Browse Definitions:
Definition

clickjacking (user-interface or UI redressing and IFRAME overlay)

This definition is part of our Essential Guide: Want satisfaction guaranteed? Add user experience to the design process

Clickjacking (also known as user-interface or UI redressing and IFRAME overlay) is an exploit in which malicious coding is hidden beneath apparently legitimate buttons or other clickable content on a website.

Here's one example, among many possible scenarios: A visitor to a site thinks he is clicking on a button to close a window; instead, the action of clicking the “X” button prompts the computer to download a Trojan horse, transfer money from a bank account or turn on the computer’s built-in microphone or webcam. The host website may be a legitimate site that's been hacked or a spoofed version of some well-known site. The attacker tricks users into visiting the site through links online or in email messages.

Researchers Jeremiah Grossman and Robert Hansen discovered the vulnerability. Here's how they describe the issue:

Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. […] Say you have a home wireless router that you had authenticated prior to going to a web site. [The malicious coding] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules.

The issue is said to result from an integral flaw in browser software and affects Internet Explorer (IE), Firefox, Safari and Opera. In fact, only non-GUI browsers, such as Lynx, are protected, simply because there is nothing in the interface that's clickable.

According to Hansen, there are multiple variants of clickjacking: "Some of it requires cross domain access, some doesn’t. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don’t.”

Facebook is a common venue for clickjacking, where it often takes the form of likejacking. One example involves a status update: "OMG This GUY Went A Little To Far WITH His Revenge On His EX Girlfriend." Users who click the link are presented with a fake CAPTCHA, which actually links to the Facebook "Like" and "Share" buttons. When the user responds, the bogus status update posts to his Facebook page, along with a notice that he liked the video. On Facebook, most clickjacking exploits are conducted to collect user information and disseminate spam, although phishing attacks have been reported.

In his Security Corner blog, Ken Harthun advises: "For now, everyone should immediately disable scripting and iframes in whatever browser they’re using. Firefox users should install NoScript and set the “Plugins | Forbid iframe” option... I also recommend that everyone review US-CERT’s article 'Securing Your Web Browser' to insure maximum protection against this and other security risks."

This was last updated in September 2015

Continue Reading About clickjacking (user-interface or UI redressing and IFRAME overlay)

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Security people always are harping on disable this or that. Sound good, but if you disable everything they want you to, forget about using the Internet.
Cancel

-ADS BY GOOGLE

File Extensions and File Formats

Powered by:

SearchCompliance

  • cyborg anthropologist

    A cyborg anthropologist is an individual who studies the interaction between humans and technology, observing how technology can ...

  • RegTech

    RegTech, or regulatory technology, is a term used to describe technology that is used to help streamline the process of ...

  • conduct risk

    Conduct risk is the prospect of financial loss to an organization that is caused by the actions of an organization's ...

SearchSecurity

  • application whitelisting

    Application whitelisting is the practice of identifying applications that have been deemed safe for execution and restricting all...

  • security

    Security, in information technology (IT), is the defense of digital information and IT assets against internal and external, ...

  • insider threat

    An insider threat is a malicious hacker (also called a cracker or a black hat) who is an employee or officer of a business, ...

SearchHealthIT

  • HIPAA Privacy Rule

    The Standards for Privacy of Individually Identifiable Health Information, commonly known as the HIPAA Privacy Rule, establishes ...

  • HIPAA business associate agreement (BAA)

    Under the U.S. Health Insurance Portability and Accountability Act of 1996, a HIPAA business associate agreement (BAA) is a ...

  • telemedicine

    Telemedicine is the remote delivery of healthcare services, such as health assessments or consultations, over the ...

SearchDisasterRecovery

  • data recovery

    Data recovery restores data that has been lost, accidentally deleted, corrupted or made inaccessible. Learn how data recovery ...

  • disaster recovery plan (DRP)

    A company's disaster recovery policy is enhanced with a documented DR plan that formulates strategies, and outlines preparation ...

  • fault-tolerant

    Systems with integrated fault tolerance are designed to withstand multiple hardware failures to ensure continuous availability.

SearchStorage

  • data deduplication

    Deduplication retains one unique data instance to reduce storage and bandwidth consumed by remote backups, replication and ...

  • byte

    In most computer systems, a byte is a unit of data that is eight binary digits long. Bytes are often used to represent a ...

  • Secure Digital card (SD card)

    SD cards use flash memory to provide nonvolatile storage. They are more rugged than traditional storage media and are used in ...

SearchSolidStateStorage

  • flash file system

    Flash file systems are designed specifically for memory devices. A well-designed flash device and flash file system ensure ...

  • IOPS (input/output operations per second)

    IOPS measures the maximum number of reads and writes to non-contiguous storage. It is not an actual benchmark since vendor ...

  • eMMC (embedded MultiMediaCard)

    An embedded MultiMediaCard (eMMC) is a small storage device made up of NAND flash memory and a simple storage controller.

SearchCloudStorage

  • RESTful API

    A RESTful application program interface breaks down a transaction to create a series of small modules, each of which addresses an...

  • cloud storage infrastructure

    Cloud storage infrastructure is the hardware and software framework that supports the computing requirements of a private or ...

  • Zadara VPSA and ZIOS

    Zadara Storage provides block, file or object storage with varying levels of compute and capacity through its ZIOS and VPSA ...

Close