Clickjacking is a relatively new technique for tricking internet users into giving up confidential information, or into letting an attacker gain access to their computers, while they are browsing what appear to be innocent sites. Clickjacking has been in the news because Microsoft claims to have solved the problem in its new browser, though more recent reviews suggest that the protection may not be as effective as was originally hoped.

Clickjacking works by hiding code on a webpage that is activated when the user clicks a button on the page. The visible page often appears to be a trusted, or at least innocuous, site such as a computer game, but a transparent page from another site is laid over it using a technique called frames. The user believes they are interacting directly with the visible page, but is in fact clicking invisible buttons on the transparent overlay. The game's buttons are carefully positioned so that they line up exactly with the buttons on the hidden, hijacked page; as the user plays the game, they are simultaneously performing actions on that other page.

If you have your own webpage, you should add some hidden “framekiller” code to it, which stops the page from being loaded inside another site's frame and so prevents it from being hijacked by a clickjacker. This will also make it slightly harder to steal any copyrighted content that you publish online, though it may disrupt legitimate uses of frames.
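The following is an added example of such framekiller code, not code from the original post. It is written as functions that take the window object as a parameter so the logic can be exercised outside a browser; the page URLs in the comments are constructed, and the script assumes it is loaded before the rest of the page's content.

```javascript
// Added example (not from the original post): a minimal framekiller.
// The browser exposes `window.top` (the outermost window) and `window.self`
// (the window this script runs in). They are the same object unless the page
// has been loaded inside a frame, which is exactly the clickjacking setup.

// Returns true when the page is being displayed inside a frame.
function isFramed(win) {
  return win.top !== win.self;
}

// If framed, navigate the outermost window to this page's own URL so the page
// is shown on its own and any transparent overlay is discarded.
// Returns true when a break-out was attempted, false when nothing was needed.
function frameKill(win) {
  if (!isFramed(win)) {
    return false;
  }
  try {
    // Reading the top window's location is blocked across origins, but
    // assigning to it is allowed; that assignment is what breaks the page out.
    win.top.location.href = win.self.location.href;
  } catch (e) {
    // Some browsers throw here. The page stays hidden (see the CSS rule in the
    // usage note) instead of being rendered inside the attacker's frame.
  }
  return true;
}

// Only run inside a real browser; when the functions are tested under Node
// there is no global `window`, so this block is skipped.
if (typeof window !== "undefined") {
  frameKill(window);
}
```

To use it, place the script in the page's `<head>`. A framekiller that relies on JavaScript alone can be defeated by a framing page that blocks the navigation, so the usual pattern is to hide the page by default with a stylesheet rule such as `body { display: none }` and have the script remove that rule only when `isFramed(window)` is false; that way a framed copy stays invisible even if the break-out fails. Modern browsers also honour the `X-Frame-Options` response header (and the Content-Security-Policy `frame-ancestors` directive), which refuse framing before any script runs and are the more reliable defence where you control the server.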

As an internet reader, your best defense against clickjacking is to disable JavaScript. If you are a Firefox user, you can add the “NoScript” extension to your browser. NoScript lets users selectively block the scripts on each page. Because clickjacking requires scripts, the attack fails when NoScript is active. If you are an Internet Explorer user, you can control your JavaScript permissions via Tools/Internet Options, or you can upgrade to IE 8 for its built-in protection.

You can read more about clickjacking at wikipedia.org.
