Browse Definitions:
Definition

clickjacking (user-interface or UI redressing and IFRAME overlay)

This definition is part of our Essential Guide: Want satisfaction guaranteed? Add user experience to the design process

Clickjacking (also known as user-interface or UI redressing and IFRAME overlay) is an exploit in which malicious coding is hidden beneath apparently legitimate buttons or other clickable content on a website.

Here's one example, among many possible scenarios: A visitor to a site thinks he is clicking on a button to close a window; instead, the action of clicking the “X” button prompts the computer to download a Trojan horse, transfer money from a bank account or turn on the computer’s built-in microphone or webcam. The host website may be a legitimate site that's been hacked or a spoofed version of some well-known site. The attacker tricks users into visiting the site through links online or in email messages.

Researchers Jeremiah Grossman and Robert Hansen discovered the vulnerability. Here's how they describe the issue:

Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. […] Say you have a home wireless router that you had authenticated prior to going to a web site. [The malicious coding] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules.

The issue is said to result from an integral flaw in browser software and affects Internet Explorer (IE), Firefox, Safari and Opera. In fact, only non-GUI browsers, such as Lynx, are protected, simply because there is nothing in the interface that's clickable.

According to Hansen, there are multiple variants of clickjacking: "Some of it requires cross domain access, some doesn’t. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don’t.”

Facebook is a common venue for clickjacking, where it often takes the form of likejacking. One example involves a status update: "OMG This GUY Went A Little To Far WITH His Revenge On His EX Girlfriend." Users who click the link are presented with a fake CAPTCHA, which actually links to the Facebook "Like" and "Share" buttons. When the user responds, the bogus status update posts to his Facebook page, along with a notice that he liked the video. On Facebook, most clickjacking exploits are conducted to collect user information and disseminate spam, although phishing attacks have been reported.

In his Security Corner blog, Ken Harthun advises: "For now, everyone should immediately disable scripting and iframes in whatever browser they’re using. Firefox users should install NoScript and set the “Plugins | Forbid iframe” option... I also recommend that everyone review US-CERT’s article 'Securing Your Web Browser' to insure maximum protection against this and other security risks."

This was last updated in September 2015

Continue Reading About clickjacking (user-interface or UI redressing and IFRAME overlay)

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Security people always are harping on disable this or that. Sound good, but if you disable everything they want you to, forget about using the Internet.
Cancel

-ADS BY GOOGLE

File Extensions and File Formats

Powered by:

SearchCompliance

  • PCAOB (Public Company Accounting Oversight Board)

    The Public Company Accounting Oversight Board (PCAOB) is a Congressionally-established nonprofit that assesses audits of public ...

  • cyborg anthropologist

    A cyborg anthropologist is an individual who studies the interaction between humans and technology, observing how technology can ...

  • RegTech

    RegTech, or regulatory technology, is a term used to describe technology that is used to help streamline the process of ...

SearchSecurity

  • Advanced Encryption Standard (AES)

    The Advanced Encryption Standard, or AES, is a symmetric block cipher used by the U.S. government to protect classified ...

  • identity theft

    Identity theft, also known as identity fraud, is a crime in which an imposter obtains key pieces of personally identifiable ...

  • spear phishing

    Spear phishing is an email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to ...

SearchHealthIT

SearchDisasterRecovery

  • call tree

    A call tree -- sometimes referred to as a phone tree -- is a telecommunications chain for notifying specific individuals of an ...

  • mass notification system (MNS)

    A mass notification system is a platform that sends one-way messages to inform employees and the public of an emergency.

  • disaster recovery as a service (DRaaS)

    One approach to a strong disaster recovery plan is DRaaS, where companies offload data replication and restoration ...

SearchStorage

  • ZFS

    ZFS is a local file system and logical volume manager created by Sun Microsystems to control the placement, storage and retrieval...

  • CIFS (Common Internet File System)

    CIFS (Common Internet File System) is a protocol that gained popularity around the year 2000, as vendors worked to establish an ...

  • GlusterFS (Gluster File System)

    GlusterFS (Gluster File System) is an open source distributed file system that can scale out in building-block fashion to store ...

SearchSolidStateStorage

  • Tier 0

    Tier 0 (tier zero) is a level of data storage that is faster, and perhaps more expensive, than any other level in the storage ...

  • PCIe SSD (PCIe solid-state drive)

    A PCIe SSD (PCIe solid-state drive) is a high-speed expansion card that attaches a computer to its peripherals.

  • SSD caching

    SSD caching, also known as flash caching, is the temporary storage of data on NAND flash memory chips in a solid-state drive so ...

SearchCloudStorage

  • RESTful API

    A RESTful application program interface breaks down a transaction to create a series of small modules, each of which addresses an...

  • cloud storage infrastructure

    Cloud storage infrastructure is the hardware and software framework that supports the computing requirements of a private or ...

  • Zadara VPSA and ZIOS

    Zadara Storage provides block, file or object storage with varying levels of compute and capacity through its ZIOS and VPSA ...

Close