The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008. The exploit is also known as UI redressing.
Clickjacking can be understood as an instance of the confused deputy problem.
Clickjacking is possible because seemingly harmless features of HTML Web pages can be employed to perform unexpected actions.
A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers show a set of dummy buttons, then load another page over it in a transparent layer. The users think that they are clicking the visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page, and therefore the attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page.
- The user receives an email with a link to a video about a news item, but another valid page, say a product page on amazon.com, can be "hidden" on top or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon.
- Other known exploits have been:
  - Tricking users into enabling their webcam and microphone through Flash (which has since been corrected by Adobe);
  - Tricking users into making their social networking profile information public;
  - Making users follow someone on Twitter;
  - Sharing links on Facebook.
Mozilla Firefox has no native protection against clickjacking. Protection against clickjacking can be added by installing the NoScript add-on: its ClearClick feature, released on 8 October 2008, prevents users from clicking on invisible or "redressed" page elements of embedded documents or applets, defeating all the types of clickjacking (i.e. frame-based and plugin-based).
Microsoft's suggested solution, which has since also been implemented in Apple's Safari and Google's Chrome Web browsers, is to check for a new HTTP response header, X-Frame-Options. This header can have two values, DENY and SAMEORIGIN, which block all framing of the page, or framing by any origin other than the page's own, respectively.
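As an added example, not code from the original article, the following Python function applies the decision a browser makes from X-Frame-Options to a few constructed sample responses (the URLs and header sets are made up). It also covers two cases the text does not spell out: a missing header and a misspelt value, which browsers ignore, so a typo gives no protection at all.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host:port, the unit SAMEORIGIN compares."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return f"{p.scheme}://{p.hostname}:{port}"


def framing_allowed(headers: dict, page_url: str, ancestor_urls: list) -> tuple:
    """Return (allowed, reason) for page_url embedded under the given frame ancestors."""
    raw = [h for k, v in headers.items() if k.lower() == "x-frame-options"
           for h in v.split(",")]
    values = {v.strip().lower() for v in raw if v.strip()}
    if not values:
        return True, "no X-Frame-Options header: any site may frame this page"
    if len(values) > 1:
        # Conflicting directives: treated as DENY, the conservative reading.
        return False, f"conflicting values {sorted(values)}: treated as DENY"
    (value,) = values
    if value == "deny":
        return False, "DENY: framing blocked for every origin"
    if value == "sameorigin":
        page = origin_of(page_url)
        # Every ancestor in the frame chain must share the page's origin.
        foreign = [a for a in ancestor_urls if origin_of(a) != page]
        if foreign:
            return False, f"SAMEORIGIN: blocked, cross-origin ancestor {foreign[0]}"
        return True, "SAMEORIGIN: allowed, all ancestors share the page's origin"
    # Unrecognised tokens are ignored by browsers, which means no protection.
    return True, f"unrecognised value {value!r} is ignored: no protection"


# Constructed sample responses for the same page: weak settings beside correct ones.
SAMPLE_RESPONSES = {
    "missing": {},
    "misspelt": {"X-Frame-Options": "SAME-ORIGIN"},  # not a valid token
    "deny": {"X-Frame-Options": "DENY"},
    "sameorigin": {"x-frame-options": "SameOrigin"},
}


def audit(page_url="https://bank.example/transfer", attacker="https://news.example/video"):
    """Map each sample response to whether attacker's page could frame page_url."""
    return {name: framing_allowed(h, page_url, [attacker])[0]
            for name, h in SAMPLE_RESPONSES.items()}
```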
Both framekillers and IE8's mitigation approach, however, require Web developers to protect vulnerable pages by modifying their content or the way they are served; and even on "protected" pages they cannot prevent plugin-based clickjacking variants, since those do not need frames. The NoScript add-on for Firefox remains the only free product providing automatic client-side protection, with no need for awareness and cooperation from the Web site authors. GuardedID (a commercial product) provides client-side clickjack protection for users of IE or Firefox without interfering with the operation of legitimate iframes.
Gazelle is a secure web browser from Microsoft Research, based on IE, that uses an OS-like security model and has its own defenses against clickjacking. In Gazelle, a window of a different origin may only draw dynamic content over another window's screen space if the content it draws is opaque.
Researchers Jeremiah Grossman and Robert Hansen discovered the vulnerability. Here's how they describe the issue:
Think of any button on any Web site, internal or external, that you can get to appear between the browser walls, wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users' mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to. Say you have a home wireless router that you had authenticated prior to going to a web site. The malicious coding could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules.
The issue is said to result from an integral flaw in browser software and affects Internet Explorer (IE), Firefox, Safari and Opera. In fact, only non-GUI browsers, such as Lynx, are protected, simply because there is nothing in the interface that's clickable.
In his Security Corner blog, Ken Harthun advises: "For now, everyone should immediately disable scripting and iframes in whatever browser they're using. Firefox users should install NoScript and set the [Plugins | Forbid iframe] option... I also recommend that everyone review US-CERT's article 'Securing Your Web Browser' to insure maximum protection against this and other security risks."