Clickjacking: Definition, Defense & Prevention
Clickjacking occurs when a hacker hides a clickable element behind or on top of the content visible to users, so that clicks meant for the visible content land on the hidden element instead.
A clickjacking attack begins with deception. You encounter a form, button, or other item you can interact with. Clicking on that item triggers an action you never intended.
For example, you're shown a popup screen on a website, and a large button says, "Click to close this window." When you tap that button, you're also liking the company's Facebook page, even though you never intended to do so.
Clickjacking attacks can cause you to:
- Download malware
- Hand out protected information
- Transfer money
- Purchase products
- Offer unwanted social proof
As a consumer, it's important to understand how these attacks work and how you can protect yourself. As an IT professional, it's critical to build sites that are resistant to common clickjacking approaches.
What Is Clickjacking?
A hacker creates an innocent-seeming web page, button, or form. The item is built from multiple layers. The layer you see looks harmless enough, but a hidden layer holds the element that actually receives your click and carries out the harmful action.
Consider this real-world clickjacking example from Facebook:
- Bait. Developers created a web page filled with funny pictures, and they encouraged people to click through to see them.
- Hook. When visitors hit the page, they saw a screen asking them to confirm they were at least 16 years old.
- Switch. Clicking "yes" allowed the people to enter the site. But they also posted a link to the content on their Facebook wall at the same time.
In this example, people didn't intend to share the post on Facebook. But the attack hijacked their click on "yes."
This visual diagram explains how the concept works: https://www.imperva.com/learn/wp-content/uploads/sites/13/2019/01/Clickjacking.png.webp
How Does Clickjacking Work?
Layers, deception, and programming allow for clickjacking attacks. Unfortunately, the technique is common. Analysts say two-thirds of the top 20 banking sites are susceptible to this kind of attack.
Common clickjacking techniques include:
- Browserless. Hackers target mobile devices. A tiny delay between a person's action and the server's response gives the attacker a window in which to manipulate what the tap lands on.
- Classic. Hidden layers on web pages take over a user's actions.
- Cookiejacking. A user interacts with a seemingly harmless object, and the hacker gains access to the user's cookies from all applicable web browsers. Cookies hold a great deal of data, so this can be a devastating attack.
- Cursorjacking. A hacker changes the way a cursor operates, and the hacker could gain access to the user's camera in the ensuing chaos.
- Filejacking. The hacker gains deep control of your device and turns it into a file server.
- Likejacking. The hacker tricks you into liking a Facebook or other social media account.
The code behind clickjacking is sophisticated. These attacks aren't created or executed by amateurs.
The best clickjacking attacks are also invisible to the user, so you may never know that anyone has control of your device, your data, or both until it's too late.
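The classic technique only works if the browser agrees to render the victim site inside another page's frame, so the first check a defender runs is whether the site's responses forbid framing. The Python function below is an added example, not code from the original article or from Okta; it classifies a response's anti-framing headers (X-Frame-Options and the Content-Security-Policy frame-ancestors directive, with CSP taking precedence when both are present, as browsers do) and runs over a handful of constructed sample responses. The site names and header sets in SAMPLE_RESPONSES are made up for the example.

```python
"""Classify whether an HTTP response allows the page to be framed (added example)."""
from typing import Dict, List, Optional, Tuple


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def framing_policy(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for a response's anti-framing headers.

    verdict is one of 'blocked', 'same-origin', 'allowlist' or 'framable'.
    A CSP frame-ancestors directive wins over X-Frame-Options when both are
    present, which is the precedence browsers apply.
    """
    h = {name.lower(): value for name, value in headers.items()}

    csp = h.get("content-security-policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:
            if sources == ["'none'"]:
                return "blocked", "CSP frame-ancestors 'none'"
            if sources == ["'self'"]:
                return "same-origin", "CSP frame-ancestors 'self'"
            return "allowlist", "CSP frame-ancestors " + " ".join(sources)

    xfo = h.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return "blocked", "X-Frame-Options DENY"
        if value == "SAMEORIGIN":
            return "same-origin", "X-Frame-Options SAMEORIGIN"
        # ALLOW-FROM is obsolete. Browsers ignore an X-Frame-Options value they
        # do not understand, so the header is present but offers no protection.
        return "framable", f"X-Frame-Options value {xfo!r} not understood"

    return "framable", "no anti-framing header present"


# Constructed sample responses, one header mapping per imaginary site.
SAMPLE_RESPONSES = {
    "bank-login": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    },
    "legacy-portal": {"X-Frame-Options": "SAMEORIGIN"},
    "old-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "widget": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "unprotected": {"Content-Type": "text/html"},
}


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each site name to its framing verdict."""
    return {name: framing_policy(hdrs)[0] for name, hdrs in responses.items()}


if __name__ == "__main__":
    for site, verdict in audit(SAMPLE_RESPONSES).items():
        print(f"{site:15} {verdict:12} {framing_policy(SAMPLE_RESPONSES[site])[1]}")
```

To check a real site, pass the response headers from whatever HTTP client you use as the dictionary. The ALLOW-FROM case is included because it is the common false sense of security: the header is there, but a modern browser discards it and the page can still be framed.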
6 Clickjacking Prevention Techniques
You want every action you take on a website to be meaningful and useful. And as a designer, you want your visitors to trust you and your work. Using prevention tools can help you achieve both goals.
Block clickjacking attacks with:
- Secure browsers. Some companies are building tight, tailored programs that eliminate common clickjacking risks. Research which browsers take this threat into account. And as a designer or developer, make sure your sites work in these alternate browsers.
- GuardedID. Billed as "keystroke encryption software," GuardedID aims to eliminate clickjacking. The software works on both PCs and Macs.
- Intersection Observer. Version 2 of this browser API lets a page detect whether its content is actually visible to the user, rather than covered or hidden, at the moment of a click, so the page can act only on clicks the user could see.
- Browser extensions. Customers can use NoClickjack in Chrome or NoScript in Firefox to eliminate attacks as they browse the web.
- X-Frame-Options. Send this HTTP response header from your website. It tells the browser whether the page may be rendered inside a frame, iframe, embed, or object.
- Content-Security-Policy. Use the frame-ancestors directive within the Content-Security-Policy header to designate the set of trusted origins that may iframe a resource. Setting it to 'self' ensures that the iframe src and the parent page are on the same origin.
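The two headers above are easiest to get right when they are set in one place for every response rather than per page. The WSGI middleware below is an added example, not Okta's code and not taken from the sources the article lists. It sends frame-ancestors 'self' and X-Frame-Options: SAMEORIGIN, merges the directive into a Content-Security-Policy the application already sends, and leaves the headers untouched when the application has set its own frame-ancestors allowlist; demo_app and the choice of a same-origin policy are assumptions made for the example.

```python
"""WSGI middleware that adds anti-framing headers to every response (added example)."""
from typing import List, Optional, Tuple
from wsgiref.simple_server import make_server

Header = Tuple[str, str]
FRAME_ANCESTORS = "frame-ancestors 'self'"  # assumed policy: same-origin framing only


def _has_frame_ancestors(csp: str) -> bool:
    """True if the CSP already contains a frame-ancestors directive."""
    return any(d.strip().lower().startswith("frame-ancestors") for d in csp.split(";"))


def _with_frame_ancestors(csp: Optional[str]) -> str:
    """Append frame-ancestors 'self' to an existing CSP, or create a minimal one."""
    if not csp:
        return FRAME_ANCESTORS
    directives = [d.strip() for d in csp.split(";") if d.strip()]
    return "; ".join(directives + [FRAME_ANCESTORS])


def protect_headers(headers: List[Header]) -> List[Header]:
    """Return a copy of a WSGI header list with anti-framing headers present.

    If the application already sends its own frame-ancestors directive, its
    headers are returned unchanged (it has made an explicit choice, possibly an
    allowlist that SAMEORIGIN would contradict in older browsers). Otherwise
    frame-ancestors 'self' is added to the CSP and X-Frame-Options is set to
    SAMEORIGIN for browsers that predate CSP frame-ancestors.
    """
    lowered = {name.lower(): value for name, value in headers}
    csp = lowered.get("content-security-policy")
    if csp is not None and _has_frame_ancestors(csp):
        return list(headers)
    out = [(n, v) for n, v in headers
           if n.lower() not in ("x-frame-options", "content-security-policy")]
    out.append(("Content-Security-Policy", _with_frame_ancestors(csp)))
    out.append(("X-Frame-Options", "SAMEORIGIN"))
    return out


class ClickjackingProtection:
    """Wrap any WSGI application so every response passes through protect_headers."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def wrapped_start(status, headers, exc_info=None):
            return start_response(status, protect_headers(headers), exc_info)
        return self.app(environ, wrapped_start)


def demo_app(environ, start_response):
    """Hypothetical application that already sends a CSP without frame-ancestors."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Security-Policy", "default-src 'self'")])
    return [b"<h1>Account settings</h1>"]


app = ClickjackingProtection(demo_app)


def render(wsgi_app) -> Tuple[str, List[Header], bytes]:
    """Invoke a WSGI app for GET / without a socket and return status, headers, body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(wsgi_app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, hdrs, _ = render(app)
    print(status)
    for name, value in hdrs:
        print(f"{name}: {value}")
    with make_server("127.0.0.1", 8000, app) as srv:
        srv.serve_forever()
```

Wrapping the application at the WSGI layer means a page that forgets the headers is still protected, and keeping both headers in step avoids the situation where an old browser honours X-Frame-Options while a new one follows a CSP that says something different.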
Developers and consumers argue over which approach is most effective. Some swear by X-Frame-Options, for example, as they believe prevention should come from developers and not consumers. But others say X-Frame-Options comes with too many limitations to be effective. Savvy coders can work around almost any obstacle.
In the end, combining your tools and encouraging your customers to be alert about the sites they visit and the work they do online is the best way to block hackers before they take over.
More Security Options Through Okta
Ensure that you give your employees a safe space for their electronic work. Use our platform to manage logins, authentication, and authorization.
The Clickjacking Bug That Facebook Won't Fix. (December 2018). Bleeping Computer.
Clickjacking Threatens Two-Thirds of Top 20 Banking Sites. (November 2020). Infosecurity.
Trust is Good, Observation Is Better: Intersection Observer v2. (February 2021). Web.Dev.
NoClickJack. Chrome Web Store.
NoScript. InformAction Open Source Software.
X-Frame-Options. Mozilla.
Clickjacking Attack on Facebook: How a Tiny Attribute Can Save the Corporation. (January 2019). Security Boulevard.