What is Clickjacking?

Wednesday, December 10th, 2008

Since the exposure of Clickjacking in September, a lot of effort has gone into working out the implications of this problem and potential solutions to it. There is now a great deal of information available about the problem, which was first described at http://ha.ckers.org/. You can follow the technical discussions there or through a search.

This article is not about the technical how and why of Clickjacking, but I will offer a short definition. Clickjacking is the execution of hidden code on a web page such that a user executes some action without being aware of it. JavaScript is one way that this can be achieved. To see an example of how this works without Clickjacking, take a look at the example on this page: http://www.pages.org/javascript/email_button.html. It contains a very normal button that opens up your email client and sends a message. This is common on many web sites.

Now consider the effect if that button were invisible and placed above a screen that looked ‘safe’. It could be placed as a transparent layer so that anywhere you clicked on the screen would activate a piece of JavaScript without your knowledge. That’s Clickjacking. Clickjacking can be as simple as a web page containing a transparent button that executes a download from another site. In this case the user will be unaware that the software download does not reside on the site they are visiting. This may be well intended, such as simplifying a set of tasks that would otherwise involve many more steps. However, the fact that the user is unaware of the process allows for more sophisticated diversions that can compromise security by redirecting or skimming data.
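The transparent layer described above only works when the genuine page is loaded inside another site's page, so one thing a site can do for itself is detect that it has been embedded and refuse to render its buttons. The following is an added example written for this page, not code from the original post; the window and document objects are passed in as parameters (rather than using the browser globals) so the logic can be run outside a browser, and the origins and page contents are constructed stand-ins.

```javascript
// Added example: detect whether this page has been loaded inside another page.
// In a browser you would call analyseFraming(window, window.top, ['https://www.example.com']).
function analyseFraming(selfWin, topWin, allowedAncestors) {
  // Not embedded at all: the page is the top-level document.
  if (selfWin === topWin) {
    return { framed: false, allowed: true, reason: 'top-level' };
  }
  let ancestorOrigin;
  try {
    // Reading top.location.href throws when the framing page is cross-origin,
    // so the throw itself tells us an unknown site has embedded us.
    ancestorOrigin = new URL(topWin.location.href).origin;
  } catch (e) {
    return { framed: true, allowed: false, reason: 'cross-origin ancestor' };
  }
  const allowed = allowedAncestors.includes(ancestorOrigin);
  return {
    framed: true,
    allowed,
    reason: allowed ? 'allow-listed ancestor' : 'unexpected ancestor ' + ancestorOrigin,
  };
}

// Defensive reaction: replace the page's clickable content when framing is not
// allowed, so a transparent overlay has nothing underneath it to trigger.
function protectAgainstFraming(selfWin, topWin, allowedAncestors, doc) {
  const verdict = analyseFraming(selfWin, topWin, allowedAncestors);
  if (!verdict.allowed) {
    doc.body.innerHTML = '<p>This page cannot be displayed inside another site.</p>';
  }
  return verdict;
}

// Constructed stand-in for a window object (hypothetical helper, for running
// the functions above outside a browser). A cross-origin top window is modelled
// by a location whose href throws, as a real browser does.
function fakeWindow(href, crossOrigin) {
  const location = crossOrigin
    ? { get href() { throw new Error('SecurityError'); } }
    : { href };
  return { location };
}
```

A script check like this can be defeated by a framing page that blocks or intercepts the navigation, so a response header that tells the browser not to frame the page at all (X-Frame-Options, or the CSP frame-ancestors directive) is the more reliable control.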

So what can you do about Clickjacking? The major vendors are aware of the risk and the industry is working on patches. The status at present appears to be that the issue is so complex and so fundamental to web browser functionality that a solution is some time off, which raises the question of what to do in the meantime. Faced with this, I have come to the conclusion that there are two reasonable defensive actions: 1) only use Firefox (http://www.mozilla-europe.org/en/firefox/) with the NoScript plugin installed (http://noscript.net/); 2) be extra vigilant in observing browser sessions, particularly where personal data and passwords are involved. As always, as a minimum, make sure you are confident in the sites you visit.

These two steps do not eliminate the risk. What they do is reduce the risk.