Clickjacking: Classification, Origin & Prevention Techniques
Clickjacking is a malicious hacking technique, also known as a “UI redress attack” which prompts a user into clicking something that isn’t what it actually seems or perceived. It can be a redirection link or perhaps a misleading URL which takes users to another application, domain or both.
Such an action from a user also reveals confidential information to the hacker or attacker, allowing them to illegally seize control of the user’s system. With many different cybercrimes already taking their toll on the web, let’s have a look at clickjacking, its types and prevention methods.
If your business deals with web development for instance, the details below will surely help you out!
Classification of Clickjacking
Listed below are common types of clickjacking and how they attack:
- Classic: It mostly works via common web browser
- Likejacking: It camouflages various Facebook platform capabilities to trick users
- Nested: It’s designed specifically to affect Google+
- Cursorjacking: It manipulates the appearance and location of the cursor on the computer or when browsing online.
- MouseJacking: It takes illegal control or is injected to the keyboard and/or mouse through a remote RF link.
- Browserless: As the name says, it works without using a browser
- Cookiejacking: It works by acquiring cookies and cookie data from various browsers
- Filejacking: It further sets up or turns the affected device into a file server
- Password Manager Attack: A types of clickjacking that targets vulnerability in the browsers’ autofill capability
History & Origin
Back in 2002, it was discovered that loading a transparent layer on a webpage triggers or impacted by the user’s input unwillingly or noticing. Such a thing was ignored back then until 2008 when Robert Hansen and Jeremiah Grossman found out that Adobe Flash Player was vulnerable to clickjacking that allows an attacker to illegally gain access to a user’s system without letting them know.
The term “clickjacking,” was then coined by both the originators who identified the malware. More attacks of similar nature surfaced which further modernized the term into “UI redressing” which also classified the attack into many different categories based on the way it tricks users and attacks.
Clickjacking Common Examples
Money Transfer Fraud
In this particular type of UI redress attack, hackers trick users into clicking a link to a malicious page which transfers money from the bank account. Provided below is a brief to how it actually works:
The user is presented with a harmless website or a page link that can even be loaded from an email link offering something lucrative and irresistible such as a free gift, a vacation deal and so on. In real, these are actually funds transfer confirmation link(s) disguised under a web application layer hence it’s also known as “UI redress”. While the money transfer takes place, users are further redirected to more free gifts or likewise page links or simply make them share more confidential information.
Webcam & Microphone Activation
This particular type of clickjacking attack is triggered by invisibly loading Adobe Flash Player settings of a user’s system on another link. On clicking, the plug-in settings give attackers illegal access to the microphone and webcam of a user.
Prevention & Mitigation Techniques
There are two layers of prevention from clickjacking attacks. These are subdivided into various types. Provided below are relevant details:
1- Client-Side
- NoScript
A NoScript add-on with ClearClick feature can be added to the desktop and mobile browser version of Mozilla Firefox which prevents users from clicking redressed page elements.
- NoClickjack
This particular browser extension offers client-side protection for users of Microsoft Edge, Firefox, Google Chrome and Opera without interrupting the iFrames operations.
- GuardedID
It’s a commercial product to add client-side protection for Internet Explorer users. It comes with an add-on feature of NoClickjack that multiplies the security to Google Chrome, Mozilla Firefox, Opera and Microsoft Edge browsers.
- Gazelle
A research project helmed by Microsoft; Gazelle is to secure users of Internet Explorer from clickjacking.
- Intersection Observer V2
The concept of tracking “visibility” just as a human would perceive allows all redressed or camouflaged links to appear in their default form thus preventing users from falling victim to the trick.
2- Server-Side
- Framekiller
Website owners can protect users against frame-based clickjacking through introducing a framekiller which prevents unwanted JavaScript snippets from loading on the pages that, on happening can trigger clickjacking.
- X-Frame-Options
Back in 2009, the coming of Internet Explorer 8 offered a new HTTP header X-Frame-Options that partially protected users against clickjacking and was eventually adopted by other browsers like Safari, Google Chrome, Firefox and Opera. On activation, framing from only particular websites was allowed which prevented clickjacking attacks. In 2013, the X-Frame-Options header was officially released however not as per the Internet standards, offering only valuable information.
- Content Security Policy
Content Security Policy version 1.1 enables users to allow or disallow content embedding through frame-ancestors which protects potentially hostile pages from attacking. The frame-ancestors policy must be preferred by browsers to prevent clickjacking attacks; however, there’re still some popular browsers that deny the content policy.
Check Website’s Vulnerability with Clickjacking Test
You can even check a website’s vulnerability to clickjacking by creating an HTML page and add a sensitive page from the existing website in an iFrame. Do note that execution of the test code must be done on another web server.
Make sure your website is protected from all sorts of clickjacking and other such attacks for better customer experience.
