What exactly is clickjacking and how do I protect myself from it?
This question was answered on June 4, 2010. Much of the information contained herein may have changed since posting.
Clickjacking is a malicious web coding technique that presents visitors with buttons or items to click that actually do something different than what is being presented (click + hijacking).
There is literally an invisible layer of code that determines what will actually happen when you click on the visible buttons that are generally represented as common ‘submit’, ‘click here’ or even ‘Cancel’ buttons.
Essentially, a clickjacking page tricks a user into performing undesired actions by clicking on a concealed link.
There are two technical ways for malicious sites to trick you via a clickjacking exploit.
Clickjacking is not an operating system specific exploit, but a browser-based attack so it impacts Windows, Mac and Linux users the same.
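The invisible layer described above works because a malicious page can load the real site inside a frame it controls and lay its own bait on top. The other half of the defence, which this column does not cover, belongs to the site operator: browsers will refuse to render a page inside a third-party frame when the response carries an `X-Frame-Options` header or a `Content-Security-Policy` header with a `frame-ancestors` directive. The following checker is an added example, my own code rather than anything from the original column or from Data Doctors. It reads those two headers from a response and reports whether a given outside origin could frame the page; the header values and origins are constructed sample data, the precedence rule (`frame-ancestors` overrides `X-Frame-Options` when both are present) follows the CSP specification, and ports and paths inside source expressions are ignored as a simplification.

```javascript
// Added example (not from the original column or from Data Doctors): a small
// checker for the server-side anti-framing headers that stop a page from being
// loaded inside a hidden frame on someone else's site. Both headers are real,
// standardised controls:
//   X-Frame-Options: DENY | SAMEORIGIN
//   Content-Security-Policy: frame-ancestors <source-list>
// All header values and origins below are constructed sample data.

function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Extract the frame-ancestors source list from a CSP header value.
// Returns null when the directive is absent, otherwise an array of
// lowercase sources with the surrounding quotes removed ('self' -> self).
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

// Does one CSP source expression match the origin trying to embed the page?
// Ports and paths inside host sources are ignored here (a simplification).
function sourceMatches(src, embedderOrigin, pageOrigin) {
  if (src === 'none') return false;
  if (src === '*') return true;
  if (src === 'self') return embedderOrigin === pageOrigin;
  const embedder = new URL(embedderOrigin);
  // A scheme-only source such as "https:" matches any host on that scheme.
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.protocol === src;
  let host = src;
  const withScheme = src.match(/^([a-z][a-z0-9+.-]*:)\/\//);
  if (withScheme) {
    if (embedder.protocol !== withScheme[1]) return false;
    host = src.slice(withScheme[0].length);
  }
  host = host.split('/')[0].split(':')[0];
  // "*.example.com" matches any subdomain but not the bare domain itself.
  if (host.startsWith('*.')) return embedder.hostname.endsWith(host.slice(1));
  return embedder.hostname === host;
}

// Decide whether a response with these headers may be framed by embedderOrigin.
// frame-ancestors, when present, takes precedence over X-Frame-Options, as the
// CSP specification requires browsers to do.
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const page = new URL(pageOrigin).origin;
  const embedder = new URL(embedderOrigin).origin;
  const h = normalizeHeaders(headers);
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors !== null) {
    return ancestors.some((src) => sourceMatches(src, embedder, page));
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === page;
  // No recognised anti-framing header: any site can load this page in a frame,
  // which is exactly the condition a clickjacking page relies on.
  return true;
}

// Constructed sample responses from a hypothetical banking site.
const PAGE = 'https://bank.example';
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfoDeny: { 'Content-Type': 'text/html', 'X-Frame-Options': 'DENY' },
  cspSelfAndPartner: {
    'Content-Security-Policy':
      "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
  },
};

function demo() {
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    const framable = framingAllowed(headers, PAGE, 'https://attacker.example');
    console.log(`${name}: third-party framing ${framable ? 'ALLOWED' : 'blocked'}`);
  }
}

demo();
```

Run it with Node; the `unprotected` sample is the one to watch, since a page that sends neither header can be framed by any site and is the kind of target the column's invisible-layer trick relies on. Pointing the same function at the headers of a site you operate is a quick way to confirm the protection is actually being sent on every page, not just the login form.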
The best tool for protecting yourself from rogue scripts is called NoScript ( http://noscript.net/getit ) and is a free add-in for Mozilla’s Firefox browser (not available for Internet Explorer or Google’s Chrome browser as of yet).
NoScript is a tool that basically stops all scripts from running until you say it’s OK to run them, so in the early stages of installing this tool, you will have to approve the running of scripts on every website that you visit in order to make full use of each site.
For instance, the first time you go to your bank’s website, you would click on the “Options” button in the NoScript toolbar that will appear at the bottom and then select Allow “banksite.com” to tell the program that it is OK to run scripts from this site from now on.
If you visit a site that you are not sure about, you can tell NoScript to temporarily allow scripts to run, which means that the next time you visit this particular site, the scripts will still be blocked.
Over time, you will have a customized NoScript filter based on the setting for each site that you regularly visit so it becomes more transparent.
If you decide to use this tool, YOU’LL HAVE TO REMEMBER THAT CERTAIN PARTS OF ANY GIVEN WEBSITE MAY NOT WORK PROPERLY until you tell NoScript to allow them, because the scripts that normally run in the background will be blocked.
The other exploit involving clickjacking has to do with Adobe’s Flash Player software that is used to deliver animation and video on millions of sites. It’s possible for a malware author to create a Flash game that prompts you to click on items as they appear on the screen, but in the background you are authorizing the remote system to access your webcam and microphone!
There are two ways to avoid being victimized by this exploit. The first is to make sure you have the latest version of Adobe’s Flash Player by going directly to Adobe’s site and manually downloading it: http://get.adobe.com/flashplayer .
The second is to make sure that you tell the Flash Player to Always Deny access to your webcam & microphone by any of the websites that you visit. This can be set up by going to the online Global Privacy Settings panel located here: http://bit.ly/dsQsBp (& remember, if you have NoScript running, you will have to allow the Macromedia.com website to run scripts or you won’t see the control panel).
About the author
Ken Colburn of Data Doctors on June 4, 2010