Protecting Yourself Against 'Clickjacking'

Question

What exactly is clickjacking and how do I protect myself from it?

- Joan

Answer

This question was answered on June 4, 2010. Much of the information contained herein may have changed since posting.

Clickjacking (short for "click hijacking") is a malicious web coding technique that presents visitors with buttons or items to click that actually do something different from what is being presented.

An invisible layer of code sits over the visible page and determines what will actually happen when you click the visible buttons, which are generally presented as common Submit, Click Here or even Cancel buttons.

Essentially, a clickjacking page tricks a user into performing undesired actions by clicking on a concealed link.

There are two technical ways for malicious sites to trick you via a clickjacking exploit.

JavaScript and Flash are web technologies that are very common across the Internet, and both can be exploited to trick folks into clicking on something that will do something entirely different.

Clickjacking is not an operating-system-specific exploit but a browser-based attack, so it impacts Windows, Mac and Linux users the same.
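The answer above describes the browser-side defense (blocking scripts). As an added illustration that is not part of the original answer, and that goes beyond it to the site owner's side, the following Node.js script audits a web page's response headers for the two real framing restrictions (the `X-Frame-Options` header and the `frame-ancestors` directive of `Content-Security-Policy`) that tell a browser not to render the page inside another site's frame, which removes the "invisible layer" a clickjacking page depends on. The function names and the sample responses are constructed for this example and are not taken from any real site.

```javascript
// Added example (not from the original Data Doctors answer): an offline
// checker for the response headers that stop a page from being framed by
// other sites. Header names and values are real; the sample responses at
// the bottom are constructed for the demo and not captured from any site.

// Parse the source list of a CSP frame-ancestors directive, if one is present.
function frameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null; // CSP present but says nothing about framing
}

// Evaluate a response's headers (any key casing) and report whether framing
// by arbitrary third-party sites is blocked, with the reason for the verdict.
function clickjackingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // Modern browsers give CSP frame-ancestors precedence over X-Frame-Options.
  const ancestors = frameAncestors(h["content-security-policy"]);
  if (ancestors) {
    const anyOrigin = ["*", "http:", "https:"].some((s) => ancestors.includes(s));
    if (anyOrigin) {
      return { protected: false, reason: "frame-ancestors allows any origin" };
    }
    return { protected: true, reason: `frame-ancestors ${ancestors.join(" ")}` };
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    return { protected: true, reason: `X-Frame-Options ${xfo}` };
  }
  if (xfo.startsWith("ALLOW-FROM")) {
    // ALLOW-FROM was never supported by every browser and is obsolete.
    return { protected: false, reason: "X-Frame-Options ALLOW-FROM is obsolete and inconsistently enforced" };
  }
  return { protected: false, reason: "no framing restriction header" };
}

// Headers a site owner should send: both, so old and new browsers are covered.
function recommendedHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}

// Constructed sample responses for the demo (hypothetical, not real sites).
const samples = {
  unprotected: { "Content-Type": "text/html" },
  legacy: { "X-Frame-Options": "SAMEORIGIN" },
  modern: { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://app.example" },
  wideOpen: { "Content-Security-Policy": "frame-ancestors *" },
  recommended: recommendedHeaders(),
};

// Print a one-line verdict per sample when the script is run directly.
function printReport() {
  for (const [name, headers] of Object.entries(samples)) {
    const r = clickjackingProtection(headers);
    console.log(`${name.padEnd(12)} ${r.protected ? "PROTECTED " : "VULNERABLE"} ${r.reason}`);
  }
}

printReport();
```

Run it with `node clickjacking-check.js` (any file name works). To audit a real page, feed `clickjackingProtection` the headers from a fetched response; a `VULNERABLE` verdict means the page can be loaded invisibly inside another site and is a candidate for adding the recommended headers. Script-side "frame-busting" JavaScript is not used here on purpose: it can be switched off or bypassed, whereas these headers are enforced by the browser itself.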

JavaScript is used by many websites for legitimate purposes, so disabling it in your browser will bypass clickjacking attempts, but it isn't very practical if you want the functionality that many websites offer (like site search, web forms, etc.).

Having a tool that allows you to decide which sites can run JavaScript and which ones can't is the best combination of protection and functionality at the moment.

The best tool for protecting yourself from rogue scripts is called NoScript ( http://noscript.net/getit ) and is a free add-in for Mozilla's Firefox browser (not available for Internet Explorer or Google's Chrome browser as of yet).

NoScript is a tool that basically stops all scripts from running until you say it's OK to run them, so in the early stages of installing this tool, you will have to approve the running of scripts on every website that you visit in order to make full use of each site.

For instance, the first time you go to your bank's website, you would click on the Options button in the NoScript toolbar that will appear at the bottom and then select "Allow banksite.com" to tell the program that it is OK to run scripts from this site from now on.

If you visit a site that you are not sure about, you can tell NoScript to temporarily allow scripts to run, which means that the next time you visit this particular site, the scripts will still be blocked.

Over time, you will have a customized NoScript filter based on the setting you chose for each site that you regularly visit, so the tool becomes more transparent.

If you decide to use this tool, YOU'LL HAVE TO REMEMBER THAT CERTAIN PARTS OF ANY GIVEN WEBSITE MAY NOT WORK PROPERLY until you tell NoScript to allow them, because the scripts that normally run in the background will be blocked.

The other exploit involving clickjacking has to do with Adobe's Flash Player software, which is used to deliver animation and video on millions of sites. It's possible for a malware author to create a Flash game that prompts you to click on items as they appear on the screen, while in the background you are actually authorizing the remote system to access your webcam and microphone!

There are two ways to avoid being victimized by this exploit. The first is to make sure you have the latest version of Adobe's Flash Player by going directly to Adobe's site and manually downloading it: http://get.adobe.com/flashplayer .

The second is to make sure that you tell the Flash Player to "Always Deny" access to your webcam and microphone by any of the websites that you visit. This can be set up by going to the online Global Privacy Settings panel located here: http://bit.ly/dsQsBp (and remember, if you have NoScript running, you will have to allow the Macromedia.com website to run scripts or you won't see the control panel).


Author

Posted by Ken of Data Doctors on June 4, 2010