Clickjacking: What Is It & How Does It Work?


Clickjacking is a type of attack that tricks a user into clicking a website element that is either invisible or disguised as another element. This hijacks a user’s click meant for one thing but leads to another.

For example, a clickjacking attack on a Twitter user can turn what they think is a click on the reply button into a retweet of a malicious domain to their followers. This is typically seen as a browser security issue. However, such an attack can also take place in mobile applications.

Understanding the concept of clickjacking

Clickjacking is an attack that tricks users into thinking they are clicking on one thing when in fact, they are clicking on something else. Essentially, unsuspecting users believe they are using a web page’s usual user interface when in reality, attackers have imposed a hidden user interface instead.

When users click on buttons they think are safe, the hidden user interface performs a different action. This can cause users to inadvertently download malware, provide credentials or sensitive information, visit malicious web pages, transfer money, or purchase products online.

There are different variations of clickjacking attacks and because of that, the terms ‘user interface (UI) redressing’ or ‘UI redress attacks’ are often used to encompass different variations.

Also known as a user interface redress attack, the term clickjacking was coined by Jeremiah Grossman and Robert Hansen in 2008.

While clickjacking might seem like spoofing—in which the cyber attacker recreates websites or landing pages to trick users into thinking the fake pages are the original, legitimate pages—it is much more sophisticated. The website the victim is looking at in a clickjacking scheme is the real website of a known, trusted entity.

However, the attacker has added an invisible overlay on top of its content using standard HTML technologies, including custom cascading style sheets (CSS) and iframes, which allow content from one website to be embedded in another.

How clickjacking works

Clickjacking is possible because of HTML frames or iframes – i.e., the ability to display web pages within other web pages through frames. Essentially, an iframe is a frame within a frame. Iframes enable you to embed content from other sources onto your web pages.

For example, when you visit a website with an embedded YouTube video, that video is displayed inside an iframe. This is what makes clickjacking possible: if a web page can be displayed within a frame, attackers can cover the original web page with a hidden, transparent layer with its own JavaScript and UI elements. The outward appearance of the web page remains unchanged, which means users have no reason to suspect anything might be amiss.

Users then navigate the web page, expecting links and buttons to work normally. But the hidden UI means the attacker’s script works instead. The attacker’s script can work behind the scenes to make it appear as though nothing is wrong. This makes a range of malicious actions possible, including:

  • Installing malware
  • Stealing credentials
  • Activating your webcam or microphone
  • Making unsolicited purchases
  • Authorizing money transfers
  • Identifying your location
  • Boosting click stats on unrelated sites
  • Boosting ad revenues on sites
  • Gaining likes on Facebook or increasing views of YouTube videos

Also, remember that clickjacking isn’t just about mouse clicks. Using a combination of stylesheets, text boxes, and iframes, an attacker could fool an unsuspecting user into thinking they are typing in their password on their online banking site, when in fact they are typing it into a site controlled by the attacker.

As with other forms of cybercrime, clickjacking attacks often rely on some form of social engineering to direct the targets to the compromised or malicious site. This might be an email, a text message, a social media post, and so on.

Types of clickjacking attacks

Complete transparent overlay

Perhaps the most common clickjacking strategy, this method overlays a legitimate webpage over a malicious page. The legitimate page is loaded into an invisible iframe, and the user has no idea that a malicious page is underneath. 

Cursorjacking

Cursorjacking changes the user’s cursor position to a different place from where the user perceives it. A typical cursorjacking attack replaces the actual cursor with a fake one, using an image, and offsets it from the location of the real cursor. As a result, the user believes they are making a particular action while they are really making another one.

When the victim clicks an intended element with the fake cursor, the actual cursor clicks a malicious element. The real cursor may remain visible in a cursorjacking attack, although efforts are made to focus the victim’s attention on the fake one.

Cookiejacking

Cookiejacking is a UI redress attack that steals the victim’s cookies. Once the attacker obtains the cookies, they can access the information they contain and use it to impersonate the victim. This is typically achieved by tricking the victim into dragging and dropping an element on the page. What they are actually doing is selecting the contents of their cookies on the embedded invisible page and handing that over to the attacker.

The attacker can then perform actions on the target website on behalf of the user.

Drag and drop

This is a clickjacking strategy that requires the user to do more than just click. The victim will need to fill out forms or perform another action. The web forms might look like those of the legitimate page, but when users fill out the fields, the data is captured by the cyber attacker via the malicious page underneath. The goal, as with any cyberattack, is to obtain personal or sensitive information without the victim’s knowledge. 

Due to the dynamic, innovative nature of the web, including new JavaScript frameworks, cyberattacks similar to clickjacking will continue to proliferate. Victims will continue to be tricked into performing unexpected actions on websites that seem identical to sites they have used before.

As such, clickjacking might be difficult to detect, but in large organizations, as employees and customers interact with the company’s web properties at scale, odd click behavior should be reported and acted upon quickly to thwart a cyberattack.

Filejacking

Filejacking allows the attacker to access the victim’s local file system and take files. For example, when you upload a photo to social media, a file browser window appears and you can navigate your file system. In a filejacking attack, clicking the ‘Browse Files’ button (or however your browser labels it) establishes an active file server.

This potentially gives the attacker access to your entire file system.

How to prevent clickjacking attacks

If you want to measure the vulnerability of your website before implementing clickjacking defenses, refer to the OWASP clickjacking cheat sheet.

Clickjacking mitigation can be achieved on both the client side and the server side. Let’s discuss the options for both scenarios.

Client-side clickjacking prevention

Client-side clickjacking prevention isn’t as effective as server-side prevention tactics. These methods should be implemented as a secondary option.

1. Frame-busting scripts

Frame-busting scripts prevent your website from functioning inside a frame. With a few lines of JavaScript, you can specify how a browser should react when your page is loaded in a frame.

A common frame-buster technique is to force the browser to reload the framed page (the legitimate page the attacker is targeting) in the top window. By doing so, the legitimate page replaces the malicious page that was framing it.

This action can be prompted with the following lines of JavaScript:

   <script>
     if (top != window) {
       top.location = window.location;
     }
   </script>

This defense can, however, be easily circumvented. The attacker could block the forced reload attempt with the following lines of JavaScript in the framing page:

   <script>
     window.onbeforeunload = function() {
       return false;
     };
   </script>

Another way to circumvent frame-busting is by using the HTML5 iframe sandbox attribute. Here’s an example of the HTML:

   <iframe id="decoy_webpage"
           src="https://decoy-website.com"
           sandbox="allow-scripts allow-forms allow-same-origin">
   </iframe>

By omitting the allow-top-navigation value from the sandbox attribute, the framing page prevents the framed page from navigating the top window, so the frame-busting redirect is blocked. The attacker can still permit the browser to run scripts and submit forms inside the frame.

Frame-busting scripts are not a recommended defense against clickjacking attacks. Many web browsers block frame-busting JavaScript code, and the browsers that don’t can be easily tricked into permitting the malicious overlay.

A study by the Stanford Web Security Group outlines the vulnerabilities of frame-busting methods.
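The Stanford study and the OWASP cheat sheet referenced above recommend a "hide by default" variant of frame-busting: the page body is hidden by CSS and only revealed once script has confirmed the page is the top-level window. An attacker who blocks the redirect (for instance with the onbeforeunload trick shown above, or with a sandboxed iframe) is then framing a blank, invisible page, which is useless for an overlay. The following is an added example written for this article, not code from the article or from OWASP; the function names and the stand-in document objects used to exercise it outside a browser are constructed here.

```javascript
// Added example, not code from the original article: the "hide by default"
// frame-busting pattern. Hidden until proven top-level; bust out if framed.

// Pure decision: are we the top-level window (reveal) or framed (bust)?
function framingVerdict(selfWin, topWin) {
  return selfWin === topWin ? 'reveal' : 'bust';
}

// Apply the verdict. `doc` must expose getElementById; the <style> element
// with id "antiClickjack" is the one that hides <body>. Returns the verdict.
function applyAntiClickjack(doc, selfWin, topWin) {
  const verdict = framingVerdict(selfWin, topWin);
  if (verdict === 'reveal') {
    // Not framed: drop the hiding style so the page becomes visible.
    const style = doc.getElementById('antiClickjack');
    if (style && style.parentNode) style.parentNode.removeChild(style);
  } else {
    // Framed: try to break out. If the framing page sandboxed us without
    // allow-top-navigation this assignment throws, but the page simply
    // stays hidden, which is the fallback defence.
    try {
      topWin.location = selfWin.location;
    } catch (err) {
      // Intentionally swallowed: remaining hidden is the desired outcome.
    }
  }
  return verdict;
}

// Browser entry point. The markup must carry the hiding style before this
// script runs, e.g. in <head>:
//   <style id="antiClickjack">body { display: none !important; }</style>
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  applyAntiClickjack(document, window.self, window.top);
}

// Minimal stand-ins (constructed for this example) so both branches can be
// exercised outside a browser: a document whose <head> holds one
// <style id="antiClickjack"> element.
function makeFakeDocument() {
  const head = { children: [] };
  const style = { id: 'antiClickjack', parentNode: head };
  head.children.push(style);
  head.removeChild = (node) => {
    head.children = head.children.filter((c) => c !== node);
  };
  return {
    head,
    getElementById: (id) => head.children.find((c) => c.id === id) || null,
  };
}
```

The important property is that the failure mode is safe: if the redirect is blocked by any of the bypasses described above, the attacker's frame contains nothing clickable. The style element must be in the static markup, not injected by script, or a page with scripts disabled by the attacker's sandbox would render normally.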

2. Install browser extensions

Anti-clickjacking browser extensions don’t provide the best user experience because they disable all the JavaScript on loaded websites. Many popular websites like Facebook, Twitter and YouTube rely on JavaScript, and these extensions will impede their functionality.

To maintain the JavaScript experience on trusted sites, you would need to manually specify a whitelist.

Here’s a list of JavaScript-blocking add-ons for different browsers:

Chrome

Scriptsafe is an extension for Chrome.

Mozilla Firefox

NoScript is a Mozilla Firefox browser add-on.

Safari

JS Blocker is a Safari browser extension.

Microsoft Edge

Javascript Toggle ON and Off is an add-on you can install on Microsoft Edge.

DuckDuckGo

DuckDuckGo doesn’t have a JavaScript-blocking add-on you can install, but it does offer an alternative browser specifically developed to block JavaScript on websites. You can access this browser here.

Internet Explorer

To disable Javascript on Internet Explorer, follow this process:

  1. Select the gear icon in the top right corner or press ALT+X
  2. From the drop-down menu select ‘Internet options’
  3. Click the ‘Security’ tab
  4. Click ‘custom level’
  5. Under ‘Active Scripting’ select ‘Disable-ON’
  6. Select ‘Yes’ to confirm

Server-side clickjacking prevention

Many clickjacking attacks occur on duplicates of legitimate websites. An attacker could clone your website and weaponize it with hijacked links hidden on top of it. Besides the devastating consequences for users, your business could suffer irremediable reputation damage.

You need to, therefore, ensure that none of your web pages can be wrapped in a <FRAME> or <IFRAME> tag.

There are two ways you can do this:

1. Specify the correct Content-Security-Policy frame-ancestors directive.

The Content Security Policy (CSP) with its frame-ancestors directive, is a highly effective cybersecurity tactic against webpage embedding.

Besides protecting your website from iframe embedding, the Content-Security-Policy also protects your website from cross-site scripting (XSS), one of the most common types of cyber attacks.

To implement this defense, you first need to ensure your web server is configured to return the Content-Security-Policy header. Once CSP has been added to your website, the appropriate frame-ancestors directive can be set in that header to disallow embedding.

The frame-ancestors ‘none’ directive will prevent all domains from embedding your website in a frame.

For example:

Header set Content-Security-Policy "frame-ancestors 'none';"

If you wanted to enable embedding by your domain only, you would enable the frame-ancestors ‘self’ directive as follows:

Header set Content-Security-Policy "frame-ancestors 'self';"

To permit a domain outside of your own to embed your web pages, you need to use the ‘data:’ scheme and specify the whitelisted URI. This, however, is not a secure method and can be bypassed by injecting multiple arbitrary data: URIs.

2. Specify the x-frame-options deny directive

The x-frame-options response header specifies whether a browser is permitted to embed your web pages in a frame.

The X-Frame-Options response header will eventually become obsolete and be replaced by the frame-ancestors directive, so it should not be your primary method of defense.

To send the correct x-frame-options HTTP headers from your website resources, you need to set the directive to ‘deny.’

For example:

X-Frame-Options: DENY

Once X-Frame-Options is set to DENY on the server side, all attempts to load your website in a frame will be blocked. This is equivalent to the frame-ancestors ‘none’ directive of the Content Security Policy.

If you wanted to permit framing by your own domain only, you would set the same origin directive as follows:

X-Frame-Options: SAMEORIGIN

This is equivalent to the frame-ancestors ‘self’ directive of the Content Security Policy. It will only permit the framing of your web content if the parent shares the same origin.
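As an added example, not from the article or any named project: a small Node.js helper that builds the header pair described above for each framing policy, plus an audit function a defender can run over captured response headers to tell whether a page is actually protected. It mirrors browser behaviour in that a frame-ancestors directive takes precedence over X-Frame-Options when both are present, and it flags the easy mistake of writing frame-ancestors none without quotes, which browsers parse as a host named "none" rather than the keyword. The function names and the sample header sets are constructed for this example.

```javascript
// Added example, not code from the original article: build anti-framing
// headers and audit a response's headers for clickjacking protection.

// Build headers for one of three policies: deny all framing, allow same-origin
// only, or allow an explicit list of origins. Third-party origins can only be
// expressed in CSP; X-Frame-Options ALLOW-FROM is obsolete, so SAMEORIGIN is
// emitted as a conservative fallback for browsers without CSP support.
function antiFramingHeaders(policy, allowedOrigins = []) {
  switch (policy) {
    case 'deny':
      return { 'Content-Security-Policy': "frame-ancestors 'none'",
               'X-Frame-Options': 'DENY' };
    case 'self':
      return { 'Content-Security-Policy': "frame-ancestors 'self'",
               'X-Frame-Options': 'SAMEORIGIN' };
    case 'allowlist':
      if (allowedOrigins.length === 0) throw new Error('allowlist policy needs at least one origin');
      return { 'Content-Security-Policy': "frame-ancestors 'self' " + allowedOrigins.join(' '),
               'X-Frame-Options': 'SAMEORIGIN' };
    default:
      throw new Error('unknown policy: ' + policy);
  }
}

// Case-insensitive lookup over a plain object of header name -> value.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Audit a response. Returns { protected, source, policy, notes }.
function auditFramingHeaders(headers) {
  const notes = [];
  const csp = getHeader(headers, 'Content-Security-Policy');
  if (csp !== undefined) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => /^frame-ancestors(\s|$)/i.test(d));
    if (directive !== undefined) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      if (sources.length === 0) {
        notes.push('frame-ancestors has an empty source list; fix the directive');
        return { protected: false, source: 'CSP', policy: '', notes };
      }
      if (sources.some((s) => s === '*' || s === 'http:' || s === 'https:')) {
        notes.push('frame-ancestors allows any origin, which is no protection');
        return { protected: false, source: 'CSP', policy: sources.join(' '), notes };
      }
      if (sources.includes('none')) {
        // Unquoted none is a host-source matching a host literally named "none".
        notes.push("unquoted none: write frame-ancestors 'none'");
        return { protected: true, source: 'CSP', policy: 'none (unquoted)', notes };
      }
      if (sources.includes("'none'")) {
        return { protected: true, source: 'CSP', policy: "'none'", notes };
      }
      if (sources.every((s) => s === "'self'")) {
        return { protected: true, source: 'CSP', policy: "'self'", notes };
      }
      notes.push('framing permitted from: ' + sources.filter((s) => s !== "'self'").join(' '));
      return { protected: true, source: 'CSP', policy: sources.join(' '), notes };
    }
    notes.push('CSP present but has no frame-ancestors directive');
  }
  const xfo = getHeader(headers, 'X-Frame-Options');
  if (xfo !== undefined) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY' || value === 'SAMEORIGIN') {
      return { protected: true, source: 'X-Frame-Options', policy: value, notes };
    }
    notes.push(value.startsWith('ALLOW-FROM')
      ? 'ALLOW-FROM is obsolete and ignored by current browsers'
      : 'unrecognised X-Frame-Options value is ignored by browsers: ' + xfo);
  }
  return { protected: false, source: null, policy: null, notes };
}

// Constructed sample responses: the recommended settings, the unquoted-none
// mistake, a legacy-only header, and a page with no protection at all.
const SAMPLE_RESPONSES = {
  hardened: antiFramingHeaders('deny'),
  unquotedNone: { 'content-security-policy': 'frame-ancestors none;' },
  legacyOnly: { 'x-frame-options': 'sameorigin' },
  unprotected: { 'content-type': 'text/html' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    console.log(name, JSON.stringify(auditFramingHeaders(headers)));
  }
}
```

Run it against the headers returned by a real response (for example, the header map from an HTTP client) to confirm the deployed policy matches the one intended; the notes array is where misconfigurations such as an unquoted none or an obsolete ALLOW-FROM surface.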

Easy ways to prevent falling victim to clickjacking

Watch for emails claiming to address an urgent matter

One of the most common ways clickjacking software gets on devices is through targeted emails. Unfortunately, in a world where hackers have stolen billions of customer accounts with contact details, it only costs pennies per account for cybercriminals to buy this information. The likelihood of cybercriminals having at least your email account on file along with its associated bank is high.

Watch out for emails that arrive in your inbox claiming to address an urgent matter requiring your attention. These emails require you to click a link, and that link could take you to a website that looks identical to your banking or other official website to fool you into downloading the latest version of the institution’s app or filling out profile information.

Do not download any suspicious apps

If the goal of clickjacking is to get you to download an app, the app is probably malware that captures and steals all your credentials. In other cases, the website itself could be the source of the malware that sneaks onto your device.

Regardless of how it happens, the malware presents false input layers for you to fill out.

Stay vigilant by not downloading any app you are unsure of. Always download apps onto devices through authorized app stores. The official app stores have both software agents and human beings working to weed out malware and inappropriate content.

Use a robust antivirus

To protect yourself against cybercrimes, including clickjacking, it’s strongly recommended to use a comprehensive antivirus. A quality antivirus should work 24/7 to secure your devices and data, blocking common and complex threats like viruses, malware, ransomware, spy apps and all the latest hacker tricks.

Avoid clicking on too-good-to-be-true Google or Facebook ads

It’s important to avoid clicking on ads on search engine results pages or social media that appear to offer something too good to be true or promote news or stories that seem out of the ordinary. In some cases, clicking on these items could take you to a website that downloads clickjacking software onto your computer.

Instead, look for the news on an alternative channel, such as a reputable, long-standing news source. If the news is real, it won’t be hard to find on valid outlets.

It’s important to stay vigilant against clickjacking attacks. Fortunately, most browsers these days have built-in protection against clickjacking, either by blocking malicious websites or warning users that they are about to access a potentially dangerous site.

By practicing cyber hygiene and avoiding online service providers that offer free or pirated services, it is possible to stay safe against clickjacking. 
