您的 IP 地址: 未知 · 您当前的状态: 受保护未受保护的未知

NordVPN

在线安全性和私密性

NordPass

密码管理

NordPass Business

企业密码安全整体方案

NordLocker

云存储加密

博客 In Depth

What is clickjacking: A simple explanation

Imagine you’re on a website that’s offering you a free trip to your dream holiday destination. All you need to do is fill in your details and click ‘Book now.’ You do. However, instead of a trip of a lifetime, you see that a lump sum of money has been charged from your bank account. You’ve just become the victim of clickjacking.

Emily Green

Emily Green

Feb 12, 2020 · 3 min read

facebook Facebook
twitter Twitter
Copy link Copy link
What is clickjacking: A simple explanation

What is clickjacking?

Clickjacking, also known as a UI redress attack, is a common hacking technique in which an attacker creates an invisible page or an HTML element that overlays the legitimate page. It’s meant to trick you into clicking on a particular button or an element on that page. In clickjacking, you may think that you’re clicking on a legitimate button, but you’re actually clicking on a transparent overlay. This transparent element might:

  • Secretly download malware on your device;
  • Direct you to a malicious website;
  • Harvest your login credentials;
  • Spread worms on social media;
  • Pay for something you didn’t intend to buy;
  • Activate your webcam and/or microphone.

Clickjacking variations

Clickjacking attacks also have a few variations:

  • Likejacking – a technique used to manipulate the Facebook Like button. When it’s clickjacked, you “Like” pages you didn’t intend to.
  • Cursorjacking – a technique used to manipulate your cursor. It changes its position from where you perceive it to be somewhere else. This technique is mostly used to exploit vulnerabilities found in Adobe Flash and Firefox. However, these have now been fixed.
  • Browserless – a technique that, as the name suggests, doesn’t require a browser. This method is usually used on mobile devices to hijack toast notifications.
  • Cookie jacking – in this attack, a hacker steals your browser cookies. Usually, victims are prompted to move a harmless object but in reality copy the entire content of their cookie and give it to the hacker.
  • File jacking – a technique in which a hacker tricks you into establishing an active file server connection on your web browser so they could access files on your device.

A classic clickjacking example

The attacker creates an attractive page that offers a free trip to the Maldives and makes it as enticing as possible. While you are on that page, the hacker checks whether you are also logged into your bank account. If so, an invisible iframe loads on top of the booking page. You cannot see it because it’s transparent, but it’s a bank transfer form.

Related articles
News · 2 min read Are smart toilets the future? By Paul Black · Sep 29, 2021
In Depth · 3 min read What is an attack vector? By Charles Whitmore · Feb 02, 2022

Your payment details are then automatically inserted into the form by your browser. Because you really want to get that free trip, you click on what you think is the ‘Book my trip’ button, which is actually the payment confirmation button. The money is then wired to the hacker without your knowledge. Now you may or may not be sent to a new page, or you may receive an email “confirming” your booking. However, it’s more likely you’ll be making a trip to your bank rather than the Maldives.

Clickjacking prevention

1. Server-side

Clickjacking doesn’t affect the website itself, but if you do own one, a hacker could use your content, create a lookalike website with a similar URL and use it in a clickjacking attack. Because clickjacking attacks are based on wrapping a page in an iframe and then adding invisible elements on top of it, you need to make sure that framing is disabled to protect your site. You can do so via:

  1. The X-Frame Options HTTP header can be used to determine whether the browser should allow the page to be wrapped in frame, iframe or object tags. There are three values you can choose from:
    • DENY – doesn’t let browsers display your page in a frame;
    • SAMEORIGIN – lets browsers display your page in a frame on another page but only if it’s from the current domain;
    • ALLOW-FROM *uri* – the page can be displayed in a frame, but only one from specified origins.
  2. The Content Security Policy HTTP header offers a broader range of security than X-Frame Options. It allows you to whitelist domains that are allowed to embed pages and domains from which resources such as scripts and fonts can be loaded.
  3. Frame killing is a technique that is mostly used for old browsers. All you need to do is to insert frame killing Javascript into pages that you don’t want to be included in foreign iframes. Most web pages don’t need to be embedded. Therefore, frame killing is easy to set up, and it provides a high level of protection against clickjacking.

2. Client-side

Clickjacking can be worrisome for users, but you can defend yourself by installing browser extensions. Some will prevent you from clicking on invisible or “redressed” page elements. You can try NoScript's ClearClick for Mozilla Firefox or NoClickjack if you use Chrome, Mozilla, Opera or Microsoft Edge. The latter extension will provide you protection without interfering with legitimate iFrames. Both extensions are free to use.

facebook Facebook
twitter Twitter
Copy link Copy link
Emily Green
Emily Green success Verified author
Emily Green is a content writer who loves to investigate the latest Internet privacy and security news. She thrives on looking for solutions to problems and sharing her knowledge with NordVPN readers and customers.
Next article
Next read NordVPN for iOS: release notes Elle Friberg · Feb 09, 2022

Trending articles

Trending article
How-To · 4 min read What is spyware and how can you protect yourself? Paul Black · Feb 14, 2022
Trending article
News · 5 min read How to protect yourself from the Zeus virus Malcolm Higgins · Feb 11, 2022
Trending article
Service Updates · 4 min read Cybersecurity beyond VPN: we’re launching Threat Protection Elle Friberg · Feb 09, 2022
Trending article
Service Updates · 7 min read NordVPN for iOS: release notes Elle Friberg · Feb 09, 2022