Browse Definitions :
Definition

clickjacking (user-interface or UI redressing and IFRAME overlay)

Clickjacking (also known as user-interface or UI redressing and IFRAME overlay) is an exploit in which malicious coding is hidden beneath apparently legitimate buttons or other clickable content on a website.

Here's one example, among many possible scenarios: A visitor to a site thinks he is clicking on a button to close a window; instead, the action of clicking the “X” button prompts the computer to download a Trojan horse, transfer money from a bank account or turn on the computer’s built-in microphone or webcam. The host website may be a legitimate site that's been hacked or a spoofed version of some well-known site. The attacker tricks users into visiting the site through links online or in email messages.

Researchers Jeremiah Grossman and Robert Hansen discovered the vulnerability. Here's how they describe the issue:

Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. […] Say you have a home wireless router that you had authenticated prior to going to a web site. [The malicious coding] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules.

The issue is said to result from an integral flaw in browser software and affects Internet Explorer (IE), Firefox, Safari and Opera. In fact, only non-GUI browsers, such as Lynx, are protected, simply because there is nothing in the interface that's clickable.

According to Hansen, there are multiple variants of clickjacking: "Some of it requires cross domain access, some doesn’t. Some overlay entire pages over a page, some use iframes to get you to click on one spot. Some require JavaScript, some don’t.”

Facebook is a common venue for clickjacking, where it often takes the form of likejacking. One example involves a status update: "OMG This GUY Went A Little To Far WITH His Revenge On His EX Girlfriend." Users who click the link are presented with a fake CAPTCHA, which actually links to the Facebook "Like" and "Share" buttons. When the user responds, the bogus status update posts to his Facebook page, along with a notice that he liked the video. On Facebook, most clickjacking exploits are conducted to collect user information and disseminate spam, although phishing attacks have been reported.

In his Security Corner blog, Ken Harthun advises: "For now, everyone should immediately disable scripting and iframes in whatever browser they’re using. Firefox users should install NoScript and set the “Plugins | Forbid iframe” option... I also recommend that everyone review US-CERT’s article 'Securing Your Web Browser' to insure maximum protection against this and other security risks."

This was last updated in September 2015

Continue Reading About clickjacking (user-interface or UI redressing and IFRAME overlay)

SearchCompliance
  • OPSEC (operations security)

    OPSEC (operations security) is a security and risk management process and strategy that classifies information, then determines ...

  • smart contract

    A smart contract is a decentralized application that executes business logic in response to events.

  • compliance risk

    Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss, resulting ...

SearchSecurity
  • DOS (disk operating system)

    A DOS, or disk operating system, is an operating system that runs from a disk drive. The term can also refer to a particular ...

  • private key

    A private key, also known as a secret key, is a variable in cryptography that is used with an algorithm to encrypt and decrypt ...

  • security token

    A security token is a physical or digital device that provides two-factor authentication for a user to prove their identity in a ...

SearchHealthIT
SearchDisasterRecovery
  • What is risk mitigation?

    Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a business.

  • change control

    Change control is a systematic approach to managing all changes made to a product or system.

  • disaster recovery (DR)

    Disaster recovery (DR) is an organization's ability to respond to and recover from an event that affects business operations.

SearchStorage
  • What is RAID 6?

    RAID 6, also known as double-parity RAID, uses two parity stripes on each disk. It allows for two disk failures within the RAID ...

  • PCIe SSD (PCIe solid-state drive)

    A PCIe SSD (PCIe solid-state drive) is a high-speed expansion card that attaches a computer to its peripherals.

  • VRAM (video RAM)

    VRAM (video RAM) refers to any type of random access memory (RAM) specifically used to store image data for a computer display.

Close