Clickjacking describes a Web page / browser attack where user initiated mouse clicks trigger an unintended action, such as disclosing passwords and other confidential information. This action is done primarily by hiding clickable Web page elements inside an invisible frame. Clickjacking can affect all the major Web browsers — Internet Explorer, Firefox, Safari, Chrome, and even Opera by exploiting vulnerabilities in embedded code or a script on a Web site.

For example, the attacker may create a set of “dummy” buttons that are loaded transparently on top of another page. The visitor thinks that they are clicking on the visible buttons when, in reality, they clicking on the buttons located on the hidden page. Another technique is known as text injection, where attacker controlled text is entered into a field on a Web form.

One of the more recent clickjacking attacks was made on Facebook in 2009.

In a recent white paper, Paul Stone, researcher for UK-based Context Information Security LTD, discusses new attacks that dupe users into activating malicious links on websites without their even knowing it. website developers should read the paper. There is also a browser-based clickjacking tool available to show website owners how easy their site could be clickjacked.

While much of the management against the risk against clickjacking involves best practices by site developers, there are a few things the Web user can do.

Firefox users can download the “no script” plug-in. It allows JavaScript, Java and other executable content to run only from trusted domains of your choice, guarding your browser from some clickjacking attempts.

Internet Explorer 8 users can also mitigate the impact of attacks by logging out of sensitive websites when not in use or by using independent InPrivate Browsing sessions, which lets the user control whether or not IE saves browsing history, cookies, and other data.

Google Chrome now supports a security feature that helps sites defend against clickjacking attacks

While not immune to clickjacking attacks, Opera appears to have a decent built-in prevention.

Eric Schnell