Browse Definitions:
Definition

clickjacking (user-interface or UI redressing and IFRAME overlay)

This definition is part of our Essential Guide: Want satisfaction guaranteed? Add user experience to the design process

Clickjacking (also known as user-interface or UI redressing and IFRAME overlay) is an exploit in which malicious coding is hidden beneath apparently legitimate buttons or other clickable content on a website.

Here's one example, among many possible scenarios: A visitor to a site thinks he is clicking on a button to close a window; instead, the action of clicking the “X” button prompts the computer to download a Trojan horse, transfer money from a bank account or turn on the computer’s built-in microphone or webcam. The host website may be a legitimate site that's been hacked or a spoofed version of some well-known site. The attacker tricks users into visiting the site through links online or in email messages.

Researchers Jeremiah Grossman and Robert Hansen discovered the vulnerability. Here's how they describe the issue:

Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. […] Say you have a home wireless router that you had authenticated prior to going to a web site. [The malicious coding] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules.

The issue is said to result from an integral flaw in browser software and affects Internet Explorer (IE), Firefox, Safari and Opera. In fact, only non-GUI browsers, such as Lynx, are protected, simply because there is nothing in the interface that's clickable.

According to Hansen, there are multiple variants of clickjacking: "Some of it requires cross domain access, some doesn’t. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don’t.”

Facebook is a common venue for clickjacking, where it often takes the form of likejacking. One example involves a status update: "OMG This GUY Went A Little To Far WITH His Revenge On His EX Girlfriend." Users who click the link are presented with a fake CAPTCHA, which actually links to the Facebook "Like" and "Share" buttons. When the user responds, the bogus status update posts to his Facebook page, along with a notice that he liked the video. On Facebook, most clickjacking exploits are conducted to collect user information and disseminate spam, although phishing attacks have been reported.

In his Security Corner blog, Ken Harthun advises: "For now, everyone should immediately disable scripting and iframes in whatever browser they’re using. Firefox users should install NoScript and set the “Plugins | Forbid iframe” option... I also recommend that everyone review US-CERT’s article 'Securing Your Web Browser' to insure maximum protection against this and other security risks."

This was last updated in September 2015

Continue Reading About clickjacking (user-interface or UI redressing and IFRAME overlay)

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Security people always are harping on disable this or that. Sound good, but if you disable everything they want you to, forget about using the Internet.
Cancel

-ADS BY GOOGLE

File Extensions and File Formats

Powered by:

SearchCompliance

SearchSecurity

  • password

    A password is an unspaced sequence of characters used to determine that a computer user requesting access to a computer system is...

  • adware

    Adware is any software application in which advertising banners are displayed while a program is running.

  • botnet

    A botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and internet of things ...

SearchHealthIT

SearchDisasterRecovery

  • call tree

    A call tree -- sometimes referred to as a phone tree -- is a telecommunications chain for notifying specific individuals of an ...

  • mass notification system (MNS)

    A mass notification system is a platform that sends one-way messages to inform employees and the public of an emergency.

  • disaster recovery as a service (DRaaS)

    One approach to a strong disaster recovery plan is DRaaS, where companies offload data replication and restoration ...

SearchStorage

  • compact disc (CD)

    A compact disc is a portable storage medium that can be used for recording, storing and playing back audio, video and other data ...

  • secondary storage

    Secondary storage is used to protect inactive data written from a primary storage array to a nonvolatile tier of disk, flash or ...

  • VRAM (video ram)

    VRAM (video RAM) is a reference to any type of random access memory (RAM) used to store image data for a computer display.

SearchSolidStateStorage

  • SSD RAID (solid-state drive RAID)

    SSD RAID (solid-state drive RAID) is a methodology commonly used to protect data by distributing redundant data blocks across ...

  • Tier 0

    Tier 0 (tier zero) is a level of data storage that is faster, and perhaps more expensive, than any other level in the storage ...

  • PCIe SSD (PCIe solid-state drive)

    A PCIe SSD (PCIe solid-state drive) is a high-speed expansion card that attaches a computer to its peripherals.

SearchCloudStorage

  • RESTful API

    A RESTful application program interface breaks down a transaction to create a series of small modules, each of which addresses an...

  • cloud storage infrastructure

    Cloud storage infrastructure is the hardware and software framework that supports the computing requirements of a private or ...

  • Zadara VPSA and ZIOS

    Zadara Storage provides block, file or object storage with varying levels of compute and capacity through its ZIOS and VPSA ...

Close