Clickjacking is a malicious technique during which a victim is tricked into clicking on a URL, button or clickable object other than that intended by or perceived by the user.

This is done by displaying invisible pages or HTML element, via frames, on top of the page the user sees. The user will continue to navigate the webpage expecting buttons and links to work as expected but behind the scenes it is causing malicious actions to occur such as:

  • Installing malware
  • Stealing credentials
  • Activating webcams or microphones
  • Making unsolicited purchases
  • Authorizing money transfers
  • Identifying locations
  • Boosting click stats on unrelated sites
  • Boosting ad revenues on sites

Types of clickjacking

Likejacking

This technique is used on social media, tricking users into liking pages that they didn’t intend to. For example, the hacker might manipulate the Facebook like button.

Cursorjacking

Cursorjacking is a UI redress technique which changes the cursor position to a different place than the user perceives it. The cursor is usually replaced with a fake one, using an image, and offsets the location of the user’s real cursor. This means that the user will think they are carrying out one action when they are actually completing a different malicious action in the background.

Cookiejacking

This type of UI redress attack steals the victim’s cookies. By obtaining the cookies, the attacker can access information contained within them and use it to impersonate the victim.

Filejacking 

The attacker uses this technique to access the victim’s local file systems and steal files from within them. When uploading an image, for example, a window will come up allowing you to browse the files on your device. During this type of attack, clicking the “Browse Files” button will establish an active server, giving the attacker the potential to access your entire file system.

Prevention and Protection

To defend against clickjacking, web developers and organizations can implement several protective measures:

X-Frame-Options Header

This HTTP response header can prevent a webpage from being embedded in an iframe, stopping clickjacking attempts.

Content Security Policy (CSP)

A CSP allows developers to specify which content sources are allowed, reducing the risk of malicious overlays being implemented.

User Education

Users should be educated about the risks of clicking on suspicious links or buttons and encouraged to check the legitimacy of a webpage before interacting with it.