Clickjacking
Clickjacking is a relatively new term in the web hacking area. Although the original paper by Robert Hansen and Jeremiah Grossman was published as recently as September 2008, clickjacking has already become fairly “normal” and common. It is a visual trick that gets users to click on something they did not intend to click on, like the “buy now” link or the “follow me” link that a marketer wants you to click. Granted, it has limited use for fraudulent purchases, since most online stores require you to enter your credit card number before you can buy anything. However, an attacker can use it to rack up “impressions” and click-throughs for fraudulent ad money, for example, or to inflate their popularity.
How does it work?
Hansen and Grossman use nice pretty pictures to explain the process, and I can’t really do any better, but I can give a summary. The basic idea is that an attacker uses an iframe to place a transparent page (or button) on top of the page you think you are viewing. When you click a “button” on the page you can see, you are really clicking a button on the page the attacker has made “invisible” to you.
What can you do to prevent it?
Microsoft, Apple and Google Chrome pay attention to the X-FRAME-OPTIONS header, but that depends on the server and application author actually setting it. Frame-busting scripts, which are common in many web pages, can be used to ensure that your application is not displayed in a frame, which helps to ensure that the clickjacking is at least visible. NoScript for Firefox can prevent you from clicking on an invisible page. However, expect attackers to get more and more crafty now that there are defences against the attack.
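As an added example that is not part of the original post, the JavaScript below makes the two defences just named concrete: a model of how a browser that honours X-Frame-Options decides whether a page may be framed, the header a server should send, a frame-busting snippet of the more robust kind (the document is hidden until the page confirms it is the top window), and a small audit function that reports a response with no framing protection. The origins, header values and function names are constructed for illustration; the Content-Security-Policy frame-ancestors check reflects the later standard that superseded X-Frame-Options and is not mentioned in the post.

```javascript
// Added example (not code from the original post). Origins and header
// values below are constructed for illustration.

// Case-insensitive header lookup over a plain {name: value} object.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) return headers[key];
  }
  return undefined;
}

// Model of a browser that honours X-Frame-Options: may the page render
// inside a frame? pageOrigin is the framed page's origin, topOrigin the
// origin of the top-level document that frames it. Returns true when
// framing (and therefore clickjacking) is possible.
function framingAllowed(headerValue, pageOrigin, topOrigin) {
  // No header at all: anyone may frame the page, the default the post warns about.
  if (headerValue === undefined || headerValue === null) return true;
  const raw = String(headerValue).trim();
  const directive = raw.toUpperCase();
  if (directive === 'DENY') return false;
  if (directive === 'SAMEORIGIN') {
    return pageOrigin.toLowerCase() === topOrigin.toLowerCase();
  }
  if (directive.startsWith('ALLOW-FROM ')) {
    // Legacy directive that was never supported everywhere; compare origins only.
    let allowed;
    try {
      allowed = new URL(raw.slice('ALLOW-FROM '.length).trim()).origin;
    } catch (e) {
      return false; // unparsable URI: this model treats the allow list as empty
    }
    return allowed.toLowerCase() === topOrigin.toLowerCase();
  }
  // Browsers ignore an unrecognised value, so a misspelt directive gives no protection.
  return true;
}

// Header a server should send so that honouring browsers refuse to frame the
// page: DENY for pages that never belong in a frame, SAMEORIGIN when the site
// frames its own pages.
function frameProtectionHeaders(policy) {
  if (policy !== 'DENY' && policy !== 'SAMEORIGIN') {
    throw new Error('policy must be DENY or SAMEORIGIN');
  }
  return { 'X-Frame-Options': policy };
}

// Audit check: true when nothing in the response headers stops framing.
// CSP frame-ancestors is the later standard successor to X-Frame-Options.
function missingFrameProtection(headers) {
  const xfo = getHeader(headers, 'X-Frame-Options');
  if (xfo !== undefined) {
    const d = String(xfo).trim().toUpperCase();
    if (d === 'DENY' || d === 'SAMEORIGIN' || d.startsWith('ALLOW-FROM ')) return false;
  }
  const csp = getHeader(headers, 'Content-Security-Policy');
  if (csp !== undefined && /(^|;)\s*frame-ancestors\s/i.test(String(csp))) return false;
  return true;
}

// Client-side frame busting. The naive `if (top != self) top.location = self.location`
// can be neutralised by a hostile parent page, so this form hides the whole
// document first and only reveals it once the page has confirmed it is the
// top window. Returns the markup to place at the start of the page.
function frameBustingMarkup() {
  return [
    '<style id="antiClickjack">body { display: none !important; }</style>',
    '<script>',
    '  if (self === top) {',
    '    var s = document.getElementById("antiClickjack");',
    '    s.parentNode.removeChild(s);',
    '  } else {',
    '    top.location = self.location;',
    '  }',
    '</script>',
  ].join('\n');
}

// The decision the inline script makes, as a testable function over a
// window-like object exposing `self` and `top`.
function isTopWindow(win) {
  return win.self === win.top;
}

// Constructed sample: a response that carries only a content type.
const sampleResponse = { 'Content-Type': 'text/html' };
console.log('unprotected:', missingFrameProtection(sampleResponse));           // true
console.log('fixed:', missingFrameProtection(frameProtectionHeaders('DENY'))); // false
```

Run it with Node; the audit function is the piece worth wiring into a scanner, since the post's point is that the header only helps when the application author remembers to send it.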

March 19th, 2010 at 6:20 pm
[...] #1 – Clickjacking: Have you been clickjacked recently? A short post that explains clickjacking and how to prevent it. “It’s a visual trick that gets users to click on something they weren’t intending to click on – like that “buy now” link or the “follow me” link that the marketer wants you to click on.” Read more here! [...]
April 20th, 2010 at 6:57 am
[...] while ago, I covered clickjacking, and now, we have “Strokejacking”. So what is strokejacking (other than a badly named [...]