Clickjacking, sometimes referred to as UI redress attack, is a malicious computer attack technique. It allows a malicious website operator to gain control over the actions of a user when they visit the malicious website. An attacker uses several transparent or opaque layers to trick the user into clicking on a hidden link, button, or webpage element. Victims are unaware that they are clicking on a malicious webpage element and unknowingly enter information on the malicious website.
The clickjacking technique has been used for several malicious activities such as stealing sensitive information through disguised forms, downloading malware, or directing traffic to other malicious websites. It can also be used to deceive users into clicking on button which they would not normally click on, such as the “like” button or an advertisement.
The attack starts with an attacker manipulating a victim’s browser into framing an invisible element of the malicious website over a legitimate website’s interface. When the victim clicks on the visible element on the legitimate website, instead of performing the desired action, the malicious website operator has control of the hidden element that was framed. For example, when clicking a “like” button, the underlying website code could cause the user to enter their username and password without their knowledge.
The impact of clickjacking can range from privacy violations to severe security breaches, including remote control of computers. To prevent the attack, secure websites should adopt measures such as sandboxing iframes, explicit authorization for interactions with website elements, click tracking, and identifying the origin of the clicks.
