Clickjacking
Clickjacking (classified as a user interface redress attack or UI redressing) is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages. Clickjacking is an instance of the confused deputy problem, wherein a computer is tricked into misusing its authority (Tyler Close, "The Confused Deputy rides again!", October 2008).


History

In 2002, it had been noted that it was possible to load a transparent layer over a web page and have the user's input affect the transparent layer without the user noticing. However, this was mainly ignored as a major issue until 2008. In 2008, Jeremiah Grossman and Robert Hansen discovered that Adobe Flash Player could be clickjacked, allowing an attacker to gain access to the computer without the user's knowledge. The term "clickjacking", a portmanteau, was coined by Jeremiah Grossman and Robert Hansen (Robert Lemos, "You don't know (click)jack", October 2008). As more attacks of a similar nature were discovered, the focus of the term "UI redressing" was changed to describe the category of these attacks, rather than just clickjacking itself.


Description

One form of clickjacking takes advantage of vulnerabilities that are present in applications or web pages to allow the attacker to manipulate the user's computer for their own advantage. For example, a clickjacked page tricks a user into performing undesired actions by clicking on concealed links. On a clickjacked page, the attackers load another page over the original page in a transparent layer to trick the user into taking actions whose outcomes are not what the user expects. The unsuspecting users think that they are clicking visible buttons, while they are actually performing actions on the invisible page, clicking buttons of the page below the layer. The hidden page may be an authentic page; therefore, the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, as the users would have been genuinely authenticated on the hidden page.


Clickjacking categories

* ''Classic:'' works mostly through a web browser
* ''Likejacking:'' utilizes Facebook's social media capabilities
* ''Nested:'' clickjacking tailored to affect Google+
* ''Cursorjacking:'' manipulates the cursor's appearance and location
* ''MouseJacking:'' injects keyboard or mouse input via a remote RF link
* ''Browserless:'' does not use a browser
* ''Cookiejacking:'' acquires cookies from browsers
* ''Filejacking:'' capable of setting up the affected device as a file server
* ''Password manager attack:'' clickjacking that utilizes a vulnerability in the autofill capability of browsers


Classic

Classic clickjacking refers to a situation when an attacker uses hidden layers on web pages to manipulate the actions a user's cursor does, resulting in misleading the user about what truly is being clicked on. A user might receive an email with a link to a video about a news item, but another webpage, say a product page on Amazon, can be "hidden" on top of or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon. The hacker can only send a single click, so they rely on the fact that the visitor is both logged into Amazon.com and has 1-click ordering enabled. While technical implementation of these attacks may be challenging due to cross-browser incompatibilities, a number of tools such as BeEF or Metasploit offer almost fully automated exploitation of clients on vulnerable websites. Clickjacking may be facilitated by, or may facilitate, other web attacks, such as XSS.


Likejacking

Likejacking is a malicious technique of tricking users viewing a website into "liking" a Facebook page or other social media posts/accounts that they did not intentionally mean to "like". The term "likejacking" came from a comment posted by Corey Ballou in the article ''How to "Like" Anything on the Web (Safely)'', which is one of the first documented postings explaining the possibility of malicious activity regarding Facebook's "like" button. According to an article in ''IEEE Spectrum'', a solution to likejacking was developed at one of Facebook's hackathons. A "Like" bookmarklet is available that avoids the possibility of likejacking present in the Facebook like button.


Nested

Nested clickjacking, compared to classic clickjacking, works by embedding a malicious web frame between two frames of the original, harmless web page: that of the framed page and that which is displayed in the top window. This works due to a vulnerability in the HTTP header X-Frame-Options, in which, when this header has the value SAMEORIGIN, the web browser only checks the two aforementioned layers. The fact that additional frames can be added in between these two while remaining undetected means that attackers can use this for their benefit. In the past, with Google+ and the faulty version of X-Frame-Options, attackers were able to insert frames of their choice by using the vulnerability present in Google's Image Search engine. In between the image display frames, which were present in Google+ as well, these attacker-controlled frames were able to load without restriction, allowing the attackers to mislead whoever came upon the image display page.
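To make the flaw concrete, the following JavaScript is an added example (not code from the article, and not how any particular browser is implemented) that models how a browser evaluates anti-framing policy against a framed document's chain of ancestor windows. It contrasts the top-window-only SAMEORIGIN check described above with a check over every ancestor, which is what the CSP `frame-ancestors` directive requires. The URLs, the `social.example` / `third-party.example` hosts and the function names are all constructed for the example; CSP sources are assumed to be full origins.

```javascript
// Added example (not code from the article): a model of how a browser
// evaluates anti-framing policy against a framed document's ancestor chain.

// Reduce a URL to its origin, e.g. "https://social.example/photos?id=1"
// becomes "https://social.example".
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Flawed SAMEORIGIN evaluation: compare the framed document only with the
// top-level window, ignoring every frame in between. ancestors[0] is the
// top-level document and the last entry is the direct parent frame.
function sameOriginTopOnly(framedUrl, ancestors) {
  if (ancestors.length === 0) return true; // not framed at all
  return originOf(ancestors[0]) === originOf(framedUrl);
}

// Strict SAMEORIGIN evaluation: every ancestor must share the framed
// document's origin, so a foreign frame anywhere in the chain is refused.
function sameOriginAllAncestors(framedUrl, ancestors) {
  const o = originOf(framedUrl);
  return ancestors.every(a => originOf(a) === o);
}

// CSP frame-ancestors evaluation. `sources` is the directive's source list:
// "'none'", "'self'" or explicit origins such as "https://partner.example"
// (assumed here to be full origins). Every ancestor must match a source.
function frameAncestorsAllows(framedUrl, ancestors, sources) {
  if (sources.includes("'none'")) return ancestors.length === 0;
  const self = originOf(framedUrl);
  return ancestors.every(a => {
    const o = originOf(a);
    return sources.some(src => (src === "'self'" ? o === self : originOf(src) === o));
  });
}

// Constructed scenario: a widget from social.example framed by a third-party
// page, which is itself framed by a page on social.example (a nested chain).
const FRAMED = 'https://social.example/widget';
const NESTED_CHAIN = [
  'https://social.example/photos',        // top-level window
  'https://third-party.example/wrapper',  // foreign frame in the middle
];
const DIRECT_CHAIN = ['https://social.example/photos'];

function demo() {
  return {
    topOnlyNested: sameOriginTopOnly(FRAMED, NESTED_CHAIN),            // true: the flaw
    allAncestorsNested: sameOriginAllAncestors(FRAMED, NESTED_CHAIN),  // false
    cspNested: frameAncestorsAllows(FRAMED, NESTED_CHAIN, ["'self'"]), // false
    cspDirect: frameAncestorsAllows(FRAMED, DIRECT_CHAIN, ["'self'"]), // true
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point of `demo()` is that the same nested chain passes the top-only check and fails both ancestor-wide checks; a site that relies on `X-Frame-Options: SAMEORIGIN` alone should therefore also send a `Content-Security-Policy: frame-ancestors` directive, which browsers evaluate over the whole chain.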


Cursorjacking

CursorJacking is a UI redressing technique to change the cursor from the location the user perceives. It was discovered in 2010 by Eddy Bordi, a researcher at Vulnerability.fr; Marcus Niemietz demonstrated it with a custom cursor icon, and in 2012 Mario Heiderich did so by hiding the cursor. Jordi Chancel, a researcher at Alternativ-Testing.fr, discovered a CursorJacking vulnerability using Flash, HTML and JavaScript code in Mozilla Firefox on Mac OS X systems (fixed in Firefox 30.0) which can lead to arbitrary code execution and webcam spying. A second CursorJacking vulnerability was again discovered by Jordi Chancel in Mozilla Firefox on Mac OS X systems (fixed in Firefox 37.0), using once again Flash, HTML and JavaScript code, which can also lead to spying via a webcam and the execution of a malicious add-on, allowing the execution of malware on the affected user's computer.


MouseJack

Different from other clickjacking techniques that redress a UI, MouseJack is a wireless hardware-based UI vulnerability, first reported by Marc Newlin of Bastille.net in 2016, which allows external keyboard input to be injected into vulnerable dongles. Logitech supplied firmware patches, but other manufacturers failed to respond to this vulnerability.


Browserless

In Browserless clickjacking, attackers utilize vulnerabilities in programs to replicate classic clickjacking in them, without requiring the presence of a web browser. This method of clickjacking is mainly prevalent on mobile devices, usually Android devices, especially due to the way in which toast notifications work. Because toast notifications have a small delay between the moment the notification is requested and the moment it actually displays on-screen, attackers are capable of using that gap to create a dummy button that lies hidden underneath the notification and can still be clicked on.


CookieJacking

CookieJacking is a form of clickjacking in which cookies are stolen from the victim's web browser. This is done by tricking the user into dragging an object which seemingly appears harmless, but which in fact makes the user select the entire content of the targeted cookie. From there, the attacker can acquire the cookie and all of the data that it holds.


FileJacking

In FileJacking, attackers use the web browser's capability to navigate through the computer and access files in order to acquire personal data. This is done by tricking the user into establishing an active file server (through the file and folder selection window that browsers use). With this, attackers can access and take files from their victims' computers.


Password manager attack

A 2014 paper from researchers at Carnegie Mellon University found that while browsers refuse to autofill if the protocol on the current login page is different from the protocol at the time the password was saved, some password managers would insecurely fill in passwords for the http version of https-saved passwords. Most managers did not protect against iframe- and redirection-based attacks and exposed additional passwords where password synchronization had been used between multiple devices.
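As an added example (not from the article, and not the code of any real password manager), the following JavaScript sketches a conservative autofill policy that refuses the cases the study lists: a protocol downgrade from the https origin the credential was saved on, a login form sitting inside a cross-origin frame, and filling without an explicit user action. The `bank.example` and `third-party.example` hosts, the `autofillDecision` function and the context fields are all assumptions of the example.

```javascript
// Added example (not from the article or any real password manager): a
// conservative autofill policy for saved credentials.

// Split a URL into the two parts the policy cares about.
function parseOrigin(url) {
  const u = new URL(url);
  return { scheme: u.protocol.replace(':', ''), host: u.host };
}

// saved: { url } where the credential was originally stored.
// ctx:   { pageUrl, topUrl, userGesture } describing the login form's context:
//        pageUrl is the document containing the form, topUrl the top-level
//        window, userGesture whether the user explicitly asked to fill.
function autofillDecision(saved, ctx) {
  const s = parseOrigin(saved.url);
  const p = parseOrigin(ctx.pageUrl);
  if (p.host !== s.host) {
    return { fill: false, reason: 'host differs from saved credential' };
  }
  // The downgrade case from the study: saved over https, page served over http.
  if (s.scheme === 'https' && p.scheme !== 'https') {
    return { fill: false, reason: 'protocol downgrade (saved over https, page is http)' };
  }
  // The iframe case: the form's document is embedded by a different origin.
  const t = parseOrigin(ctx.topUrl);
  if (t.scheme !== p.scheme || t.host !== p.host) {
    return { fill: false, reason: 'login form is inside a cross-origin frame' };
  }
  // Never fill silently; a hidden or redressed form gets no credential
  // unless the user deliberately triggered the fill.
  if (!ctx.userGesture) {
    return { fill: false, reason: 'no explicit user action' };
  }
  return { fill: true, reason: 'same https origin, top-level, user-initiated' };
}

// Constructed cases exercising each branch.
const SAVED = { url: 'https://bank.example/login' };
const CASES = {
  downgrade: { pageUrl: 'http://bank.example/login',  topUrl: 'http://bank.example/login',   userGesture: true },
  framed:    { pageUrl: 'https://bank.example/login', topUrl: 'https://third-party.example/', userGesture: true },
  silent:    { pageUrl: 'https://bank.example/login', topUrl: 'https://bank.example/login',  userGesture: false },
  otherHost: { pageUrl: 'https://shop.example/login', topUrl: 'https://shop.example/login',  userGesture: true },
  normal:    { pageUrl: 'https://bank.example/login', topUrl: 'https://bank.example/login',  userGesture: true },
};

// Returns { caseName: true|false } for every constructed case.
function runCases() {
  const out = {};
  for (const [name, ctx] of Object.entries(CASES)) {
    out[name] = autofillDecision(SAVED, ctx).fill;
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runCases());
}
```

Only the `normal` case is filled; the order of the checks matters little for correctness, but putting the user-gesture check last keeps the diagnostic reason specific to the structural problem (downgrade or framing) when one exists.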


Prevention


Client-side


NoScript

Protection against clickjacking (including likejacking) can be added to Mozilla Firefox desktop and mobile versions by installing the NoScript add-on: its ClearClick feature, released on 8 October 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets. According to Google's "Browser Security Handbook" from 2008, NoScript's ClearClick is a "freely available product that offers a reasonable degree of protection" against Clickjacking. Protection from the newer cursorjacking attack was added to NoScript 2.2.8 RC1.


NoClickjack

The "NoClickjack" web browser add-on (browser extension) adds client-side clickjack protection for users of Google Chrome, Mozilla Firefox, Opera and Microsoft Edge without interfering with the operation of legitimate iFrames. NoClickjack is based on technology developed for GuardedID. The NoClickjack add-on is free of charge.


GuardedID

GuardedID (a commercial product) includes client-side clickjack protection for users of Internet Explorer without interfering with the operation of legitimate iFrames. GuardedID clickjack protection forces all frames to become visible. GuardedID teams with the add-on NoClickjack to add protection for Google Chrome, Mozilla Firefox, Opera and Microsoft Edge.


Gazelle

Gazelle is a Microsoft Research project secure web browser based on IE that uses an OS-like security model and has its own limited defenses against clickjacking. In Gazelle, a window of a different origin may only draw dynamic content over another window's screen space if the content it draws is opaque.


Intersection Observer v2

The Intersection Observer v2 API introduces the concept of tracking the actual "visibility" of a target element as a human being would define it. This allows a framed widget to detect when it's being covered. The feature is enabled by default since Google Chrome 74, released in April 2019. Chrome is the only browser to implement the API at this time.
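As an added example (not code from the article or from any browser vendor), the following shows how a framed widget can use the v2 `isVisible` flag to refuse clicks while it is covered, transformed or faded. The observer options `trackVisibility` and `delay` are the real v2 options (`delay` must be at least 100 ms when visibility tracking is on); everything else, including the `like-button` element id and the `clickAllowed` / `installGuard` names, is the example's own. The decision is factored into a pure function so the fallback for browsers that lack v2 (where `isVisible` is absent from the entry) can be exercised outside a browser.

```javascript
// Added example (not from the article): guarding a framed widget's click
// handler with Intersection Observer v2 visibility information.

// Decide whether the widget may accept a click, given an
// IntersectionObserverEntry (or a plain object with the same fields).
// `isVisible` only exists in browsers implementing v2; when it is absent
// the caller chooses whether to fail open or closed via allowWithoutV2.
function clickAllowed(entry, { allowWithoutV2 = false } = {}) {
  if (!entry.isIntersecting) return false;      // not on screen at all
  if (typeof entry.isVisible === 'boolean') {
    return entry.isVisible;                     // v2: covered/transformed/faded => false
  }
  return allowWithoutV2;                        // v1 only: no visibility signal
}

// Attach an observer to the button and block clicks while it is not
// genuinely visible. Returns a function reporting the current state.
function installGuard(button, opts = {}) {
  let allowed = false;
  const observer = new IntersectionObserver(entries => {
    // The last entry is the most recent state of the observed element.
    allowed = clickAllowed(entries[entries.length - 1], opts);
  }, { threshold: [1.0], trackVisibility: true, delay: 100 });
  observer.observe(button);
  button.addEventListener('click', ev => {
    if (!allowed) {
      ev.preventDefault();
      ev.stopImmediatePropagation();
    }
  }, true); // capture phase, so the guard runs before the widget's own handler
  return () => allowed;
}

// Browser-only wiring; skipped when run outside a browser.
if (typeof window !== 'undefined' && typeof IntersectionObserver !== 'undefined') {
  const btn = document.getElementById('like-button'); // assumed element id
  if (btn) installGuard(btn);
}
```

Failing closed by default (`allowWithoutV2: false`) means the widget is unusable in browsers without v2 support; a deployment that must work there would pass `allowWithoutV2: true` and rely on its other defences for those browsers.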


Server-side


Framekiller

Website owners can protect their users against UI redressing (frame-based clickjacking) on the server side by including a framekiller JavaScript snippet in those pages they do not want to be included inside frames from different sources. Such JavaScript-based protection is not always reliable. This is especially true on Internet Explorer, where this kind of countermeasure can be circumvented "by design" by including the targeted page inside an