‘Clickjacking’, if you haven’t heard of it, is a method used by malicious individuals to trick users like you into clicking something without you knowing what you’ve clicked. It’s also known as UI-redressing and only works in browsers that support frames/CSS.

The idea is simple: An iframe is positioned above what looks like a clickable button on a website. This iframe is invisible to the user (opacity:0) and so the user unknowingly clicks on the iframe which may contain anything! This can be achieved through CSS alone, no JavaScript is required. A variation of this technique involves the use of JavaScript to move the iframe around the screen inline with the user’s cursor, therefore achieving the same thing but without having to convince the user to click on a button.

Background info

I believe the original concern was related to Flash and how a user could unknowingly enable their webcam and microphone so the attacker would have access. There are some other examples shown here: http://www.grc.com/sn/notes-168.htm.

Adobe resolved this issue in October of last year with a new release of Flash Player. Obviously this only offers protection for that particular exploit – gaining access to webcam/microphone; other more rudimentary techniques still work perfectly today.

The only solid form of protection I’ve heard of (other than disabling CSS) is the NoScript addon for Firefox. Even though clickjacking is fundamentally unrelated to JavaScript the team behind NoScript went the extra mile and developed a pretty cool way of detecting it; a module named ‘clearClick‘ which will compare a screenshot of the currently viewed page against a screenshot of the same page but with frames at full opacity. If you’re not using Firefox you could try disabling iFrames (if your browser lets you), or, alternatively, you could install a user-scripting plugin and get rid of all iframes via a script. Here are some non-Firefox GreaseMonkey emulators:

IE: Trixie or GM4IE

Safari: Creammonkey

And here’s a script you could use:

var all = document. getElementsByTagName ( 'iframe' ) , l = all. length ; while ( l -- ) all [ l ] . parentNode . removeChild ( all [ l ] ) ;

Clickjacking Twitter

THIS NO LONGER WORKS (as of ~6:45 PM, 12/Feb’09), TWITTER HAS IMPLEMENTED A FRAME-BREAKING SCRIPT » This is a good thing! 🙂

Using the basic technique of positioning an iframe over a button coupled with Twitter’s ‘status’ URL parameter I have created a small demo which shows you just how serious (and annoying) this could be!

It will only work if you’re currently logged into Twitter (and if you haven’t got any of the above measures in place):

Go to Twitter, make sure you’re logged in.

Go to this page: qd9.co.uk/temp/ClickJackEg.html

Click the button.

Wait about two seconds

Go to your Twitter page; look at your latest status!

What does this mean? It means anyone can update your Twitter status without you knowing! Actually, it’s YOU that’s updating it, you just don’t know at the time.

This is a pretty harmless example but I can imagine it being used for more sinister endeavours!

Clickjacking is a dangerous malicious technique; take it seriously! It cannot be halted with a quick browser fix here and there because the problem lies within the CSS/frame implementation itself; it’s not a software bug! If you’re fortunate enough to use Firefox then install NoScript, otherwise explore the other measures I described above.

Thanks for reading! Please share your thoughts with me on Twitter. Have a great day!