What is Clickjacking
Without learning more, clickjacking already sounds pretty nefarious. It conjures images of hijacking, which is never a good thing. Well, that’s not by accident. Clickjacking is a digital form of hijacking that can do a lot of damage to its victims, whether individual users or organizations.
But what is clickjacking exactly, and how does it happen?
Summary: Clickjacking tricks users into clicking on seemingly safe buttons or links on a trusted website. However, the interface of the website has been changed by a cybercriminal. Once interacted with, the altered interface will perform malicious tasks like downloading malware or stealing sensitive information of the user.
How Clickjacking Works
Clickjacking is a cyberattack that targets two victims and can have disastrous consequences. First, the host website serves as a platform for the clickjacking attack. Secondly, the user or site visitor interacts with the hidden interface.
But here’s why clickjacking attacks are dangerous. They’re very easy to carry out on unsuspecting web hosts and internet users because of how html frames work.
Html frames, also known as iframes, stand for the ability to embed web pages into other web pages. Iframes are frames within frames and are crucial for displaying web content as you know it.
For example, any embedded YouTube video on a blog, news website, social media page, and other sites is actually a video inside an iframe.
This is what makes clickjacking attacks scary. Any web page that could be displayed, or embedded in a frame is at risk of having its original content covered with a hidden layer. This hidden layer is transparent, which is why users get tricked and use the attacker’s UI elements.
To anyone visiting the malicious site, its original content may seem intact. However, the hacker’s hidden UI elements are interactive. When users click on the genuine buttons and links on the hacked web page, they interact with the hidden UI instead.
Although this type of cyberattack is called clickjacking, it doesn’t rely just on users clicking certain elements on a web page. The same technique can be used to trick users into typing in their login credentials, passwords, and banking information.
This is done using various text boxes and stylesheets within iframes. In this type of attack, you could end up logging into an investment or banking platform without knowing someone is receiving all of your keyboard hits.
Results of Clickjacking Attacks
Each clickjacking attack can be different, but the goal is usually financial gain. The majority of clickjacked web pages install malware on users’ devices, steal credentials or financial information, authorize money transfers, or attempt to make unsolicited purchases.
All of these actions could help an attacker make a lot of money.
Of course, there are instances when clickjacking is performed with a less nefarious scope. For example, clickjacking can be utilized to get more clicks on specific ads and boost ad revenue.
It can also be used to get more likes on social media platforms or video sharing platforms. In these cases, the users are still tricked into doing something they didn’t want, but the clickjacking is harmless for them.
Other types of clickjacking attacks could be even more invasive and attempt to pinpoint the user’s location, activate their webcam, or turn on their microphone.
There’s no reason to go into the dangers of stalking, bullying, identity theft, or digital blackmail that can result from this.
There are some limits to what a clickjacking attack can achieve. That said, there’s a pretty long list of potentially destructive actions a hacker may deploy.
Examples of Clickjacking Attacks
Clickjacking can be categorized based on how the attack is carried out, its target, the vulnerabilities it exploits, or the attacker’s goal. Of course, all variations come from the classic clickjacking attack.
This type of clickjacking requires hiding layers on web pages in order to manipulate users into taking actions they didn’t previously agree to.
Popular uses for classic clickjacking include tricking users into buying products.
For example, you may find an email in your inbox with news of a product release or a new service you might be interested in.
When you click the link to check it out, you land on what appears to be a normal page. Perhaps you even find an embedded YouTube video displayed with a product description or presentation.
However, once you hit play, you can also trigger a purchase action on the Amazon embedded invisible page using iframes.
Naturally, the stars have to align for classic clickjacking to work. Users must be logged into their Amazon accounts and have one-click purchasing enabled, and there are certain browser incompatibilities hackers should work out.
But when you consider that these attacks happen on a large scale, pretty much like spam emails, someone eventually falls victim.
A likejacking attack is usually aimed at social media pages. In this scenario, an attacker tries to trick the unsuspecting user into hitting a like button on Facebook, Twitter, YouTube, LinkedIn, etc.
For this attack to work, users must be logged into their respective social media accounts. Otherwise, clicking the link wouldn’t automatically trigger the like action.
