Clickjacking facts for kids
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.
It is a browser security issue that is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function. The term "clickjacking" was coined by Jeremiah Grossman and Robert Hansen in 2008.
Clickjacking is possible because seemingly harmless features of HTML web pages can be employed to perform unexpected actions.
A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers load another page over it in a transparent layer. The users think that they are clicking visible buttons, while they are actually performing actions on the hidden/invisible page. The hidden page may be an authentic page; therefore, the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, as the users would have been genuinely authenticated on the hidden page.
A user might receive an email with a link to a video about a news item, but another webpage, say a product page on Amazon.com, can be "hidden" on top or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon. The hacker can only send a single click, so they rely on the fact that the visitor is both logged into Amazon.com and has 1-click ordering enabled.
Other known exploits include:
- Tricking users into enabling their webcam and microphone through Flash (though this has since been fixed since originally reported)
- Tricking users into making their social networking profile information public
- Downloading and running a malware (malicious software) allowing to a remote attacker to take control of others computers
- Making users follow someone on Twitter
- Sharing or liking links on Facebook
- Getting likes on Facebook fan page or +1 on Google Plus
- Playing YouTube videos to gain views
- Following someone on Facebook
Likejacking is a malicious technique of tricking users of a website into "liking" a Facebook page that they did not intentionally mean to "like". The term "likejacking" came from a comment posted by Corey Ballou in the article How to "Like" Anything on the Web (Safely), which is one of the first documented postings explaining the possibility of malicious activity regarding Facebook's "like" button.
Clickjacking Facts for Kids. Kiddle Encyclopedia.