What is Clickjacking?
Most threats like phishing and malware are well known and understood by users, others like "clickjacking" remain less familiar. The term "clickjacking" is a compound of "click" and "hijacking". It refers to a malicious technique where attackers trick users into clicking on something different from what they perceive. In essence, an attacker can "hijack" clicks and make users perform unintended actions.
How does clickjacking work?
Clickjacking is typically accomplished using a combination of embedded content and a transparent layer. This is a simplified breakdown of the process:
Page with an embedded page
Attackers create a page and embed a legitimate web page,
e.g. a login to a service, by using an IFRAME.
Invisible frame
The attackers arrange an invisible (transparent) frame on top of the IFRAME with the legitimate page.
They also place invisible controls on that frame at the same position as the controls of the legitimate page.
Deceptive prompt
The attackers now lure the user to open the page in a browser, e.g. via a phishing email.
↓Unintended action
When the user attempts to interact with what they see, they are unknowingly interacting with the hidden layer. This causes them to perform actions they do not intend, like downloading malware, submitting credentials, or making online transactions.
Why is clickjacking dangerous?
Successful clickjacking attacks may have severe consequences:
- Privacy breaches / account hijacking: attackers might gain access to the user's personal computer and/or online accounts.
- Unintended transactions: users can be tricked into making unwanted transactions, e.g. purchases or bank transfers.
- Social media manipulation: users can unintentionally share content or like pages, potentially spreading misinformation or unwanted content.
How to Protect Yourself from Clickjacking
As a user:
- Modern web browsers come with built-in security mechanisms to prevent clickjacking attacks, so make sure you always run the latest version of a modern browser like Google Chrome, Firefox, or Safari.
- Approach all links with caution. Assume that there is nothing like a "safe channel": links are can be found on websites, and are being posted on social media and sent over email and messengers like Microsoft Teams, Slack, and others. Google Safe Browsing, web proxies, web filters, and EDR (Endpoint Detection and Response) tools all do a decent job of filtering threats, but they might not know of the latest threat that was released 2 minutes ago.
- Look for signs: if you clicked on a button and it lead to an unexpected result, it might be a clickjacked page. Double-check the full (!) URL. Be vigilant.
As a webmaster: implement:
X-Frame-OptionsHTTP response header for all your websitesContent-Security-Policyframe-ancestorsdirective
The second option obsoletes the first in all modern browsers.
Conclusion
Clickjacking is a subtle yet significant threat. By understanding its mechanisms and by staying updated with preventive measures, users can navigate the web in a secure manner. Webmasters should implement the technical measures described in this post.
References
Google Safe Browsing
MDN (Mozilla Developer Network): X-Frame-Options
MDN (Mozilla Developer Network): Content-Security-Policy
Can I use: HTTP header: Content-Security-Policy: frame-ancestors
