Clickjacking – stopping it isn’t easy!

Clickjacking refers to stealing a user's click on a website in order to make them do something they would never intentionally do. Those who are non-technical will probably start to wonder what all this means.

Now think – JavaScript. Almost anything can be triggered with JavaScript – which isn't good news for webmasters and those of us fighting hackers and stopping fraud. Hackers know how to trigger a user click using a JavaScript event, and once that event fires, whatever the click was wired to happens. I always suggest to friends and our members that they 'disable' JavaScript in their browsers. But there is a big but….

Some additional research has found that clickjacking can work without JavaScript – so disabling JavaScript doesn't remove the exploit opportunity. Simply put – a malicious website can make the user believe they are clicking a visible element (a piece of code, a link, a banner) of the page in front of them, but the click actually lands on an element of a hidden page layered with it. Clever stuff indeed.

Stopping clickjacking isn't easy. Currently there is no fix which stops a clickjacking attack outright. Webmasters, though, can stop their website from being loaded in an iFrame* by using some simple code. The code redirects the visitor to the site itself, loaded without the surrounding iFrame.
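As an added example (not code from the original post), here is the kind of frame-busting script that paragraph refers to. The browser's window and document are passed in as parameters so the decision logic can be exercised outside a browser; the page URL and the fakeBrowser helper are constructed stand-ins for illustration.

```javascript
// Frame-busting, the "simple code" a site can ship to refuse being framed.
// The classic one-liner is `if (top != self) top.location = self.location;`.
// On its own it is weak: the framing page can cancel the outer navigation.
// The usual hardening is to hide the page by default (a <style> rule such as
// html { display: none } in <head>) and only reveal it once the check
// confirms the page is the top-level document. Wire it up in <head> with
// <script>frameBust(window, document);</script>.

function isFramed(win) {
  // A page loaded directly is its own top window; inside an iframe it is not.
  return win.self !== win.top;
}

function frameBust(win, doc) {
  if (!isFramed(win)) {
    // Top-level document: reveal the content the stylesheet hid by default.
    doc.documentElement.style.display = "block";
    return "shown";
  }
  // Framed: navigate the outer window to this page's own URL, dropping the
  // framing page entirely. The content stays hidden, so even a cancelled
  // navigation leaves nothing clickable behind an attacker's overlay.
  win.top.location = win.self.location.href;
  return "busted";
}

// Constructed stand-ins for window/document so the logic runs under Node.
// (hypothetical helper, not part of any browser API)
function fakeBrowser(framed) {
  const self = { location: { href: "https://example.org/page" } };
  const top = framed ? { location: null } : self;
  const win = { self: self, top: top };
  const doc = { documentElement: { style: { display: "none" } } };
  return { win: win, doc: doc };
}
```

Browsers that honour the X-Frame-Options response header enforce the same no-framing rule without relying on script, so pairing that header with this script as a fallback is the stronger setup.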

The major problem for users is the way browsers handle HTML and CSS (including the z-index property of the CSS style sheet), and iFrames specifically. You could use a text-based browser such as Lynx, and if you use Firefox, the 'NoScript' extension blocks embedded content from untrusted domains. Technical users will find setting up these features very easy indeed – non-techies, though, may struggle with this.

*An iFrame is an HTML element which makes it possible to embed one HTML document inside another HTML document.

Safe surfing folks!
