- Security

Clickjacking: What Is It, And How Can You Avoid It?

When it comes to ways that hackers and malware distributors gain access to your computer, there are some things that get talked about a lot: social engineering, SQL injection, DDoS attacks, and so on. But one attack that doesn’t get talked about as much that’s just as nefarious as the others is clickjacking.

Clickjacking is difficult to detect, can affect just about anyone, and is spread across a wide variety of operating systems and applications. Here’s what you need to know about clickjacking, including what it is, where you’ll see it, and how to protect yourself against it.

What Is Clickjacking?

As you might have gathered from the name, clickjacking is the process of hijacking a user’s click on a computer (it can also be used to hijack keystrokes, but “keystrokejacking” is a whole lot harder to say). There are a number of ways that this process can take place, but they all have one thing in common: a user thinks they’re clicking on one thing, when in reality, they’re clicking on something else.

Many clickjacking attacks include a transparent user interface placed over another interface that the user is expecting to see (which is why “UI redressing” is another name for this method). Then, when that user thinks they’re clicking on something, they’re actually clicking on something else that they can’t see. You might think you’re clicking on a link that will sign you up for a cool newsletter, when you’re actually clicking a button that gives a cybercriminal access to your email account, for example.

Another type of attack changes the actual position of the user’s cursor, but leaves the display untouched, so that the cursor looks like it’s in one place, but is actually in another. Sounds like it would just be a big annoyance, but it can be used to get people to click on things that give away sensitive information.

Some other creative attacks fall under the umbrella of clickjacking, too. For example, a recent attack used a piece of malware to redirect users’ searches on Bing, Google, and Yahoo to customized (and fraudulent) results pages that were full of Google-AdSense-powered ads. Users would click on the ads, thinking they were legitimate search results, and the attackers would get paid.

clickjack-transparency

Some people even include social-engineering-type attacks in clickjacking; for example, back in 2009, a tweet was going around Twitter that said “Don’t Click” and included a link. Whenever someone clicked on the link, the same thing would be tweeted from their account. Similar techniques have been used to spread money-generating links on Facebook.

Clickjacking isn’t just limited to websites and apps in which users have a mouse, though; it can also happen on mobile devices. One recent example is Android.Lockdroid.E, a piece of Android ransomware that used clickjacking (or “touchjacking,” if you prefer) to gain administrative rights to the target device. And we’ve recently heard about the Accessibility Clickjacking vulnerability on Android smartphones and tablets.

What You Can Do to Prevent Clickjacking

Unfortunately, there’s not a whole lot you can do to prevent clickjacking unless you’re a website administrator. By far the most commonly recommended method of protecting yourself while you’re browsing is to use NoScript, the Firefox add-on that prevents scripts from loading without specific authorization from you. NoScript has some specifically anti-clickjacking features, and is really good at detecting the kinds of scripts that create transparent overlays on websites.

noscript-firefox

Any similar extensions that you can use to prevent scripts or apps from loading will also provide some protection.

The best defenses against clickjacking, however, need to come from site admins. Many of the defenses are rather technical, and if you want to find out exactly how to implement them, I recommend checking out the Clickjacking Defense Cheat Sheet from OWASP.

One of the best ways to go about preventing clickjacking on your site it to include an x-frame-options HTTP header that prevents your site’s content from being loaded in a frame (<frame> tag) or iframe (<iframe> tag). Because these are often used as attack vectors — not just for clickjacking, but for other threats as well — this is an effective way of mitigating the threat.

x-frame-options

Preventing cross-site scripting (XSS) will also help reduce the chances of a clickjacking attack on a site. Because XSS is also used for other attacks, it’s a good idea to protect against it anyway.

To minimize the likelihood of a clickjacking attack on your mobile device, you may want to restrict yourself to only downloading apps from trusted sources, like the Apple App Store or the Google Play Store. While this isn’t a guarantee that you’ll be free from attacks, these apps are considerably less likely to include malicious code than those you get from a third-party source.

You can also avoid using in-app browsers, as this is a common place for touchjacking attacks to occur. Set the default behavior for link-opening in your apps to open in the system browser, instead of the in-app browser, and you’ll eliminate one more potential weakness in your defense.

A Real Threat

As mentioned before, clickjacking sounds like more of an annoyance than a real threat to your security, but if it’s used effectively, it can help attackers steal some very important information or gain access to your online accounts, where they could do serious damage.

And while most of the defense has to come from behind the scenes, you can use script-blocking extensions to prevent most of these attacks — if you’re okay with using these kinds of add-ons, as they’re a bit controversial.

Do you know of any examples of large-scale clickjacking attacks, or have you been the victim of one of these attacks? Do you use NoScript or deploy any defenses on your own website? Share your thoughts below!

Image credit: Mozilla.

About Dann Albright

Read All Posts By Dann Albright