Clickjacking: What You Need to Know
Clickjacking is a form of client-side, web-based attack in which the attacker tricks the victim into clicking areas of disguised or obfuscated HTML elements, such as IFRAME, APPLET, OBJECT, or any other HTML element that can display externally loaded resources. The clickjacking technique aims to circumvent the stringent security policies of the browser and all of its components by getting the user to perform the actions the attacker needs, on the attacker's behalf—without realizing that he or she is under attack.
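The overlay described above only works when a third-party page is allowed to load the target page inside a frame. The following is an added example, not code from the original article: a small Node.js helper that classifies a server response's headers by whether an arbitrary origin may frame the page, using the real X-Frame-Options and Content-Security-Policy frame-ancestors rules as current browsers apply them (CSP wins when both are present; ALLOW-FROM is ignored by current browsers). The header sets at the bottom are constructed for illustration, the `headers` object shape is assumed to be Node's lower-cased `http.IncomingMessage.headers`, and only single-valued X-Frame-Options headers are handled.

```javascript
// Added example (not from the original article). Classify framing protection
// from response headers: 'none' (any site may frame the page), 'restricted'
// (same origin or listed origins only), or 'denied' (nobody may frame it).

// Return the frame-ancestors source list from a Content-Security-Policy
// header value, lower-cased, or null when the directive is absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// `headers` is an object keyed by lower-cased header name (assumed: the shape
// Node's http.IncomingMessage.headers uses).
function framingProtection(headers) {
  const ancestors = frameAncestors(headers['content-security-policy']);
  if (ancestors) {
    // Browsers that support frame-ancestors honour it and ignore X-Frame-Options.
    if (ancestors.length === 0 || ancestors.includes("'none'")) {
      // An empty source list matches no origin, same effect as 'none'.
      return { level: 'denied', source: 'csp', reason: "frame-ancestors 'none'" };
    }
    if (ancestors.includes('*') || ancestors.includes('https:') || ancestors.includes('http:')) {
      return { level: 'none', source: 'csp', reason: 'frame-ancestors permits any origin' };
    }
    return { level: 'restricted', source: 'csp', reason: `frame-ancestors ${ancestors.join(' ')}` };
  }

  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') {
    return { level: 'denied', source: 'xfo', reason: 'X-Frame-Options: DENY' };
  }
  if (xfo === 'SAMEORIGIN') {
    return { level: 'restricted', source: 'xfo', reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // ALLOW-FROM was never supported by Chrome and was dropped by Firefox;
    // current browsers ignore the whole header, so it protects nothing.
    return { level: 'none', source: 'xfo', reason: 'ALLOW-FROM is ignored by current browsers' };
  }
  if (xfo) {
    // Unrecognised values are ignored by browsers, which also means no protection.
    return { level: 'none', source: 'xfo', reason: `unrecognised X-Frame-Options value "${xfo}"` };
  }
  return { level: 'none', source: 'missing', reason: 'no X-Frame-Options or frame-ancestors header' };
}

// In-page check a document can run itself: true when it is not the top-level
// browsing context. Takes a window-like object so it can be exercised outside
// a browser. Useful for telemetry, but as the only defence it is weaker than
// the headers above, since the framing page controls the environment.
function isFramed(win) {
  return win.top !== win.self;
}

// Constructed sample header sets (not captured from any real site).
const SAMPLES = {
  unprotected: { 'content-type': 'text/html' },
  legacyDeny: { 'x-frame-options': 'DENY' },
  cspSelf: { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
  cspWildcard: { 'content-security-policy': 'frame-ancestors *' },
  bothPresent: { 'x-frame-options': 'SAMEORIGIN', 'content-security-policy': "frame-ancestors 'none'" },
};

// Map each sample to its protection level.
function auditSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    out[name] = framingProtection(headers).level;
  }
  return out;
}

console.log(auditSamples());
```

Run it with `node` to see the per-sample classification; in a real audit, feed it the `headers` object of an actual `http.get` response. A result of `none` on a page that carries authenticated, state-changing buttons is exactly the precondition the attack in this article relies on.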
The clickjacking technique is an old form of attack that was recently revived with help from Jeremiah Grossman and Robert (rsnake) Hansen, two researchers known for several discoveries of web and client-side (more specifically, browser-related) vulnerabilities. Ever since Grossman and Hansen's public statement about their finding, the clickjacking technique has been discussed in full on several niche blogs and information security resources online, including ha.ckers.org, hackademix.net and GNUCITIZEN.
In this article, we'll look into what clickjacking is and what you need to do to protect yourself as a web application developer and as a user.
What Is Clickjacking?
The clickjacking technique falls into the category of graphical user interface (GUI) attacks. Another attack in the same category is the infamous file-input focus-stealing bug, with all of its variations, which allows attackers to steal any file from the filesystem when the victim is tricked into typing characters into a seemingly harmless text field. The clickjacking attack is also what security researchers call a design bug. Essentially, clickjacking is possible because of several design limitations. Design bugs are difficult to fix because they usually require a change to the affected system's design, which is often far from trivial. Very often, design bugs stay unfixed.
To understand how clickjacking works, consider the following example. You visit your Facebook account. On your dashboard is a notification that one of your friends wants to share a new story with you, so you follow the link inside her message. Once you click the link, a new tab opens inside your browser, displaying a strange but rather harmless-looking message (see Figure 1). The page simply asks whether you'd like to use AJAX to preview the content of the page, as it will improve your user experience. There's only one button, so you hurry to click it and move on.
Game over—you've been clickjacked! The longer you stay on this page, the more auditory and visual data will be retrieved from your current surroundings, via your microphone and camera. You've been cyber-bugged.