The Menace of Clickjacking

Clickjacking

We are easily enticed by free stuff and end up clicking on things we should not, and once you do that, wham! You have just been clickjacked. You may think you have just won a lottery, but soon all your personal information is at stake, or even worse.

A clickjacking attack is designed to trick users into clicking a webpage element that is either invisible or disguised as another visual element. When users click on one of these elements, they open the gates to malware downloads or even hand over sensitive information, which the attacker can then use to perform illegal money transfers and theft.

To put it simply, clickjacking attacks users' interactive "clicks" via concealed or transparent layers. These layers are typically placed over attack vectors such as hyperlinks and buttons.

Clickjacking attacks have a few variations, such as:

Likejacking: With likejacking, a Facebook "Like" button is tampered with, causing users to "like" a page or a post that they never intended to like. The most common uses of likejacking are identity theft and the distribution of viruses, hoaxes, and social spam.

Cursorjacking: A UI redressing method that deceives users with a custom cursor image, displaying the pointer with an offset. The displayed pointer is slightly shifted from the real pointer position, so the user clicks something other than what they see. Cursorjacking mostly relies on vulnerabilities in various browsers.

The potential risks from clickjacking qualify it as a common risk issue for apps that handle sensitive data, because of its delivery method. This particular vulnerability requires an element of social engineering, as victims have to interact with the page voluntarily.

The risk may be rated medium, but the impact is very high, especially when private information like bank credentials is at stake.

The most popular reason for clickjacking is to take control of sensitive data or download malware onto the victim's computer. Clickjacking is also used to publish posts, give likes or follow a page on a social network without the user's knowledge.

Clickjacking Mitigation

How do you, as a user, protect yourself from a clickjacking attack?

Besides following best practices like keeping apps and plug-ins updated, installing browser plug-ins and extensions such as ad blockers and NoScript can help protect against clickjacking attacks by pre-emptively recognizing and removing threats before the site loads entirely.

If you are a developer, you can prevent clickjacking by making use of the Content Security Policy (CSP) standard. All modern browsers support CSP, which lets you control what content the browser is allowed to load and approve the sources of that content, including which origins may frame your pages.

Similar to a CSRF nonce, a unique URL per request can be employed so that attackers cannot deliver the attack URL with ease.

A CAPTCHA is used to prevent attackers from spamming a web form; it can similarly be used as an additional layer of verification on each transaction.

Vulnerability scanners and website security scanners can also be employed for malware scanning and to help prevent a clickjacking attack.

Other less popular but somewhat useful ways to defend against clickjacking:

Client-side methods: The most common method is frame busting. Client-side efforts are sometimes effective but are not considered best practice because they are themselves vulnerable and can be easily bypassed.
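For reference, this is what the classic frame-busting check looks like. It is an added example, not code from the original post; it takes the window object as a parameter (isFramed and bustFrame are illustrative names) so that the logic can also be exercised outside a browser, and in a real page you would call bustFrame(window) from an inline script at the top of the document.

```javascript
// Added example: legacy client-side frame busting.
// `win` plays the role of `window`; in a browser pass the real window.

// A page is framed when the top-level browsing context is not itself.
function isFramed(win) {
  return win.top !== win.self;
}

// If framed, navigate the top-level window to our own URL so the user
// sees the genuine page instead of an overlay. Returns true when it acted.
function bustFrame(win) {
  if (!isFramed(win)) {
    return false; // already the top-level document, nothing to do
  }
  win.top.location = win.self.location;
  return true;
}

// Browser entry point: run immediately when loaded in a real document.
if (typeof window !== 'undefined') {
  bustFrame(window);
}
```

The weakness the post alludes to is structural: the script runs inside the attacker's page, which decides whether the frame may run script or navigate its parent at all (for instance through the iframe sandbox attribute), and several browsers block a cross-origin frame from navigating the top window without a user gesture. Treat this as defence in depth behind the server-side headers, never as the only control.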

Server-side methods: The most common practice is the X-Frame-Options header. Server-side methods are highly secure; hence, they are the approach most recommended by security experts as an effective way to defend against clickjacking attacks.