Protecting Your Users Against Clickjacking

Clickjacking attacks trick web users into performing an action they did not intend, typically by loading the target page in an invisible frame layered over a decoy element, so that a click aimed at the decoy actually lands on a button or link in the real page.

Clickjacking does not attack your site directly, but it can be used to harm your users. And only you can protect them!

Risks

Prevalence
Occasional
Exploitability
Easy
Impact
Harmful

What could a determined hacker do with a clickjacking attack?

Our example hack tricked the user into “Liking” an item on Facebook. Clickjacking has also been used in the past to:

  • Harvest login credentials, by rendering a fake login box on top of the real one.
  • Trick users into turning on their web-cam or microphone, by rendering invisible elements over the Adobe Flash Player settings page.
  • Spread worms on social media sites like Twitter and MySpace.
  • Promote online scams by tricking people into clicking on things they otherwise would not.
  • Spread malware by diverting users to malicious download links.