Are you clicking what you think you’re clicking? A little-known type of security exploit should make you think twice.
Clickjacking, also called UI redressing or IFrame Overlay, is a type of attack in which a visible button or field is covered by an invisible element, typically a transparent frame, script or link, so that the click a user thinks they are making lands on something else entirely.
For example, a popup ad might leave you desperate to click the “X” without pause – but this innocuous “X” button could be overlaid with a script to download a Trojan.
The site affected by this attack need not be malicious itself. It might simply be unlucky, having been the victim of a hack or other exploit. However, you’ll also commonly find clickjacking on phishing sites, illegal streaming services that offer access to copyrighted content (including the latest episode of a particular HBO blockbuster), popunder or popover ads, and many bootleg online retailers.
The disturbing implications of this exploit become more apparent when you consider that any button, on any page, can have a malicious script or inline frame hovering over it. Additionally, the inline frame or script can discreetly hover under a user’s mouse.
The researchers who first discovered this issue, Robert Hansen and Jeremiah Grossman, had this to say on the matter:
Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc.
The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. […]
Say you have a home wireless router that you had authenticated prior to going to a web site. [The malicious coding] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules.
Such an attack can clearly be very powerful. So, how can you avoid clickjacking as an end user? Sadly, you cannot do so completely, because most of the protection against clickjacking is the responsibility of the site owner.
However, you can greatly reduce your risk by avoiding obviously shady places: warez, torrenting and illegal streaming sites, whose advertising or user interfaces may contain clickjacking scripts. Needless to say, clicking any links in phishing or spam emails is also never a good idea!
Thankfully, the solution is easier for site owners. Take note: a few simple lines of code can completely stop a clickjacking attack on your site.
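The "few simple lines" a site owner controls are HTTP response headers: `Content-Security-Policy: frame-ancestors` (the current standard) and the older `X-Frame-Options` (kept as a fallback for browsers without CSP support). The following is an added example, not code from the article or from Hansen and Grossman. It does two things: it classifies a captured set of response headers as framable or protected, so you can audit your own site, and it emits the headers (via a small WSGI middleware) so every HTML response carries them. The sample header sets and the `hello_app` WSGI application are constructed for the example; `https://partner.example` is a placeholder origin.

```python
"""Audit and emit the response headers that stop a page from being framed.

Added example for the clickjacking article above; not the article's own code.
"""
from typing import Dict, Iterable, Optional, Tuple


def header_value(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[str]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return None


def frame_protection_status(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify a response as ('protected' | 'framable', reason).

    CSP frame-ancestors wins over X-Frame-Options in browsers that support it,
    so it is checked first. The obsolete X-Frame-Options: ALLOW-FROM form is
    ignored by current browsers and therefore counts as no protection.
    """
    csp = header_value(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = frame_ancestors(csp)
        if ancestors is not None:
            if ancestors.strip() == "*":
                return "framable", "frame-ancestors * allows any origin to frame the page"
            return "protected", "CSP frame-ancestors: " + ancestors
    xfo = header_value(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return "protected", "X-Frame-Options: " + value
        if value.startswith("ALLOW-FROM"):
            return "framable", "X-Frame-Options ALLOW-FROM is obsolete and ignored by modern browsers"
    return "framable", "no frame-ancestors directive and no X-Frame-Options header"


def clickjacking_headers(allowed_origins: Iterable[str] = ()) -> Dict[str, str]:
    """Headers to add to every HTML response.

    With no allowed origins the page may not be framed at all. With origins,
    CSP allows exactly those plus the page's own origin; X-Frame-Options has no
    working multi-origin form, so SAMEORIGIN is the best fallback for old browsers.
    """
    origins = list(allowed_origins)
    if not origins:
        return {"Content-Security-Policy": "frame-ancestors 'none'",
                "X-Frame-Options": "DENY"}
    return {"Content-Security-Policy": "frame-ancestors 'self' " + " ".join(origins),
            "X-Frame-Options": "SAMEORIGIN"}


def add_frame_protection(app, allowed_origins: Iterable[str] = ()):
    """WSGI middleware that appends the anti-framing headers unless the app set them."""
    extra = clickjacking_headers(allowed_origins)

    def wrapped(environ, start_response):
        def guarded_start_response(status, response_headers, exc_info=None):
            headers = list(response_headers)
            present = {name.lower() for name, _ in headers}
            for name, value in extra.items():
                if name.lower() not in present:
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return app(environ, guarded_start_response)
    return wrapped


def hello_app(environ, start_response):
    """Constructed minimal WSGI app that sets no framing headers of its own."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def collect_headers(app) -> Dict[str, str]:
    """Invoke a WSGI app with a constructed GET request and return its headers."""
    collected: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        collected.update(headers)
    b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return collected


if __name__ == "__main__":
    # Constructed header sets, as they might be captured from a site audit.
    samples = {
        "no headers": {"Content-Type": "text/html"},
        "deny": {"X-Frame-Options": "deny"},
        "obsolete allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "csp": {"content-security-policy": "default-src 'self'; frame-ancestors 'self' https://partner.example"},
        "csp without frame-ancestors": {"Content-Security-Policy": "default-src 'self'"},
    }
    for label, hdrs in samples.items():
        print(f"{label:28s} -> {frame_protection_status(hdrs)}")
    print(collect_headers(add_frame_protection(hello_app)))
```

Serving the middleware-wrapped app is enough for most sites; for a page that must be embedded by a known partner, pass that origin in `allowed_origins` rather than dropping the headers, and re-run the audit against the live response to confirm the result is still "protected".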