Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function. The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008. Clickjacking is an instance of the confused deputy problem, a term used to describe when a computer is innocently fooled into misusing its authority.
Clickjacking is possible because seemingly harmless features of HTML web pages can be employed to perform unexpected actions.
A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers load another page over it in a transparent layer. The users think that they are clicking visible buttons, while they are actually performing actions on the invisible page. The hidden page may be an authentic page; therefore, the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, as the users would have been genuinely authenticated on the hidden page.
A user might receive an email with a link to a video about a news item, but another webpage, say a product page on Amazon, can be "hidden" on top or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon. The hacker can only send a single click, so they rely on the fact that the visitor is both logged into Amazon.com and has 1-click ordering enabled.
- Other known exploits include
- Tricking users into enabling their webcam and microphone through Flash (though this has been fixed since originally reported)
- Tricking users into making their social networking profile information public
- Downloading and running a malware (malicious software) allowing to a remote attacker to take control of other people's computers
- Making users follow someone on Twitter
- Sharing or liking links on Facebook
- Getting likes on Facebook fan page or +1 on Google+
- Clicking Google AdSense ads to generate pay-per-click revenue
- Playing YouTube videos to gain views
- Following someone on Facebook
While technical implementation of these attacks may be challenging due to cross-browser incompatibilities, a number of tools such as BeEF or Metasploit Project offer almost fully automated exploitation of clients on vulnerable websites. Clickjacking may be facilitated by - or may facilitate - other web attacks, such as XSS.
Likejacking is a malicious technique of tricking users of a website into "liking" a Facebook page that they did not intentionally mean to "like". The term "likejacking" came from a comment posted by Corey Ballou in the article How to "Like" Anything on the Web (Safely), which is one of the first documented postings explaining the possibility of malicious activity regarding Facebook's "like" button.
According to an article in IEEE Spectrum, a solution to likejacking was developed at one of Facebook's hackathons. A "Like" bookmarklet is available that avoids the possibility of likejacking present in the Facebook like button.
Cursorjacking is a UI redressing technique to change the cursor from the location the user perceives, discovered in 2010 by Eddy Bordi, a researcher at Vulnerability.fr, Marcus Niemietz demonstrated this with a custom cursor icon, and in 2012 Mario Heiderich by hiding the cursor.
- Robert McMillan (17 September 2008). "At Adobe's request, hackers nix 'clickjacking' talk". PC World. Retrieved 2008-10-08.
- Megha Dhawan (29 September 2008). "Beware, clickjackers on the prowl". India Times. Retrieved 2008-10-08.
- Dan Goodin (7 October 2008). "Net game turns PC into undercover surveillance zombie". The Register. Retrieved 2008-10-08.
- Fredrick Lane (8 October 2008). "Web Surfers Face Dangerous New Threat: 'Clickjacking'". newsfactor.com. Archived from the original on 13 October 2008. Retrieved 2008-10-08.
- Sumner Lemon (30 September 2008). "Business Center: Clickjacking Vulnerability to Be Revealed Next Month". Retrieved 2008-10-08.
- You don't know (click)jack Robert Lemos, October 2008
- JAstine, Berry. "Facebook Help Number 1-888-996-3777". Retrieved 7 June 2016.
- The Confused Deputy rides again!, Tyler Close, October 2008
- Constantin, Lucian. "Adobe to fix Flash flaw that allows webcam spying". Computerworld.
- "select element persistance allows for attacks". Retrieved 2012-10-09.
- "UI selection timeout missing on download prompts". Retrieved 2014-02-04.
- "Delay following click events in file download dialog too short on OS X". Retrieved 2016-03-08.
- Daniel Sandler (12 February 2009). "Twitter's "Don't Click" prank, explained (dsandler.org)". Retrieved 2009-12-28.
- Krzysztof Kotowicz (21 December 2009). "New Facebook clickjacking attack in the wild". Retrieved 2009-12-29.
- BBC (3 June 2010). "Facebook "clickjacking" spreads across site". BBC News. Retrieved 2010-06-03.
- Josh MacDonald. "Facebook Has No Defence Against Black Hat Marketing". Retrieved 2016-02-03.
- "Clickjacking campaign avoids click fraud, abuses Google AdSense". SC Magazine US. 10 January 2017.
- "The Clickjacking meets XSS: a state of art". Exploit DB. 2008-12-26. Retrieved 2015-03-31.
- Krzysztof Kotowicz. "Exploiting the unexploitable XSS with clickjacking". Retrieved 2015-03-31.
- Cohen, Richard (31 May 2010). "Facebook Work - "Likejacking"". Sophos. Retrieved 2010-06-05.
- Ballou, Corey (2 June 2010). ""Likejacking" Term Catches On". jqueryin.com. Archived from the original on 5 June 2010. Retrieved 2010-06-08.
- Perez, Sarah (2 June 2010). ""Likejacking" Takes Off on Facebook". ReadWriteWeb. Retrieved 2010-06-05.
- Kushner, David (June 2011). "Facebook Philosophy: Move Fast and Break Things". spectrum.ieee.org. Retrieved 2011-07-15.
- Perez, Sarah (23 April 2010). "How to "Like" Anything on the Web (Safely)". ReadWriteWeb. Retrieved 24 August 2011.
- Podlipensky, Paul. "Cursor Spoofing and Cursorjacking". Podlipensky.com. Paul Podlipensky. Retrieved 22 November 2017.
- Krzysztof Kotowicz (18 January 2012). "Cursorjacking Again". Retrieved 2012-01-31.
- Aspect Security. "Cursor-jacking attack could result in application security breaches". Retrieved 2012-01-31.
- "Mozilla Foundation Security Advisory 2014-50". Mozilla. Retrieved 17 August 2014.
- "Mozilla Foundation Security Advisory 2015-35". Mozilla. Retrieved 25 October 2015.