However, since most people are logged into their social media accounts 24/7 and even use them to register or log into other websites, likejacking has a high chance of success.
In fact, likejacking goes back at least to 2009 with the infamous “tweet bomb” attack. That attack created a long-lasting cycle of users opening tweeted links and hitting a clickjacked link in the newly opened webpage.
Upon hitting the link, Twitter users automatically retweeted the original link on their own accounts. This prompted other suspecting users to do the same.
Similar instances of likejacking happen all the time on other platforms, especially Facebook. They’re used to boost likes and make certain pages more popular and visible.
A cursorjacking attack creates a duplicate cursor. When the user tries to navigate a web interface, they’re actually moving the duplicate cursor instead of the real one.
Why is this dangerous?
Cyber criminals engineer the fake cursor with a desired offset. This can cause the user to click unwanted or even hidden links when reaching a particular part of the screen.
Cursorjacking was prevalent for a while in Firefox browsers due to some vulnerabilities. Since Firefox 30 came out, however, these attacks have become less common.
A filejacking attack is one of the most dangerous forms of clickjacking. It essentially enables attackers to hijack a user’s local file system through the file browser window.
While macOS and Linux-based systems aren’t as vulnerable, Windows devices can encounter these attacks regularly.
Filejacking can occur when unsuspecting users attempt to upload media files on social media pages or other websites. They must use the file browser window to find the files if they’re uploading from their device instead of the cloud or a URL.
But during an attack, using the file browser can actually create an active file server that runs in the background. A hacker can use it to steal important documents, proprietary information from an organization’s file library, or even install malicious software.
Cookies blur the lines between usefulness and invasion of privacy. There isn’t a website today that doesn’t use some form of cookies to either make navigation smoother, simplify the login process, or track user activities.
But while some hate cookies for their monitoring and recording capabilities, there’s another reason to be concerned.
Cookies can be stolen through clickjacking attacks called cookiejacking. Using the same classic technique of embedding hidden layers into websites using iframes, attackers can trick users into handing over their cookies.
Once a hacker hijacks the cookies, they may have the same level of access to specific websites as a user. This could include posing as them on social media, getting into their banking platforms, etc.
A browserless clickjacking attack is usually aimed at mobile devices like smartphones and tablets. This type of cyberattack doesn’t rely on browser vulnerabilities or the users being logged into specific websites.
Instead, the attacks replicate a classic clickjacking technique using the interfaces of various apps.
Many browserless clickjacking scenarios involve toast notifications. These notifications have delays between their request and the moment they’re displayed.
Those delays can give attackers enough time to embed fake buttons and links, similar to how they use iframes on web pages. Therefore, when the user finally taps the notification, they’ll also trigger an unwanted action by tapping the hidden button.
Clickjacking Prevention Methods
Like most types of cyberattacks, clickjacking can be prevented using specific security measures on the server and client-side.
While both have their merits, server-side clickjacking security protocols are the most important.
At its core, almost every clickjacking attack relies on duplicating, hijacking, or cloning a legitimate website or web page.
Therefore, protecting target websites from being weaponized is a top cybersecurity concern. Not only would a successful hijacking put users at risk, but it could tarnish the website owner’s reputation beyond repair.
To prevent clickjacking, it’s imperative to make all web pages on a website unwrappable using iframe or frame tags.
Method 1 – Implementing the Right Content Security Policy Frame Ancestors Directive
A content security policy, or CSP, with a frame ancestors directive is a cybersecurity technique that prevents webpage embedding.
The content security policy can disable iframe embedding as well as protect web pages against cross site scripting or XSS cyberattacks.
This requires configuring the web server to return the CSP and setting the frame ancestors directive response headers value to something that doesn’t allow embedding within exterior domains.
It should look something like this.
· Header set Content-Security-Policy “frame-ancestors none;”
· Header set Content-Security-Policy “frame-ancestors self;”
The first header value prevents all embedding. The second header value enables embedding but only on your domain, meaning attackers can’t use your web pages, but you retain the option to embed your own web pages.
