Contributed by: Eglė
Date: June 22, 2009
Clickjacking: Just One Click Could Prove Disastrous!

 


Everyone is probably convinced, from their own experience, that the Internet isn't really safe. Browsers are wide open to hijacking through exploits that target their vulnerabilities. One of the web-based vulnerabilities affecting browsers such as Mozilla Firefox, Internet Explorer, Google Chrome and Opera is called the Clickjacking vulnerability. Some of the files of Internet Explorer 6 may include but are not limited to the following: kerbtray.exe, kix32.exe, MSChat25.exe, NM21.EX, mspwlupd.exe, and dx5eng.exe. Although many of you have heard or read about it before, let me once again remind you of what Clickjacking is and how it influences online security.

Also known as user-interface (UI) redressing and IFrame overlay, Clickjacking is not a new vulnerability. Presently it is one of the more interesting web-based attacks against web users. The following paragraphs describe the features of Clickjacking and how it works. Although the attack does not succeed against a few techniques, removal of the exploit is reviewed at the end of this article.

In short, Clickjacking is a malicious technique that tricks web users into clicking on something that is barely or only momentarily noticeable. That is, Clickjacking tricks web users into clicking on something they didn't wish to, probably on something they are not even able to see. Targets include legitimate-looking buttons, links and other clickable content on a website. It is a threat to users' browsers, computers, and networks.

Clickjacking allows the attacker to take control of the user's clicks and use them against him/her. The attack takes the form of embedded code or script. It can be executed without the user's knowledge, for instance when the user clicks on a button that seems to perform another function.

The exploit could begin with social engineering or malware-infection tactics that infiltrate the user's system and adjust the computer's settings to malevolently send the user to web sites that may be infected. The attacker can also take advantage of Adobe Flash or JavaScript vulnerabilities to place a button or link under or over the legitimate content. This makes it very difficult for users to detect anything.

On a clickjacked page, attackers display a set of fake buttons that come in the form of a transparent layer. The attacker invisibly floats these buttons on top of innocuous-looking buttons. Users are tricked into thinking they are clicking on the visible buttons, but actually they are clicking on the invisible buttons and performing unknown actions on a hidden page. Fortunately for the attackers, there is no way of tracing such actions because the user is genuinely authenticated on the other page.

At present, the Mozilla Firefox and Google Chrome browsers haven't got any mechanism to prevent Clickjacking. But interestingly, Internet Explorer, a browser considered by many users to be less secure than its competitors, is not susceptible to this kind of attack. To protect browsers against Clickjacking, the NoScript add-on should be installed. Its ClearClick feature prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets. It works against all types of Clickjacking tactics, for instance frame-based and plugin-based. On the server side, web site owners can protect their users against UI redressing (frame-based Clickjacking) by including a Framekiller JavaScript snippet in the pages they do not want included inside frames from other sources.
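The framekiller idea mentioned above, as an added example that is not code from the original article: the page is assumed to ship hidden (`<style>html{display:none}</style>`) and is revealed only when it is the top-level document. The names `frameGuard` and `makeWindow` and the URLs are hypothetical.

```javascript
// Added example (not from the original article): framekiller logic.
// Assumption: the page ships with <style>html{display:none}</style>, so
// its content stays invisible unless this check passes.
function frameGuard(win) {
  let framed;
  try {
    // A page is framed when its own window is not the top-level window.
    framed = win.self !== win.top;
  } catch (err) {
    // If the comparison itself is blocked, assume the page is framed.
    framed = true;
  }

  if (!framed) {
    // Top-level document: reveal the content.
    win.document.documentElement.style.display = "block";
    return "shown";
  }

  try {
    // Framed: replace the enclosing page with this one.
    win.top.location = win.self.location.href;
    return "busted";
  } catch (err) {
    // Navigation refused: the content simply stays hidden.
    return "hidden";
  }
}

// Constructed window-like object for running the check outside a browser.
// The URLs are placeholders.
function makeWindow(framed, topBlocksNavigation) {
  const win = {
    location: { href: "https://site.example/account" },
    document: { documentElement: { style: { display: "none" } } },
  };
  win.self = win;
  win.top = win;
  if (framed) {
    win.top = { location: "https://other.example/game" };
    if (topBlocksNavigation) {
      Object.defineProperty(win.top, "location", {
        set() { throw new Error("navigation blocked"); },
      });
    }
  }
  return win;
}

// In a browser, run the guard as early as possible in <head>.
if (typeof window !== "undefined") frameGuard(window);
```

Because the content starts hidden, a frame that prevents the redirect still gets nothing visible to overlay.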

A step-by-step demonstration of how malicious code can be executed using IFrame-related attacks is introduced below:

 

 
