According to Forbes, “A clickjacking hack attack, simply explained, is one that employs various methods to get users clicking on invisible or otherwise obfuscated, as in disguised as something else, web page elements.” Such manipulation can lead to unauthorized actions, including enabling webcams, initiating malware downloads, or revealing sensitive information.
Clickjacking remains a serious cybersecurity threat, with attackers continuously refining their techniques to exploit vulnerabilities. Recent reports indicate clickjacking attacks are often used in combination with phishing scams and malware distribution. In a study by the National Vulnerability Database, several new vulnerabilities were identified in 2023 that made web applications susceptible to clickjacking. The widespread use of JavaScript frameworks and interactive web elements has made it easier for attackers to implement these deceptive tactics.
Read also: What is malware?
Clickjacking takes advantage of a website's ability to embed other web pages within an iframe, allowing attackers to layer a malicious page over a legitimate one. The victim believes they are interacting with the trusted website, but their actions are being redirected to a hidden attacker-controlled page. Unlike traditional phishing, where users are tricked into visiting a fake website, clickjacking manipulates interactions on a real website by hijacking clicks, keystrokes, and form submissions.
Attackers use a variety of coding techniques, such as modifying cascading style sheets (CSS), JavaScript, and iframe layering, to conceal their malicious intent. They may also employ cursor manipulation techniques, which deceive users into clicking unintended areas of a web page. The more advanced forms of clickjacking involve keylogging and session hijacking, where attackers capture user credentials without their knowledge.
Read more:
Clickjacking can manifest in multiple ways, each exploiting different user interactions. The most common methods include:
An invisible iframe is placed over a trusted website, causing users to unknowingly interact with a hidden, malicious page. When a victim clicks, they trigger unwanted actions without realizing it.
Certain sections of the malicious page are overlaid onto the legitimate website, allowing attackers to replace hyperlinks, change button text, or mislead users into clicking fraudulent elements.
Attackers manipulate the appearance or positioning of the cursor, making users believe they are clicking in one place while actually interacting with hidden content elsewhere.
A sophisticated attack where visible elements of a page are momentarily replaced with malicious content just as the user clicks, tricking them into performing unintended actions.
Modifying a website's CSS properties allows attackers to make legitimate buttons and links appear unresponsive. However, user interactions are still being recorded on an underlying malicious page.
To safeguard against clickjacking, organizations should implement several preventive measures:
The x-frame-options HTTP response header determines whether a browser should allow a webpage to be displayed in a frame. Setting it to "DENY" or "SAMEORIGIN" prevents external sites from embedding the page in an iframe, reducing clickjacking risks.
A content security policy (CSP) allows web developers to specify valid sources for content loading. By restricting iframe embedding, CSP helps mitigate clickjacking attacks.
A frame buster (or frame killer) is a JavaScript technique that prevents a webpage from being embedded within a frame. If a site detects that it is being framed, it redirects the browser to its top-level window, ensuring the visibility of legitimate content.
Some web browsers offer add-ons that prevent scripts from executing unauthorized HTTP requests. These tools stop malicious scripts before they can hijack user interactions.
Regular security training can help employees and users recognize suspicious behaviors, such as unexpected pop-ups or unresponsive buttons, reducing the risk of falling victim to clickjacking attacks.
Security researchers have discovered a new type of clickjacking attack called DoubleClickjacking, which tricks users into taking actions they didn’t intend by exploiting a double-click sequence. Unlike regular clickjacking, which relies on a single click, this attack takes advantage of the brief moment between two clicks to bypass security protections. An attacker might display something harmless, like a CAPTCHA, and ask the user to double-click. Meanwhile, the attacker secretly redirects the second click to approve a malicious action such as granting access to an attacker’s app without the user realizing it. Traditional security measures like X-Frame-Options and SameSite cookies cannot stop this attack. Some services, like Dropbox, have already added extra protections, but experts recommend browsers develop stronger defenses to prevent this type of exploit.
Clickjacking manipulates user interactions on a real website by overlaying hidden elements, while phishing tricks users into visiting fake websites to steal information.
Yes, mobile browsers and apps can be vulnerable, especially if they allow embedded web views or lack security measures like frame restrictions.
JavaScript enables attackers to create deceptive overlays, manipulate cursor positions, and modify website behavior to hijack user actions.
Users should immediately close the tab, clear browser cookies, and avoid clicking suspicious pop-ups or unresponsive buttons. Using browser security extensions can also help.