Protecting Your Users Against Clickjacking

Clickjacking attacks trick web users into performing an action they did not intend, typically by rendering an invisible page element on top of the action the user thinks they are performing.

Clickjacking won’t affect your site directly, but it could potentially affect your users. And only you can protect them!
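Because a clickjacking page works by loading the target inside a frame, the practical defence is to tell browsers who may frame your pages. The following Python is an added example, not part of the original article: it classifies a response's framing policy from the two headers browsers honour for this, X-Frame-Options and the Content-Security-Policy frame-ancestors directive, and the sample response below is constructed.

```python
from collections import defaultdict

RANK = {"none": 0, "same-origin": 1, "restricted": 2, "any": 3}

def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to the list of values seen (headers may repeat)."""
    headers = defaultdict(list)
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()].append(value.strip())
    return headers

def frame_ancestors_policy(csp: str):
    """'none' / 'same-origin' / 'restricted' for one CSP value; None if no frame-ancestors."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        sources = [t.lower() for t in tokens[1:]]
        if not sources or sources == ["'none'"]:  # an empty source list matches nothing
            return "none"
        if all(s == "'self'" for s in sources):
            return "same-origin"
        return "restricted"  # e.g. a short list of trusted partner origins
    return None

def framing_policy(headers) -> str:
    """Who may frame the page: the most restrictive enforced policy found.

    An enforced CSP frame-ancestors directive overrides X-Frame-Options in browsers
    that support it; Content-Security-Policy-Report-Only is skipped (it blocks nothing).
    """
    found = [p for p in map(frame_ancestors_policy, headers.get("content-security-policy", [])) if p]
    if found:
        return min(found, key=RANK.get)
    for value in headers.get("x-frame-options", []):
        value = value.strip().upper()
        if value == "DENY":
            return "none"
        if value == "SAMEORIGIN":
            return "same-origin"
        # ALLOW-FROM is obsolete and ignored by current browsers, so it protects nobody.
    return "any"

# Constructed sample response: only a Report-Only CSP, so X-Frame-Options decides.
SAMPLE = """HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: frame-ancestors 'none'
X-Frame-Options: SAMEORIGIN
Content-Type: text/html"""
```

A result of "any" means the page can be embedded by anyone and is a clickjacking candidate; "none" or "same-origin" is what most pages should return.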

Risks

Prevalence: Occasional
Exploitability: Easy
Impact: Harmful

What could a determined hacker do with a clickjacking attack?

Our example hack tricked the user into “Liking” an item on Facebook. Clickjacking has also been used in the past to:

  • Harvest login credentials, by rendering a fake login box on top of the real one.
  • Trick users into turning on their webcam or microphone, by rendering invisible elements over the Adobe Flash settings page.
  • Spread worms on social media sites like Twitter and MySpace.
  • Promote online scams by tricking people into clicking on things they otherwise would not.
  • Spread malware by diverting users to malicious download links.