
What is Clickjacking?


0

Clickjacking is a malicious software form that can seemingly take control of the links that an Internet browser displays for various Web pages. Once that takes place, and once a user tries to click on that link, the user is taken to a site that is unintended. In some cases, the user may be able to recognize this immediately; in other cases, the user may be totally unaware of what took place. Clickjacking occurs when a malicious program is embedded into a Web site. This program hovers under the user’s mouse, according to Jeremiah Grossman, a security researcher dealing with Internet issues. Once the user clicks, usually on a link but it can be anywhere on the page, a new Web site may appear or software may be downloaded and clickjacking has occurred. The possibilities for how clickjacking software could be abused are endless. There are a number of things that have major Web sites and companies especially alarmed. First is the fact the program can run on virtually any Web site without the

0

Petko D. Petkov (a.k.a. pdp) explains how clickjacking attacks can hijack your mouse clicks in an attempt to trick you into giving away control of your privacy, your computer system, and possibly even your bank account.

0

Good question. Getting to an answer, though, is a little tough, since Hansen and Grossman are keeping virtually all details confidential, at least for now.

0

Clickjacking (also known as user-interface or UI redressing and IFRAME overlay) is an exploit in which malicious coding is hidden beneath apparently legitimate buttons or other clickable content on a website. Here’s one example, among many possible scenarios: A visitor to a site thinks he is clicking on a button to close a window; instead, the action of clicking the “X” button prompts the computer to download a Trojan horse, transfer money from a bank account or turn on the computer’s built-in microphone. The host website may be a legitimate site that’s been hacked or a spoofed version of some well-known site. The attacker tricks users into visiting the site through links online or in email messages. Researchers Jeremiah Grossman and Robert Hansen discovered the vulnerability. Here’s how they describe the issue: Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners,

0

How does it work?

Grossman: Think of any button — image, link, form, etc. — on any website, internal or external, that you can get to appear between the Web browser walls. This includes wire transfer on banks, DSL router buttons, Digg buttons, CPC advertising banners, and Netflix queues. Next consider that an attacker can invisibly hover these buttons below the user’s mouse, so that when a user clicks on something they visually see, they’re actually clicking on something the attacker wants them to. Now, what could the bad guy do with that ability? The potential is limitless. The more we researched, the worse the exploits became. Several different flaws exposed themselves, making a once underestimated attack technique extremely scary.

Is this a problem that you and Robert discovered? Or has it been known before this? How did you come to focus on this issue?

Grossman: Robert and I discovered the clickjacking attack technique for ourselves around a year and a half ago. Recently we’ve be
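
A defensive check that follows from the overlay technique described in the answers above, as an added example that is not part of the original page or of any answer on it: a button can only be hovered invisibly under the mouse if its page lets other sites frame it, so this JavaScript (Node.js) function classifies a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers. The function names, sample hosts and header sets are constructed for illustration.

```javascript
// Added example (not from the original page). Classifies who may frame a
// response, based on its standard anti-framing headers.
const RANK = ['deny', 'same-origin', 'allow-list', 'any-origin']; // strict -> lax

function classifyFrameAncestors(sources) {
  const list = sources.map((s) => s.toLowerCase());
  // An empty source list matches nothing, which is the same as 'none'.
  if (list.length === 0 || list.every((s) => s === "'none'")) return 'deny';
  if (list.every((s) => s === "'self'")) return 'same-origin';
  if (list.includes('*')) return 'any-origin';
  return 'allow-list';
}

function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // An enforced CSP frame-ancestors directive supersedes X-Frame-Options.
  const verdicts = [];
  for (const policy of (h['content-security-policy'] || '').split(',')) {
    const directive = policy.split(';').map((d) => d.trim().split(/\s+/))
      .find(([name]) => name.toLowerCase() === 'frame-ancestors');
    if (directive) verdicts.push(classifyFrameAncestors(directive.slice(1)));
  }
  if (verdicts.length > 0) {
    // Every policy must allow the embedder; report the strictest as a summary.
    verdicts.sort((a, b) => RANK.indexOf(a) - RANK.indexOf(b));
    return { framing: verdicts[0], source: 'content-security-policy' };
  }

  // Assumes a single X-Frame-Options value. ALLOW-FROM is obsolete and
  // ignored by current browsers, so it counts as no protection.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return { framing: 'deny', source: 'x-frame-options' };
  if (xfo === 'SAMEORIGIN') return { framing: 'same-origin', source: 'x-frame-options' };
  return { framing: 'any-origin', source: xfo ? 'x-frame-options (ineffective)' : 'none' };
}

// Constructed sample responses (hypothetical pages, not real captures).
const samples = {
  transferForm: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'", 'X-Frame-Options': 'SAMEORIGIN' },
  partnerWidget: { 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
  legacyPage: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  reportOnly: { 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" },
};
for (const [name, hdrs] of Object.entries(samples)) {
  console.log(name, framingPolicy(hdrs));
}
```

A result of `any-origin` on a page with state-changing buttons (the wire-transfer and router examples above) means nothing in the response stops another site from framing it.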
