Clickjacking

Clickjacking is a malicious technique of tricking Web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function.

The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008. The exploit is also known as UI redressing.

Clickjacking can be understood as an instance of the confused deputy problem, in which a program is innocently fooled by another party into misusing its authority.

Description

Clickjacking is possible because seemingly harmless features of HTML web pages can be employed to perform unexpected actions.

A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers load another page over it in a transparent layer. The users think that they are clicking visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page, therefore the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, as the users would have been genuinely authenticated on the hidden page.

Examples

A user might receive an email with a link to a video about a news item, but another valid page, say a product page on amazon.com, can be "hidden" on top or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon.

Other known exploits include:
  • tricking users into enabling their webcam and microphone through Flash (which has since been corrected by Adobe);
  • tricking users into making their social networking profile information public;
  • making users follow someone on Twitter;
  • sharing links on Facebook.

Ghostery

Ghostery is a privacy browser extension available for the 5 primary browsers (Internet Explorer, Opera, Mozilla Firefox, Apple Safari, and Google Chrome) that enables its users to easily detect and control tags, web bugs, pixels, and beacons that have the potential to collect data on their browsing habits. In this way it can prevent clickjacking involving social networks like Facebook or Twitter by blocking their scripts on other web pages.

NoScript

Protection against clickjacking can be added to Mozilla Firefox desktop and mobile versions by installing the NoScript add-on: its ClearClick feature, released on 8 October 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets. According to Google's "Browser Security Handbook", NoScript's ClearClick is "the only freely available product that offers a reasonable degree of protection" against clickjacking.

GuardedID

GuardedID (a commercial product) includes client-side clickjack protection for users of Internet Explorer and Firefox without interfering with the operation of legitimate iFrames. GuardedID clickjack protection forces all frames to become visible.

Gazelle

Gazelle is a Microsoft Research project secure web browser based on IE that uses an OS-like security model and has its own limited defenses against clickjacking. In Gazelle, a window of a different origin may only draw dynamic content over another window's screen space if the content it draws is opaque.
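To make the layering described in the Description section concrete, and to show the Gazelle rule as an actual check, here is an added example that is not code from the encyclopedia page or from the Gazelle project. It models a page as a stack of rectangular layers, each drawn by a document of some origin with a given opacity and stacking order, applies the opaque-overlay rule, and reports any non-opaque cross-origin layer stacked over another origin's screen space. The layers and their origins (news.example, shop.example, ads.example) are constructed sample data.

```javascript
// Added example, not code from the encyclopedia page or from the Gazelle project.
// Models a page as a stack of rectangular layers, each drawn by a document of some
// origin with a given opacity and stacking order (z). All layers below are
// constructed sample data with hypothetical origins.

function rectsOverlap(a, b) {
  // Axis-aligned rectangles share screen space if they overlap on both axes.
  return a.x < b.x + b.w && b.x < a.x + a.w &&
         a.y < b.y + b.h && b.y < a.y + a.h;
}

// Gazelle-style compositing rule as the article states it: a window of a
// different origin may draw over another window's screen space only if the
// content it draws is opaque. Returns true when `upper` may be drawn over `lower`.
function gazelleAllows(upper, lower) {
  if (upper.origin === lower.origin) return true;          // same origin: no restriction
  if (!rectsOverlap(upper.rect, lower.rect)) return true;  // no shared screen space
  return upper.opacity >= 1;                               // cross-origin overlay must be opaque
}

// Detector for the layout the Description section describes: an invisible (or
// partly transparent) layer from one origin stacked above an overlapping layer
// of another origin, so that clicks land on content the user cannot see.
function findTransparentCrossOriginOverlays(layers) {
  const findings = [];
  for (const upper of layers) {
    for (const lower of layers) {
      if (upper === lower || upper.z <= lower.z) continue; // only check layers drawn on top
      if (!gazelleAllows(upper, lower)) {
        findings.push({ hidden: upper.label, over: lower.label, opacity: upper.opacity });
      }
    }
  }
  return findings;
}

// Constructed sample: a "news video" page with a visible PLAY button, and a
// genuine shop page loaded fully transparent above it so its BUY button sits
// exactly where the user expects PLAY. An opaque banner from a third origin
// does not overlap either button and is therefore allowed.
const SAMPLE_LAYERS = [
  { label: "news page PLAY button", origin: "https://news.example",
    opacity: 1, z: 0, rect: { x: 100, y: 200, w: 80, h: 30 } },
  { label: "shop page BUY button (hidden)", origin: "https://shop.example",
    opacity: 0, z: 10, rect: { x: 90, y: 190, w: 100, h: 50 } },
  { label: "banner", origin: "https://ads.example",
    opacity: 1, z: 5, rect: { x: 0, y: 0, w: 300, h: 60 } },
];

function sampleFindings() {
  return findTransparentCrossOriginOverlays(SAMPLE_LAYERS);
}

// Stand-alone run: prints the single overlay the detector flags.
console.log(JSON.stringify(sampleFindings(), null, 2));
```

Under the Gazelle rule the transparent shop layer is simply refused, which is why the article describes it as a defense; the same predicate, applied by a page to its own rendered layers, is the kind of check ClearClick-style protections make before honouring a click.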

Framekiller

Web site owners can protect their users against UI redressing (frame-based clickjacking) on the server side by including a framekiller JavaScript snippet in those pages they do not want to be included inside frames from different sources. A framekiller is a piece of JavaScript code that does not allow a web page to be displayed within a frame.
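As an added example that is not the page's own code, here is the commonly used framekiller pattern, written so that its decision logic can be exercised outside a browser. The page body is kept hidden by a style element until the script confirms the document is top-level; when framed, the script navigates the top window to the page's own URL. The `antiClickjack` element id and the fake window/document objects with the hypothetical origins victim.example and framer.example are assumptions made for this example.

```javascript
// Added example, not code from the encyclopedia page. A framekiller that keeps
// the page body hidden until the script confirms it is the top-level document;
// when framed, it navigates the top window to the page's own URL. Assumes the
// page's <head> contains, before this script:
//   <style id="antiClickjack">body { display: none !important; }</style>
// so that nothing is clickable while the page is framed.

// Pure decision: "reveal" when the document is top-level, "bust" when framed.
function framekillerDecision(win) {
  return win.self === win.top ? "reveal" : "bust";
}

// Applies the decision. The window and document are parameters so the same
// code can run against the constructed fakes below and against a real browser.
function applyFramekiller(win, doc) {
  const decision = framekillerDecision(win);
  if (decision === "reveal") {
    // Top-level: remove the hiding style so the page becomes visible.
    const style = doc.getElementById("antiClickjack");
    if (style && style.parentNode) style.parentNode.removeChild(style);
  } else {
    // Framed: replace the framing page with this page. The body stays hidden
    // until that navigation completes, so nothing can be clicked meanwhile.
    win.top.location = win.self.location;
  }
  return decision;
}

// Constructed stand-ins for window and document, with hypothetical origins,
// used only to exercise the logic outside a browser.
function makeFakeEnv({ framed }) {
  const selfWin = { location: "https://victim.example/settings" };
  const topWin = framed ? { location: "https://framer.example/" } : selfWin;
  const style = {
    removed: false,
    parentNode: { removeChild(node) { node.removed = true; } },
  };
  const doc = { getElementById(id) { return id === "antiClickjack" ? style : null; } };
  return { win: { self: selfWin, top: topWin }, doc, style, topWin };
}

// Browser bootstrap: runs the real check when this script is loaded in a page.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  applyFramekiller(window, document);
}
```

Hiding the body by default matters: a script that only redirects leaves a window in which the framed, fully visible page can be clicked before the redirect takes effect. The page's next paragraph notes that this kind of script can be defeated by the framing page, so treat it as a fallback; the browser-enforced defense, a server-sent X-Frame-Options or Content-Security-Policy frame-ancestors header, is not discussed on this page but is what a practitioner would deploy first.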

Such JavaScript-based protection, unfortunately, is not always reliable. This is especially true on Internet Explorer, where this kind of countermeasure can be circumvented "by design" by including the targeted page inside an