Is your click secure? The hidden dangers of Clickjacking!

In today’s digital landscape, security is more important than ever.

Ever clicked without knowing what you are clicking on?

One of the lesser-known but increasingly relevant threats is Clickjacking, a technique that tricks users into clicking on something different from what they perceive, often leading to security breaches.

In this post, I’ll explain what Clickjacking is, how it works, and why it is essential for both developers and users to stay aware of this growing threat.


What is Clickjacking?

It is a technique of tricking users into clicking on something different from what the user perceives, thus creating a digital illusion.

The attacker creates a fake layer over a web page that looks identical to a legitimate web page. When a user clicks on the fake layer assuming it to be authentic, the click actually lands on the web page underneath this layer. These hidden web pages could cause the user to like or share a post, or even make a purchase, without their consent.

The term Clickjacking is derived from Hijacking Clicks.

*iframe - inline frame. An HTML element that creates a rectangular area on a web page in which another HTML document is displayed. It is like a window through which content from another web page can be shown.*


Examples of Clickjacking

Scene - An attacker wants to trick users into liking their posts on social media without their consent. The attacker creates a web page that contains an iframe. This iframe loads the social media site. The attacker designs a button that says ‘Click for free gift.’ The button is visible and seems legitimate. Behind this button is an invisible iframe that covers the like button on social media. When the users visit the attacker’s page and click the enticing button, they click the invisible frame. This click registers as a like on the post.

Scene - An attacker wants to trick users into making a purchase on an online shopping site without their consent. The attacker creates a website that looks legitimate and enticing, with advertising like ‘limited time offer.’ The attacker embeds an iframe that loads the checkout page of a popular online store. The attacker designs a button that says ‘Unlock Special Pricing.’ The button is visible and seems legitimate. Behind this button is the ‘Confirm Purchase’ button of the shopping site loaded in the iframe. When the user clicks on the visible button, they assume that they are unlocking an offer. In reality they are clicking on the hidden iframe, which confirms the purchase on the shopping site. The user has no clue what happened until they get an email or notification about a purchase they never intended to make.


Difference between CSRF (Cross-Site Request Forgery) and Clickjacking

In clickjacking, an attacker tricks you into clicking on something different from what you think you are clicking. The attacker puts an invisible frame over a legitimate website. When you click on what looks like a button, you actually click on something hidden underneath. You think you are pressing Play on a video, but you are giving the attacker permission to access your account. In CSRF, an attacker tricks your browser into performing an unwanted action on a website where you are logged in. The attacker creates a link or form; when you click on it, your browser sends a request to the website that looks as if it came from you. For example, you are logged into your bank account and click a link in an email that makes a transfer without your knowledge.

Clickjacking tricks your clicks. CSRF tricks your session.


Why should Clickjacking be prevented?

Clickjacking manipulates users into performing unintended actions, which undermines users’ trust. If users feel that they cannot safely interact with a website, they may avoid it, harming the reputation of the website. Also, recovering from the consequences of clickjacking is complex.


Defensive strategies against Clickjacking:

  • Using content or ad blockers is an effective defense against clickjacking. These tools prevent malicious content from loading on the web page, along with blocking ads.
  • A vulnerability scanning tool is essential for platforms like WordPress. Compromised social media plugins in WordPress could be manipulated to redirect likes to malicious content. A vulnerability scanning tool helps identify and patch such security weaknesses, thus reducing the risk of clickjacking.
  • Browsers could include UI indicators to alert users when a web page is being framed. For example, a browser could display a small warning icon in the address bar when a web page detects that it is being loaded within a frame. (A web page loaded within a frame means the content of this web page is displayed inside a box on another page; the user sees the content of this web page but might not be aware that it is displayed within a different web page.)


  • The X-Frame-Options header controls whether a web page may be embedded within an iframe on another domain. The web server sends an HTTP response containing the X-Frame-Options header, and this header instructs the browser on how to handle an attempt to load the web page within an iframe.

Following are the directives that could be set within the X-Frame-Options header:

DENY: When the header is set to DENY, the browser will not display the web page within any iframe regardless of the origin of the request.

Ex. X-Frame-Options: DENY

SAMEORIGIN: When the header is set to SAMEORIGIN, the browser will display the web page within an iframe only if the origin of the parent web page and the framed web page are the same.

Ex. X-Frame-Options: SAMEORIGIN

ALLOW-FROM: When the header is set to ALLOW-FROM, the browser will display the web page within an iframe only if the origin of the page doing the framing matches the specified URL. This directive is obsolete: modern browsers no longer support it and ignore the header when it carries this value, so use the Content Security Policy frame-ancestors directive instead when you need to allow a specific external origin.

Ex. X-Frame-Options: ALLOW-FROM https://example.com


  • The Content Security Policy (CSP) helps developers prevent clickjacking attacks by controlling the resources a browser may load for a specific web page, and which pages may frame it.

Following are the directives that could be set within a Content Security Policy.

frame-ancestors Directive: With this directive, the browser will display the web page within an iframe only if the origin of the framing (parent) page is one of the listed sources. Using 'self' restricts embedding to the page’s own origin; adding a host such as xyz.com additionally allows pages from that origin to frame it. When frame-ancestors is present, browsers give it precedence over X-Frame-Options.

Ex. Content-Security-Policy: frame-ancestors 'self' xyz.com

default-src Directive: This directive tells the browser where the various types of content, such as scripts, images, and styles, may be loaded from, acting as the fallback for the more specific fetch directives. With 'self' and xyz.com, content can only be loaded from the page’s own origin or from the specified origin, i.e. trusted sources. Note that frame-ancestors does not fall back to default-src, so default-src on its own does not stop another site from framing the page.

Ex. Content-Security-Policy: default-src 'self' xyz.com
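To make the X-Frame-Options and frame-ancestors rules above concrete, here is an added example (not code from the original post) that models how a browser decides whether a page may be framed, given the page’s response headers and the origins of the pages framing it. The origins and headers in it are constructed sample values.

```javascript
// Added example (not from the original post): a small model of how a browser
// decides whether a page may be framed, given the page's response headers and
// the origins of the pages framing it. Origins below are constructed samples.

// Returns the frame-ancestors source list if the CSP carries one, else null.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null; // a CSP without frame-ancestors places no limit on framing
}

// Does one source ('self', xyz.com, https://*.a.test, ...) admit this ancestor origin?
function sourceMatches(src, ancestorOrigin, pageOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestorOrigin === pageOrigin;
  if (s === '*') return true;
  const [scheme, host] = s.includes('://') ? s.split('://') : [null, s];
  const o = new URL(ancestorOrigin);
  if (scheme && `${scheme}:` !== o.protocol) return false;
  if (host.startsWith('*.')) return o.host.endsWith(host.slice(1));
  return o.host === host;
}

// headers: response headers of the page being framed (names case-insensitive);
// ancestorOrigins: every frame in the chain up to the top-level page.
function frameAllowed(headers, pageOrigin, ancestorOrigins) {
  const get = (name) => {
    const key = Object.keys(headers).find((h) => h.toLowerCase() === name);
    return key ? headers[key] : '';
  };
  const sources = parseFrameAncestors(get('content-security-policy'));
  if (sources) {
    // frame-ancestors takes precedence over X-Frame-Options; every ancestor must match
    return ancestorOrigins.every((a) => sources.some((s) => sourceMatches(s, a, pageOrigin)));
  }
  const xfo = get('x-frame-options').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigins.every((a) => a === pageOrigin);
  // No header, or an obsolete/unrecognised value such as ALLOW-FROM: browsers ignore it
  return true;
}

// Constructed check: may a page at https://attacker.test frame the checkout page?
const checkout = { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' xyz.com" };
console.log(frameAllowed(checkout, 'https://shop.test', ['https://attacker.test'])); // false
```

Running the same function against your own site’s captured response headers with a foreign origin as the ancestor is a quick way to confirm that the headers you deployed actually block cross-origin framing.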


While Clickjacking may not always be in the spotlight, its impact could be significant. By staying informed and proactive, we could protect ourselves and others in an ever-evolving digital landscape.

Let’s stay vigilant, share knowledge, and take action to create a safer online environment for everyone.

Got any questions or tips on preventing Clickjacking? Drop them below!

#CyberSecurityAwareness #StaySafeOnline #TechSecurity #Clickjacking
