What is clickjacking: A simple explanation
Imagine you’re on a website that’s offering you a free trip to your dream holiday destination. All you need to do is fill in your details and click ‘Book now.’ You do. However, instead of a trip of a lifetime, you see that a lump sum of money has been charged from your bank account. You’ve just become the victim of clickjacking.
What is clickjacking?
Clickjacking, also known as a UI redress attack, is a common hacking technique in which an attacker creates an invisible page or an HTML element that overlays the legitimate page. It’s meant to trick you into clicking on a particular button or an element on that page. In clickjacking, you may think that you’re clicking on a legitimate button, but you’re actually clicking on a transparent overlay. This transparent element might:
- Secretly download malware on your device;
- Direct you to a malicious website;
- Harvest your login credentials;
- Spread worms on social media;
- Pay for something you didn’t intend to buy;
- Activate your webcam and/or microphone.
Clickjacking variations
Clickjacking attacks also have a few variations:
- Likejacking – a technique used to manipulate the Facebook Like button. When it’s clickjacked, you “Like” pages you didn’t intend to.
- Cursorjacking – a technique used to manipulate your cursor. It changes its position from where you perceive it to be somewhere else. This technique is mostly used to exploit vulnerabilities found in Adobe Flash and Firefox. However, these have now been fixed.
- Browserless – a technique that, as the name suggests, doesn’t require a browser. This method is usually used on mobile devices to hijack toast notifications.
- Cookie jacking – in this attack, a hacker steals your browser cookies. Usually, victims are prompted to move a harmless object but in reality copy the entire content of their cookie and give it to the hacker.
- File jacking – a technique in which a hacker tricks you into establishing an active file server connection on your web browser so they could access files on your device.
A classic clickjacking example
The attacker creates an attractive page that offers a free trip to the Maldives and makes it as enticing as possible. While you are on that page, the hacker checks whether you are also logged into your bank account. If so, an invisible iframe loads on top of the booking page. You cannot see it because it’s transparent, but it’s a bank transfer form.
Your payment details are then automatically inserted into the form by your browser. Because you really want to get that free trip, you click on what you think is the ‘Book my trip’ button, which is actually the payment confirmation button. The money is then wired to the hacker without your knowledge. Now you may or may not be sent to a new page, or you may receive an email “confirming” your booking. However, it’s more likely you’ll be making a trip to your bank rather than the Maldives.
Clickjacking prevention
1. Server-side
Clickjacking doesn’t affect the website itself, but if you do own one, a hacker could use your content, create a lookalike website with a similar URL and use it in a clickjacking attack. Because clickjacking attacks are based on wrapping a page in an iframe and then adding invisible elements on top of it, you need to make sure that framing is disabled to protect your site. You can do so via:
- The X-Frame Options HTTP header can be used to determine whether the browser should allow the page to be wrapped in frame, iframe or object tags. There are three values you can choose from:
- DENY – doesn’t let browsers display your page in a frame;
- SAMEORIGIN – lets browsers display your page in a frame on another page but only if it’s from the current domain;
- ALLOW-FROM *uri* – the page can be displayed in a frame, but only one from specified origins.
- The Content Security Policy HTTP header offers a broader range of security than X-Frame Options. It lets you allowlist domains that are allowed to embed pages and domains from which resources such as scripts and fonts can be loaded.
- Frame killing is a technique that is mostly used for old browsers. All you need to do is to insert frame killing Javascript into pages that you don’t want to be included in foreign iframes. Most web pages don’t need to be embedded. Therefore, frame killing is easy to set up, and it provides a high level of protection against clickjacking.
2. Client-side
Clickjacking can be worrisome for users, but you can defend yourself by installing browser extensions. Some will prevent you from clicking on invisible or “redressed” page elements. You can try NoScript’s ClearClick for Mozilla Firefox or NoClickjack if you use Chrome, Mozilla, Opera or Microsoft Edge. The latter extension will provide you protection without interfering with legitimate iFrames. Both extensions are free to use.
Want to read more like this?
Get the latest news and tips from NordVPN