Method 2 – Changing X-Frame-Options Header Directive
Like the frame-ancestors directive, the x-frame-options directive sets rules for how browsers are allowed to embed certain web pages using frames.
You have two settings to protect against clickjacking.
· X-Frame-Options: DENY
· X-Frame-Options: SAMEORIGIN
These two header settings are quite similar to the previous settings. The first one blocks any attempts to embed a website or specific web pages into a frame on another site.
The second header setting permits embedding only on the same top-level domain.
While it’s a good idea to use both methods, the frame-ancestors directive is arguably superior and may even replace the x-frame-options directive entirely in the future.
The best current server-side prevention is to use the content security policy frame ancestors self directive in combination with the x frame options header. This ensures more protection across multiple browsers.
There are some notable client-side clickjacking prevention methods. But you should know that these have plenty of vulnerabilities, can be circumvented, and may not even work without proper server-side clickjacking defense.
These days there are browser extensions for virtually anything. Unsurprisingly, you can easily find anti-clickjacking extensions for various browsers.
· Chrome: Scriptsafe
· Firefox: NoScript
· Safari: JS Blocker
The list can go on.
Of course, users can always whitelist their favorite sites, but that defeats the purpose of the extensions.
Being Aware of Clickjacking
Like many other types of cyberattacks, clickjacking relies quite heavily on social engineering. This means that attackers have to work hard and convince users to click on specific links or head over to hijacked websites.
Browser extensions can be helpful to a minor extent, but awareness and developing better browsing remain the best client-side clickjacking prevention methods.
One way to treat the threat of clickjacking is to think of it in terms of phishing. Emails with promises of free prizes for contests you didn’t enter are best avoided.
Downloading apps you didn’t actively search for is never a good idea, especially when they’ve been flagged as unsafe.
Clicking Google or Facebook ads without doing your due diligence can leave you vulnerable to clickjacking attacks.
Take your time when reading news alerts, press releases, and newsletters. Attackers will often try to create a sense of urgency around tuning into the latest reports, jumping at an opportunity to enter a contest, etc.
And remember to do these things even when the information may sound legitimate. Due to how easy it is for hackers to buy contact information like emails with associated social media accounts, they can do a lot of research.
That’s when phishing turns into spear phishing, and the content is more personalized. But if you always keep your guard up, you will be able to tell when someone’s trying to scam you.
It’s also worth asking around about what security protocols your favorite websites use. If they don’t do much to prevent clickjacking, then you’ll know to either change your browsing habits or be on the lookout for embedded elements of those websites on other pages.
One of the Many Digital Dangers
Clickjacking attacks are no joke. Despite being technically challenging to pull off, they can have disastrous consequences for the victims. Add to that the fact that there’s little client-side protection you can use aside from good judgment, and the thought of being clickjacked is even scarier.
That’s still no excuse to forget about protecting your devices with anti-malware software. Clickjacking attacks can be taken in many directions by a seasoned hacker. Not all of them involve cloning keystrokes or getting likes on social media.
Sound judgment and a proper cyber security suite will reduce the chances of getting infected with malware, losing access to your files, or unwillingly sharing confidential information.
Frequently Asked Questions
Why is clickjacking used?
The three major reasons to launch a clickjacking attack are to gain access to a device or its peripherals, download and install malware in the background, and trick users into typing login credentials or financial information.
What is a clickjacking example?
A user may click on a button or link indicating they’re about to book a trip or subscribe to a newsletter while simultaneously authorizing a money transfer from their bank account, due to a fake user interface hidden in an invisible iframe.
Are clickjacking and CSRF different?
Clickjacking attacks depend on the user interacting with hidden UI elements. CSRF, or cross-site request forgery, exploits a different web security vulnerability that doesn’t depend on users actually interacting with the UI elements.
Author: Tibor Moes
Founder & Chief Editor at SoftwareLab
Tibor is a Dutch engineer and entrepreneur. He has tested security software since 2014.
This website is hosted on a Digital Ocean server via Cloudways and is built with DIVI on WordPress.
Don't take chances online. Protect yourself today:
Protect your Devices
Protect your Privacy
Or directly visit the #1: