File Under: Web Basics

A Look at the ‘Clickjacking’ Web Attack and Why You Should Worry

noscript logoThere’s a nasty new security threat making waves on the web. Actually, clickjacking, as this attack is known, isn’t entirely new, but because no one has yet come up with an effective solution, it remains a serious threat. And clickjacking is the worst sort of security risk — it’s transparent to the unwitting user, simple to implement and difficult to stop.

The basic idea is that an attacker loads the content of an external site into the site you’re visiting, sets the external content to be invisible and then overlays the page you’re looking at. When you click a link you see on the current page, you are in fact clicking on the externally loaded page and about to load pretty much whatever the attacker wants.

To complicate matters, clickjacking is also a really cool, potentially effective user design tool. For an example of a benign case of clickjacking, consider the NoScript website, which uses the technique for positive ends.

NoScript is a Firefox plugin that stops JavaScript from running in your browser. The plugin is available through the Firefox add-ons site or through developer Giorgio Maone’s dedicated site. Now, as Firefox users know, when you try to load an add-on through a third-party site, the browser will block the attempt and show you a warning.

In the case of Maone’s site, it means an extra step is required for users to install the NoScript plugin. So Maone simply loads the Firefox add-on page in an iFrame, sets the content of the iFrame to visible:0 and then positions the frame over his own download button. The result is that while the user thinks they are clicking the download button on the current page, they are in fact clicking the download button from the Firefox add-ons page.

Because the Firefox add-ons page is a trusted source, Firefox doesn’t block the download, and users are able to get the plugin installed in a single click. While you could argue that this is still somewhat sneaky, it does make for a better UI experience on Maone’s site.

However, it isn’t hard to see how this could be used for much more nefarious ends. And it’s worth pointing out that an iFrame isn’t the only means of attack, clickjacking can work by loading Flash files, Silverlight, Java and more. To make matters worse, using JavaScript, an attacker could make the invisible target constantly follow the mouse pointer, intercepting a user’s first click no matter where it happens on the current page.

Developer Mark Pilgrim, who has been blogging over at the WHATWG blog, recently posted about clickjacking and outlines a number of possible solutions, none of which is ideal. One option would be to add a cross-domain permissions setup similar to what Flash uses, but even that model has problems. As Pilgrim writes:

This last approach moves us down a slippery slope towards site security policies for IFRAMEs and embedded content, similar to the Flash security model that allows trusted sites to access cross-domain resources. In practice, Flash crossdomain.xml files have a number of problems, and such an approach would still only cover a fraction of the possible use cases.

In the end, there doesn’t appear to be a an easy, or even complete, solution to the issue. As we typically point out when it comes to injection threats, using Firefox with NoScript is one of the best solutions (though in this case, even that isn’t 100 percent). For those using other browsers, Maone recently posted some suggestions for protecting against clickjacking, but unfortunately the usability consequences are pretty severe.

It will require some changes on the part of browser manufacturers to defeat clickjacking, but so far there’s no consensus on how to solve the problem. We’ll be sure to keep you posted.

See Also: