About Clickjacking

Clickjacking - Wikipedia, the free encyclopedia

Clickjacking is possible because seemingly harmless features of HTML web pages can be employed to perform unexpected actions.
A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers load another page over it in a transparent layer. The users think that they are clicking visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page; therefore, the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, as the users would have been genuinely authenticated on the hidden page.

Examples[edit]

A user might receive an email with a link to a video about a news item, but another valid page, say a product page on Amazon.com, can be "hidden" on top or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon.
Other known exploits include:

• Tricking users into enabling their webcam and microphone through Flash
• Tricking users into making their social networking profile information public
• Making users follow someone on Twitter^[8]
• Sharing links on Facebook^[9][10]

Likejacking[edit]

Likejacking is a malicious technique of tricking users of a website into posting a Facebook status update for a site they did not intentionally mean to "like".^[11] The term "likejacking" came from a comment posted by Corey Ballou in the article How to "Like" Anything on the Web (Safely),^[12] which is one of the first documented postings explaining the possibility of malicious activity regarding Facebook's "like" button.^[13]
According to an article in IEEE Spectrum, a solution to likejacking was developed at one of Facebook's hackathons.^[14] A "Like" bookmarklet is available that avoids the possibility of likejacking present in the Facebook Like Button.^[15]

Cursorjacking[edit]

Cursorjacking is a UI redressing technique to change the cursor from the location the user perceives, discovered in 2010 by Eddy Bordi, a researcher at Vulnerability.fr,^{[citation needed]} Marcus Niemietz demonstrated this with a custom cursor icon, and in 2012 Mario Heiderich by hiding the cursor.^[16][17]
Jordi Chancel discovered a cursorjacking vulnerability using flash, Html and JavaScript code in Mozilla Firefox on Mac OS X system (fixed in Firefox 30.0) that lead to arbitrary code execution and webcam spying ( Ref :http://www.mozilla.org/security/announce/2014/mfsa2014-50.html ), the severity of this bug is defined as 'High'.

Related articles

• Clickjacking, Cursorjacking, Likejacking (cleaninternetcharity.com)
• Symantec finds 15% of Facebook videos are likejacking attacks (zdnet.com)
• How to Avoid Facebook LikeJacking Scams (techie-buzz.com)
• Zscaler ThreatLabZ Tackles Facebook Likejacking (allfacebook.com)
• A Call To Stop The ClickJacking Menace With X-Frame-Options (traxarmstrong.com)
• Facebook adds speed bump to slow down likejackers (feedproxy.google.com)