Saturday, October 15, 2011

Click Jacking or clickjacking

It is said that a single picture is worth a thousand words. Similarly, going through a demonstration of click jacking before actually explaining it should make the idea clearer. This simple demonstration (created by Tyler John Weiss) will give you a feel of what this is about.

EricLaw's IEInternals Blog also has some nice demos (use IE).

The explanation is simple: you have two web pages, one laid over the other. The top page is invisible and the bottom one is visible. When you click a button on the bottom (visible) page, you may actually be clicking a control on the top (invisible) page, which is the unintended action. So what are the dangers posed by click jacking?
1.   Stealing personal data, bank account information, credit card information and other sensitive data.
2.   Downloading and installing applications without the user's knowledge. These can be viruses, spyware or adware.
3.   Forcing the unsuspecting user to click on ads and opinion polls.
A few months back click jacking was not considered a big threat, but you never know what is in store for the future, as we are seeing more of these attacks. "Click Jacking" is also used as a vector for CSRF (Cross Site Request Forgery).

Latest Incidents
You catch the latest FACEBOOK attack using Click jacking on

Advice for Internet Users
1.   Do not click/follow links in forums/blogs/email/websites unless you are sure of what you are doing.
2.   Consider using the NoScript add-on for Firefox.
3.   Disable iframes if possible.
4.   Install a user-scripting plugin and use scripts like the following, which removes every iframe from the page once it has loaded:
                          // Collect all iframes on the page (a live HTMLCollection)
                          var all = document.getElementsByTagName('iframe'), l = all.length;
                          // Walk backwards so removing an element does not shift the indexes still to be visited
                          while (l--) all[l].parentNode.removeChild(all[l]);

Technical Analysis
Clickjacking attacks use malicious iframes inserted into a web page to trick and hijack a user's actions. The server-side solutions include
1.    Frame busting code. A good paper on this is available at
2.   Using the new X-Frame-Options response header, introduced in Microsoft's IE 8 and supported in the latest versions of most browsers.
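Both server-side defenses listed above, worked through as an added JavaScript example (runnable under Node.js, without a browser). This is my own illustration, not code from the post or from the paper it refers to. It goes a little beyond the post in two ways: the frame-busting script uses the hide-then-reveal form (the document starts hidden and is only shown once it confirms it is the top window), and the header check also recognises the Content-Security-Policy frame-ancestors directive, which browsers later standardised alongside X-Frame-Options. The helper names (frameBusterDecision, framingVerdict, setAntiFramingHeaders, makeFakeResponse) and the sample header sets are assumptions I made for the example.

```javascript
// Added example (not from the original post): server-side anti-clickjacking
// defenses, written so the decision logic can be exercised in Node.js.

// --- Defense 1: frame busting -------------------------------------------
// Browser code would read: if (self === top) show the page, else break out.
// The window-like object is injected here so the decision is testable.
function frameBusterDecision(win) {
  if (win.self === win.top) {
    // Not framed: safe to reveal the (initially hidden) document.
    return { reveal: true, redirectTo: null };
  }
  // Framed by another document: navigate the top window to our own URL.
  return { reveal: false, redirectTo: win.self.location };
}

// The inline markup a server embeds at the top of each HTML response.
// Hiding <html> first means the content is not clickable even if the
// script itself is blocked or fails to run.
const FRAME_BUSTER_SNIPPET =
  '<style>html{display:none;}</style>' +
  '<script>if(self===top){document.documentElement.style.display="block";}' +
  'else{top.location=self.location;}</script>';

// --- Defense 2: X-Frame-Options (and its CSP successor) -----------------
// Classify a set of response headers, e.g. as captured from `curl -I`.
// Returns "denied", "same-origin", "allow-listed" or "unprotected".
function framingVerdict(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // CSP frame-ancestors takes precedence in browsers that support it.
  const csp = h['content-security-policy'];
  if (csp) {
    const m = csp.match(/frame-ancestors\s+([^;]+)/i);
    if (m) {
      const sources = m[1].trim().toLowerCase();
      if (sources === "'none'") return 'denied';
      if (sources === "'self'") return 'same-origin';
      return 'allow-listed';
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'denied';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  if (xfo.startsWith('ALLOW-FROM')) return 'allow-listed'; // legacy form
  return 'unprotected';
}

// Apply the hardened headers to anything with a setHeader method
// (an http.ServerResponse in Node, or the fake below). policy is
// 'DENY' or 'SAMEORIGIN'.
function setAntiFramingHeaders(res, policy = 'DENY') {
  res.setHeader('X-Frame-Options', policy);
  res.setHeader(
    'Content-Security-Policy',
    policy === 'DENY' ? "frame-ancestors 'none'" : "frame-ancestors 'self'"
  );
  return res;
}

// Minimal stand-in for an HTTP response object, so the example runs offline.
function makeFakeResponse() {
  const headers = {};
  return { headers, setHeader(name, value) { headers[name] = value; } };
}

// Constructed sample header sets (not real captures).
const SAMPLES = {
  weak:   { 'Content-Type': 'text/html' },
  xfo:    { 'x-frame-options': 'sameorigin' },
  strong: {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
  },
};

// Demo output when run directly with `node`.
for (const [name, hdrs] of Object.entries(SAMPLES)) {
  console.log(name.padEnd(7), '->', framingVerdict(hdrs));
}
const hardened = setAntiFramingHeaders(makeFakeResponse());
console.log('hardened ->', framingVerdict(hardened.headers));

const bankWindow = { location: 'https://bank.example/transfer' };
const attackerWindow = { location: 'https://attacker.example/' };
console.log('top-level:', frameBusterDecision({ self: bankWindow, top: bankWindow }));
console.log('framed   :', frameBusterDecision({ self: bankWindow, top: attackerWindow }));
console.log(FRAME_BUSTER_SNIPPET);
```

The header-based defense should be the primary one: frame-busting scripts can be circumvented in some browsers (the paper the post refers to catalogues several ways), so the script is best treated as a fallback for clients that ignore the header.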
