What is Clickjacking: Categories, Detection, Prevention

Cyber attackers are continuously evolving their methods to bypass security measures and exploit user interfaces. One such method is clickjacking, a sneaky type of cyber attack where users are tricked into clicking on something they didn’t intend to.

You think you’re clicking a harmless button, but you’re actually authorizing a payment or sharing personal information. The consequences can be severe, ranging from unauthorized webcam activation and monetary transfers to data theft.

This article will explain what clickjacking is in simple terms, show you the different types, help you check if your website is at risk, and give you useful tips to protect yourself and your users. Whether you just browse the internet or manage a website, understanding clickjacking is important for staying safe online.

What is Clickjacking?

Clickjacking, also known as UI redressing, is an interface-based attack in which a user is tricked into clicking a hidden, actionable element on a webpage, often by clicking a seemingly harmless element on a decoy page. The technique relies on an invisible layer containing malicious links, typically built with iframes. Here’s a simplified example:

Imagine a web user visiting a website that promises a prize if they click a button. Unbeknownst to the user, they are clicking a hidden button on an alternative, malicious page embedded within an iframe. This hidden button might trigger an unwanted action, such as transferring money from the user’s bank account.

Clickjacking differs from Cross-Site Request Forgery (CSRF) in that it requires user interaction, such as a button click, while CSRF exploits the user’s session without their knowledge.

History of Clickjacking

Clickjacking has been a known issue since 2002, when it was discovered that transparent layers could be used to overlay web pages, allowing user input to affect the hidden layer. However, it wasn’t until 2008 that the term “clickjacking” was coined by Jeremiah Grossman and Robert Hansen, who discovered a vulnerability in Adobe Flash Player that could be exploited via clickjacking.

Since then, the scope of clickjacking has expanded, encompassing various types of UI redressing attacks. As attackers discovered more methods to exploit this vulnerability, the term “UI redressing” was adopted to describe the broader category of such attacks.

How Does Clickjacking Work?

Clickjacking takes advantage of HTML frames, or iframes, which allow web pages to display content from other sites within a frame. Think of an iframe as a window within a webpage that shows content from another source. For example, when you see a YouTube video embedded on a website, it’s inside an iframe. Here’s how clickjacking works:

1. Hidden Layers: Attackers create a hidden, transparent iframe over a legitimate web page. This hidden layer can contain buttons and scripts that the user cannot see.

2. Deceptive Appearance: The visible web page looks normal, so users have no reason to suspect anything is wrong. They click on what they think are regular links or buttons.

3. Malicious Actions: Instead of performing the action the user expects, the clicks activate the attacker’s hidden script. This can lead to:

  • Installing malware
  • Stealing login credentials
  • Activating webcams or microphones
  • Making unauthorized purchases or money transfers
  • Tracking user location
  • Boosting clicks or ad revenues
  • Manipulating social media interactions

4. Not Just Clicks: Clickjacking isn’t limited to mouse clicks. It can trick users into entering information, like passwords, on a fake site that looks like a real one.

Clickjacking attacks often use social engineering techniques to direct users to malicious sites, such as phishing emails, text messages, or fake social media posts.

Categories of Clickjacking

Clickjacking encompasses various techniques, each with unique methods and targets. Here are some common categories:

Classic Clickjacking

Classic clickjacking involves overlaying a hidden, clickable element on a legitimate web page. For example, a user might think they are clicking a “Play” button on a video, but they are clicking a hidden “Buy” button on an e-commerce site. Tools like BeEF or Metasploit can facilitate these attacks by automating exploitation.

Likejacking

Likejacking targets social media platforms, tricking users into “liking” a Facebook page or other social media content. This is achieved by overlaying hidden “Like” buttons on unrelated web pages. The term was first used by Corey Ballou in an article about the potential misuse of Facebook’s “like” button.

Nested Clickjacking

Nested clickjacking involves embedding a malicious frame between two legitimate frames on a web page. This technique exploits vulnerabilities in the HTTP header X-Frame-Options, which checks only the top and bottom frames, allowing attackers to insert additional frames undetected.

Cursorjacking

Cursorjacking manipulates the appearance and location of the cursor, making users believe they are clicking on one element while they are clicking on another. This technique was demonstrated using custom cursor icons and hidden cursors and has been used to exploit vulnerabilities in browsers like Firefox on macOS.

MouseJacking

MouseJacking is a hardware-based attack that exploits vulnerabilities in wireless dongles, allowing attackers to inject keyboard input remotely. This technique, reported by Marc Newlin of Bastille.net, can lead to unauthorized actions on the affected device.

Browserless Clickjacking

Browserless clickjacking targets applications and devices without using a web browser. This method is prevalent on mobile devices, particularly Android, where attackers exploit delays in toast notifications to create clickable dummy buttons.

CookieJacking

CookieJacking involves stealing cookies from a user’s web browser. Attackers trick users into selecting and copying cookies, which can then be used to hijack sessions and steal sensitive data.

FileJacking

FileJacking exploits the file and folder selection capabilities of web browsers to access and steal files from a user’s computer. By tricking users into opening a file selection window, attackers can gain unauthorized access to personal data.

Password Manager Attack

This attack targets vulnerabilities in password managers, exploiting autofill capabilities to steal stored credentials. Researchers at Carnegie Mellon University found that some password managers insecurely filled in passwords, exposing users to iframe and redirection-based attacks.

How to Detect Clickjacking

To find out if a website is vulnerable to clickjacking, you can use a few simple methods:

  1. Testing with HTML Code: Create a specific HTML page that tries to embed a sensitive page from your site using an iframe. There is sample HTML code for this test.
  2. Check Domain Differences: Clickjacking protection often relies on the difference between the domains of the malicious page and the legitimate page. Make sure to run your test on a different domain from the one you’re testing (e.g., if your site is on example.com, run the test on dummy.com).
  3. Run the Test: After running the HTML code, check if the page can be embedded in an iframe. If it can, your site might be vulnerable to clickjacking.
  4. Review Protections: Determine if existing protections on your site can be bypassed by a clickjacking attack and adjust them as needed.

By regularly testing your site and understanding how clickjacking works, you can better protect against these types of attacks.
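The iframe test above tells you whether a page can be framed; the complementary check is to read the response headers that are supposed to stop it. The script below is an added example, not code from the original article or from OWASP. It classifies a page's framing protection from its `X-Frame-Options` and `Content-Security-Policy` headers, checking the CSP `frame-ancestors` directive first because browsers that support it ignore `X-Frame-Options` when both are present, and flagging the deprecated `ALLOW-FROM` form and conflicting values as misconfigurations. The header sets in `SAMPLES` are constructed for illustration; `fetch_headers` is an assumed helper for running the check against a site you are authorised to test.

```python
"""Assess a page's clickjacking (framing) protection from its response headers.

Added example, not part of the original article. The sample header sets
at the bottom are constructed, not captured from real sites.
"""
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.request import Request, urlopen

Headers = List[Tuple[str, str]]  # (name, value) pairs; a header may repeat


def frame_ancestors_sources(csp_values: Iterable[str]) -> Optional[List[str]]:
    """Return the source list of the first frame-ancestors directive found in
    any Content-Security-Policy value, or None when no policy carries it."""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                # An empty source list is equivalent to 'none' in CSP.
                return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None


def assess_framing(headers: Headers) -> Dict[str, Optional[str]]:
    """Classify framing protection as one of:
      "protected"     - other origins cannot frame the page
      "framable"      - any origin can frame the page (clickjacking candidate)
      "misconfigured" - a header is present but invalid, deprecated or
                        conflicting; treat as unprotected and fix it
    CSP frame-ancestors wins over X-Frame-Options in browsers that support it.
    """
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())

    sources = frame_ancestors_sources(by_name.get("content-security-policy", []))
    if sources is not None:
        if sources == ["'none'"]:
            return {"verdict": "protected", "mechanism": "csp",
                    "detail": "frame-ancestors 'none'"}
        # "*" or a bare scheme such as "https:" lets any origin frame the page.
        if any(s == "*" or s in ("http:", "https:") for s in sources):
            return {"verdict": "framable", "mechanism": "csp",
                    "detail": "frame-ancestors allows any origin: " + " ".join(sources)}
        return {"verdict": "protected", "mechanism": "csp",
                "detail": "frame-ancestors restricted to: " + " ".join(sources)}

    # X-Frame-Options may repeat or be comma-joined; collect every token.
    xfo: List[str] = []
    for value in by_name.get("x-frame-options", []):
        xfo.extend(part.strip().upper() for part in value.split(",") if part.strip())
    if not xfo:
        return {"verdict": "framable", "mechanism": None,
                "detail": "no X-Frame-Options and no CSP frame-ancestors"}
    unique = sorted(set(xfo))
    if len(unique) > 1:
        return {"verdict": "misconfigured", "mechanism": "xfo",
                "detail": "conflicting X-Frame-Options values: " + ", ".join(unique)}
    if unique[0] in ("DENY", "SAMEORIGIN"):
        return {"verdict": "protected", "mechanism": "xfo",
                "detail": "X-Frame-Options: " + unique[0]}
    # ALLOW-FROM was never supported by Chromium and was dropped by Firefox;
    # any other token is ignored by browsers, leaving the page framable.
    return {"verdict": "misconfigured", "mechanism": "xfo",
            "detail": "invalid or deprecated X-Frame-Options value: " + unique[0]}


def fetch_headers(url: str, timeout: float = 10.0) -> Headers:
    """Assumed helper: fetch a URL you are authorised to test and return its
    response headers as (name, value) pairs. Not used by the offline samples."""
    req = Request(url, headers={"User-Agent": "framing-check/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        return list(resp.getheaders())


# Constructed sample header sets (not real responses).
SAMPLES: Dict[str, Headers] = {
    "no-headers": [("Content-Type", "text/html")],
    "xfo-deny": [("X-Frame-Options", "DENY")],
    "csp-self": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
    "csp-overrides-xfo": [("X-Frame-Options", "DENY"),
                          ("Content-Security-Policy", "frame-ancestors *")],
    "allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "conflict": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        result = assess_framing(hdrs)
        print(f"{label:18} {result['verdict']:13} {result['detail']}")
```

Run it as-is to see the six sample verdicts; to check a live page, call `assess_framing(fetch_headers("https://www.example.com/settings"))`. The `csp-overrides-xfo` sample is the case that trips up manual review: `X-Frame-Options: DENY` looks safe, but the CSP `frame-ancestors *` beside it is what a modern browser actually honours.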

Clickjacking Prevention Techniques

Clickjacking is a sneaky attack where you’re tricked into clicking on something different from what you think. Here are some practical steps to help you reduce the risk:

1. Be Wary of Urgent Emails

One common way clickjacking software gets onto devices is through targeted emails. Cybercriminals often steal contact details and use them to send emails that look urgent, often claiming to be from your bank or another trusted source.

Watch out for emails in your inbox that claim to address an urgent matter needing your attention. These emails may ask you to click a link, which could take you to a fake website that looks identical to your bank’s or another official website. This fake site may prompt you to download an app or fill out profile information. Always verify the email’s legitimacy before clicking on any links or downloading attachments.

2. Avoid Downloading Suspicious Apps

Clickjacking often aims to trick you into downloading an app that is malware. This malware can capture and steal your credentials or sneak onto your device through the website itself.

Be cautious and avoid downloading any software you are not convinced about. Only download apps from authorized app stores like Google Play or the Apple App Store, where both software agents and humans work to weed out malware and inappropriate content. Refrain from downloading programs from untrusted websites or sources.

3. Be Cautious with Too-Good-to-Be-True Ads

Ads on search engines or social media that offer something too good to be true are often part of clickjacking schemes. Clicking on these ads could lead you to a website that downloads malware onto your device.

Instead of clicking on suspicious ads, look for the news or offers on reputable, long-standing news sources or official websites. If the news is real, it will be reported by valid outlets.

4. Install Anti-Clickjacking Browser Extensions

There are browser add-ons available that can protect you from clickjacking by blocking all JavaScript on loaded pages. However, this can sometimes interfere with your browsing experience, as many popular platforms like Facebook, Twitter, and YouTube use JavaScript.

To use these add-ons effectively, you need to set an allowlist to enable JavaScript on trusted sites. Some of the popular JavaScript-blocking add-ons include Scriptsafe for Chrome, NoScript for Mozilla Firefox, and JS Blocker for Safari.

5. Use a Strong Antivirus Program

To protect against cybercrimes, including clickjacking, it’s strongly recommended to use a comprehensive antivirus program. A quality antivirus should work continuously to secure your devices and data, blocking threats like viruses, malware, ransomware, and spyware.

By having an up-to-date antivirus program running, you add an extra layer of defence against clickjacking and other online threats.

General Tips

It’s important to stay vigilant against clickjacking attacks. Nowadays, the majority of browsers come with built-in security against clickjacking, which either blocks rogue websites or alerts users to possible threats.

By practising good cyber hygiene, such as avoiding online service providers that offer free or pirated services and keeping your software updated, you can reduce your risk of falling victim to clickjacking attacks. Staying informed and cautious online will help keep your personal information and devices secure.

Frequently Asked Questions (FAQs)

Q 1. What is Clickjacking?

A. Clickjacking is a trick where an attacker creates a fake web page with hidden buttons or links. When a user clicks on what they think is a regular button, like a Play button on a video, they click on something hidden underneath, such as a button that likes a Facebook page selected by the attacker.

Q 2. How dangerous is clickjacking?

A. Clickjacking can be quite harmful. Attackers can use it to gain followers on social media, get people to sign up for newsletters, steal money, spread malware, and hijack secure tokens. The extent of the damage depends on the attacker’s creativity and the vulnerability of the targeted page.

Q 3. How to prevent clickjacking attacks?

A. To protect your website from being used in a clickjacking attack, you can use a few methods. Combining the Content Security Policy (CSP) with the frame-ancestors directive and the X-Frame-Options header is a recommended approach. These tools help prevent your site from being displayed in iframes on other pages, blocking potential clickjacking attacks.
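The recommendation above is to send both headers on every response. The code below is an added example, not code from the original article or from any framework it names: a small WSGI middleware that attaches `Content-Security-Policy: frame-ancestors` and `X-Frame-Options` to whatever the wrapped application returns, merging the directive into an existing CSP header rather than emitting a second one and replacing any `X-Frame-Options` the application set itself. The `demo_app`, the policy names `"deny"` and `"self"`, and `run_wsgi` are constructed for illustration.

```python
"""Add clickjacking-protection headers at the server (WSGI middleware).

Added example, not part of the original article. The demo application and
policy names are constructed for illustration.
"""
import sys
from typing import Callable, List, Tuple
from wsgiref.simple_server import make_server

Headers = List[Tuple[str, str]]

# Deny framing unless the page must be embedded, then limit it to your origin.
POLICIES = {
    "deny": ("frame-ancestors 'none'", "DENY"),
    "self": ("frame-ancestors 'self'", "SAMEORIGIN"),
}


def frame_protection_headers(policy: str = "deny") -> Headers:
    """Return the two header pairs for a policy name ("deny" or "self")."""
    csp, xfo = POLICIES[policy]
    return [("Content-Security-Policy", csp), ("X-Frame-Options", xfo)]


def merge_headers(headers: Headers, csp_directive: str, xfo_value: str) -> Headers:
    """Return headers with our frame-ancestors directive merged into the first
    Content-Security-Policy (replacing any frame-ancestors already there) and
    a single X-Frame-Options. Pure function so it can be unit-tested."""
    out: Headers = []
    csp_seen = False
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            continue  # dropped; our value is appended below
        if lname == "content-security-policy" and not csp_seen:
            csp_seen = True
            kept = [d.strip() for d in value.split(";")
                    if d.strip() and not d.strip().lower().startswith("frame-ancestors")]
            value = "; ".join(kept + [csp_directive])
        out.append((name, value))
    if not csp_seen:
        out.append(("Content-Security-Policy", csp_directive))
    out.append(("X-Frame-Options", xfo_value))
    return out


def add_frame_protection(app: Callable, policy: str = "deny") -> Callable:
    """Wrap a WSGI app so every response carries both framing headers."""
    csp_directive, xfo_value = POLICIES[policy]

    def middleware(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            return start_response(status, merge_headers(list(headers), csp_directive, xfo_value), exc_info)
        return app(environ, patched_start_response)

    return middleware


def demo_app(environ, start_response):
    """Constructed sample app that already sets its own CSP (no frame-ancestors)."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Security-Policy", "default-src 'self'")])
    return [b"<h1>Account settings</h1>"]


def run_wsgi(app: Callable, path: str = "/") -> Tuple[str, Headers, bytes]:
    """Drive a WSGI app with a minimal environ and capture status, headers, body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "8000", "wsgi.url_scheme": "http"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    protected = add_frame_protection(demo_app, "deny")
    if "--serve" in sys.argv:
        make_server("127.0.0.1", 8000, protected).serve_forever()
    else:
        for name, value in run_wsgi(protected)[1]:
            print(f"{name}: {value}")
```

Run without arguments to print the merged headers; `--serve` starts the demo on `127.0.0.1:8000` so you can confirm the headers with `curl -I`. Merging into the existing CSP matters because a second `Content-Security-Policy` header is legal but easy to lose in a proxy or CDN that collapses duplicates; replacing any `frame-ancestors` the application set keeps one policy as the source of truth.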

Q 4. How can I detect if my website is vulnerable to clickjacking?

A. To detect clickjacking vulnerabilities, you can perform tests such as embedding your website within an iframe on a test page. Tools and code samples provided by organizations like OWASP can help assess whether your site can be manipulated via clickjacking. Additionally, checking for proper implementation of X-Frame-Options and Content Security Policy headers can reveal potential weaknesses.

Q 5. Can clickjacking affect mobile devices and apps?

A. Yes, clickjacking can affect mobile devices, particularly through browser-based attacks or vulnerabilities in apps. On mobile devices, attackers might exploit notification delays or overlay fake elements to trick users into unintended actions. Ensuring that apps and mobile browsers are updated and using security features can help mitigate these risks.


Conclusion

Clickjacking is a sophisticated and evolving threat that exploits user interfaces to deceive and manipulate users into performing unintended actions. Understanding the various categories of clickjacking and implementing strong detection and prevention measures are crucial for safeguarding both websites and individual users.

Website administrators must employ technical measures like X-Frame-Options, Content Security Policy, and frame-busting scripts to protect their sites. Regular security audits and vulnerability assessments are essential for identifying and mitigating risks.

For individual users, maintaining vigilance, avoiding suspicious links and downloads, and using security tools like anti-clickjacking browser extensions and strong antivirus software are vital steps in preventing clickjacking attacks. By combining technical safeguards with user awareness, we can create a more secure online environment and reduce the impact of clickjacking threats.
