Clickjacking: A Short Introduction

Although clickjacking has been around for a while, it’s not a method many people are aware of, although most of us have come in contact with it. Clickjacking is, in simple terms, a way of misleading users to click on a link they never intended to click on. Subsequently, this click is often used for malicious purposes, such as propagating a malicious website on social media sites and obtaining user account details.


Let’s take Facebook for example. You see a post with a link that hundreds or even thousands of people like, so you think to yourself: “What’s this fuzz all about? Let me find out!.” You proceed to click on the link within the post which takes you to a site where you can win a free iPad. Awesome! Free stuff! All they need from you is to click the >> WIN << button and it’s yours. So little work for an iPad!

After you click the button, nothing happens…Seemingly. Behind the scenes, you hit the like (or share button, or any link actually) button and helped this post get even more exposure. This button is hosted on a transparent iframe and therefore invisible.

These sort of clickjacking attacks are rather harmless. Double click campaigns, however, can propagate the posts, while allowing you to click on the WIN button as well, which might consequently take you to a site infected by malware. Many of your friends will also click on the clickjacking link (since you shared or liked it on Facebook and they trust you) and so will their friends, and so on, like a chain reaction.

Below is a video depicting another example (digg):

How can you stay protected?

You can use browser extensions such as NoScript (guide) or ScriptSafe to block scripts and use common sense. No one on the internet will give you free iPads or anything similar.