clickjacking attack can be deployed, “attackers can bypass token-based CSRF (Cross-Site Request Forgery) protections,” according to Hansen and Grossman in an exclusive, in-depth interview with the SecurityFocus web magazine. Contrary to popular belief, JavaScript isn’t really the tool of this new threat, even though exploits would be relatively easier using script.

Unfortunately, deploying more GUI controls that protect against clickjacking might have the side effect of making web browsing less pleasant. The threat isn’t going to abate soon, and the average user has a lot to lose if she is victimized. Hence, if you are a website owner, there are a few simple countermeasures you can take to keep your website safe and deliver a safe browsing experience for your users. Site owners should deploy anti-JavaScript or JavaScript frame-busting code, for instance. While this will not protect users from every specific clickjacking threat, it can reduce the overall potential for exploitation. Users should log out of websites (if they require a log-in), use Mozilla’s Firefox with the NoScript plug-in installed, and disable all other plug-ins.
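A frame-busting check of the kind this paragraph recommends, written as an added example that is not code from the original article. The functions `isFramed` and `frameBust` and the constructed window objects are assumptions made for this illustration; the logic is written against a window-like object so it can be exercised outside a browser, and a real deployment should also send the `X-Frame-Options` or CSP `frame-ancestors` response header, which does not depend on script running.

```javascript
// Added example: classic JavaScript frame busting as a testable function.
// `win` is a window-like object with the assumed shape { self, top }, where
// each side has a `location.href`, mirroring the browser's window.self/top.

// True when this document is being rendered inside another page's frame,
// which is the situation a clickjacking overlay depends on.
function isFramed(win) {
  return win.top !== win.self;
}

// If framed, ask the outermost window to navigate to this page, so the page
// cannot sit invisibly on top of (or under) someone else's content.
// Returns a status string rather than printing, so callers can check it.
function frameBust(win) {
  if (!isFramed(win)) return 'not-framed';
  try {
    win.top.location.href = win.self.location.href;
    return 'redirected';
  } catch (e) {
    // Some framing contexts refuse the navigation (a sandboxed frame, for
    // example) and throw. Script alone cannot fix that, which is why a
    // server-side framing header is the primary control.
    return 'blocked';
  }
}

// Constructed sample windows (no browser needed): a page loaded directly,
// and the same page loaded inside a frame hosted by another site.
function makeWindow(framed) {
  const self = { location: { href: 'https://bank.example/login' } };
  const top = framed
    ? { location: { href: 'https://framer.example/page' } }
    : self;
  return { self, top };
}

// When actually loaded in a browser, run against the real window objects.
if (typeof window !== 'undefined') {
  frameBust({ self: window.self, top: window.top });
}
```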

This post is part of the series: Clickjacking

This time, the attacks go invisible. This series is all about clickjacking, ways and means to battle it, and the latest news on what’s happening.

  1. Clickjacking: The One Internet Security Threat That Eclipses Other Threats
  2. Clickjacking: The Threat That’s Hiding Out in the Open