
Clickjacking


By: lpark

July 5, 2019

Clickjacking techniques involve convincing the user to click on something that they did not intend to click. This approach is often used to spread malware or gain unauthorized control of devices. This section explains the history of clickjacking, its many evolutions throughout the history of the web, and best practices for preventing clickjacking attacks.

Clickjacking attacks have been around for over a decade, but they are still being used across the world to install malware and collect personally identifiable information. Also known as a User Interface Redress Attack, or UI Redress for short, clickjacking involves fooling the user into clicking on something different than intended. This is typically done to cause an unwanted download or escalate the privileges of malicious software. This section will explore the origins of clickjacking, the several variations of the technique, and how users and organizations can protect themselves from clickjacking attacks.

Clickjacking began with a 2002 exploit that involved placing an invisible frame over a legitimate and frequently used website. The frame was programmed with JavaScript to record all user inputs on the web page, so all credentials entered into forms were recorded. Site owners began installing scripts that prevented other sites from encapsulating them, but the script had to be installed on each individual page of the site. Eventually, hackers developed a technique that allowed them to set up smaller invisible frames within the site. For example, the attacker could hide invisible buttons and input fields on top of Flash games or legitimate download buttons.

As time went on and the internet developed, new clickjacking techniques emerged to convince users to click on unwanted inputs. Cursorjacking relies on slightly changing the position of the cursor from what the target can perceive. This can be done via HTML and JavaScript, or even the since-outdated Flash. Likejacking convinces the user to click an embedded Facebook “like” button that is connected to a page different from the one that appears. Clickjacking methods that do not rely on web browsers have also emerged. For example, a clickjacking exploit discovered for Android devices worked by placing a false system notification under a legitimate one.

How can clickjacking be prevented? This is a difficult question, as clickjacking attacks are often invisible and very difficult to detect. Most clickjacking attempts can be blocked directly by the site administrator. Aside from the script mentioned earlier, Internet Explorer developed measures in 2009 that partially protected against clickjacking attacks. As a user, preventing clickjacking attacks is a matter of vigilance and awareness. Ensuring the web page matches the URL, being aware of invisible “clickable” sections of a web page, and being aware of false web buttons are all ways that a user can prevent clickjacking attacks. Web browser extensions and add-ons like NoScript have features that specifically prevent users from clicking on invisible sections of a website.

In summary, clickjacking is a web-based hacking technique that has seen much use and evolved into many different forms. In each iteration, the basic idea is the same: convince the user to click on something that they did not intend to click on. Clickjacking has evolved into cursorjacking, likejacking, browserless clickjacking, and many other adapted forms. Each form of the attack serves a separate purpose, with the ultimate purpose of convincing the user to unknowingly carry out unauthorized actions. Prevention of clickjacking attacks falls on site administrators and individual users. Site owners can install scripts that prevent clickjacking attacks, and users can install anti-clickjacking add-ons for their browser and employ safe web practices.
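The article notes that the early anti-framing script had to be installed on every page of a site, and the same per-page coverage question applies to the response headers administrators use today to block framing. The following added example (not part of the original article) audits a set of responses for the `X-Frame-Options` header and the CSP `frame-ancestors` directive and lists the pages another site could still frame. The function names and the sample responses are constructed for illustration.

```javascript
// Added example, not from the original article. Sample responses are constructed.

// Return the frame-ancestors source list from a CSP header value, or null if absent.
function frameAncestors(csp) {
  for (const directive of String(csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

// Classify one response as "protected", "weak" or "frameable".
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const sources = frameAncestors(h["content-security-policy"]);
  if (sources !== null) {
    // Wildcard or scheme-only sources allow any site to embed the page.
    const open = sources.some((s) => ["*", "http:", "https:"].includes(s));
    return open ? "frameable" : "protected";
  }
  const xfo = (h["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny" || xfo === "sameorigin") return "protected";
  // ALLOW-FROM is obsolete and ignored by current browsers.
  if (xfo.startsWith("allow-from")) return "weak";
  return "frameable";
}

// Report every page whose response is not fully protected.
function auditSite(responses) {
  return responses
    .map(({ path, headers }) => ({ path, policy: framingPolicy(headers) }))
    .filter((r) => r.policy !== "protected");
}

// Constructed sample: one entry per page, as a crawler might collect them.
const sampleResponses = [
  { path: "/", headers: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" } },
  { path: "/login", headers: { "X-Frame-Options": "SAMEORIGIN" } },
  { path: "/account/delete", headers: { "Content-Type": "text/html" } },
  { path: "/widget", headers: { "Content-Security-Policy": "frame-ancestors *" } },
  { path: "/legacy", headers: { "X-Frame-Options": "ALLOW-FROM https://partner.example" } },
];

console.log(auditSite(sampleResponses));
```

A single page missing the header, such as `/account/delete` in the sample, is enough to leave a sensitive action exposed, which is why the check runs per response instead of once per site.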