What Is Clickjacking and How to Prevent It

Shireen Stephenson, published August 26, 2025

Recent clickjacking headlines may sound alarming, but here’s the good news: this isn’t an unforeseen zero-day exploit, as some have said, but a series of known malicious techniques that could target users of any browser-based form-fill solution.

We want to assure you that LastPass takes these and any other threats very seriously, and we continually undertake new measures as required to protect your information. Without further ado, we’ll explore what clickjacking is and the new and existing measures we are putting in place to keep you safe.

Understanding Clickjacking

Definition and meaning of clickjacking

First, what is the root cause of clickjacking?

The term “clickjacking” refers to the hijacking of user clicks for malicious purposes.

It’s a client-side cyberattack, where malicious actors trick users into performing unintended actions.

Client-side attacks target end-user devices such as mobile phones, laptops, and desktops. 

The attacker uses a social engineering technique like phishing or smishing to trick users into visiting a counterfeit web page and claiming a “prize” they supposedly won. This decoy page contains seemingly legitimate user elements like buttons, icons, and links.

Once there, the user clicks on the “Claim Now” button, unaware they are simultaneously performing another action on a hidden page.

This hidden page is an iframe (an invisible frame) overlaid on top of the counterfeit page. Any actions performed here – even though unknown to the user – will almost certainly have negative real-world consequences.

Ultimately, the root cause of clickjacking is the attacker’s desire for financial, social, or political gain – achieved through the manipulation of a web page’s visual display.

How clickjacking attacks work

Do you enjoy shopping on Amazon? If so, you aren’t alone: the platform is one of the three most-visited e-commerce sites in the world (the other two being AliExpress and eBay).

Amazon accounts for almost 40% of e-commerce sales worldwide. For many users, staying logged in with 1-Click ordering enabled is a convenient option.

But it’s also a dangerous one. 

Imagine it’s Friday evening, and one of your family members is on Facebook, uploading pictures from a recent vacation. Suddenly, they see a pop-up ad for a hugely discounted plane ticket to Oahu, Hawaii’s third-largest island. Curious, they click on the ad.

Unbeknownst to them, the “Claim Your 75% Off Plane Ticket” button is positioned over an invisible “Buy Now” button for a waterproof GoPro camera on Amazon.

Once the ad button is clicked, the “Buy Now” button is activated, completing the purchase with Amazon’s 1-Click ordering.

Your bank then charges $399.99 to your credit card, which you’ll now have to dispute as a fraudulent transaction.

Examples of clickjacking attacks

So, what are examples of clickjacking?

Some of the most popular techniques include:

  • Likejacking: This type of attack tricks users into clicking “Like” unknowingly on social media platforms like Facebook. In 2010, Facebook users were tricked into liking a page called 101 Hottest Women in the World.
  • Cookiejacking: In this type of attack, hackers focus on exploiting browser vulnerabilities to steal your session cookies – so they can access saved or stored credit card data.
  • Mousejacking: In a mousejacking attack, the hacker uses specially crafted hardware to intercept signals between a wireless mouse and PC.

    After hijacking the signals, the hacker is able to take control of the legitimate mouse and send their own keystrokes to the PC. This potentially allows them to run malicious scripts that can execute malware on your device. Be sure to check whether your mouse and keyboard are susceptible to mousejack keystroke injection attacks.

  • Cursorjacking: Here, the attacker manipulates the position of your cursor. So, when you click on a legitimate button or link, your cursor simultaneously clicks on a hidden link that downloads malware to your device or directs you to a malicious page.

    Newer cursorjacking techniques may leverage JavaScript or advanced CSS properties to create more convincing visual deceptions.

  • Media File Jacking: This type of clickjacking attack was first reported in 2019. It allowed hackers to intercept and manipulate media files in external storage before they were displayed in the app’s user interface. Media file jacking mostly affected WhatsApp and Telegram on Android devices.
  • Gesturejacking: Move over clickjacking; we now have gesturejacking. Here, the attacker creates a malicious OAuth app and URL. When you head to this seemingly innocent URL, you’re told to “Press and hold Enter to continue.”

    If you comply, a very small window is opened – and your long-press action is transferred to this new window. Because the window is opened in response to your gesture, it evades the typical pop-up blocker. Your long-press action activates the Authorize button for the malicious OAuth app. This then gives the attacker’s app instant API access to your personal, financial, and business data.

Types of Clickjacking Attacks

UI redressing as a clickjacking technique

Clickjacking is also generally known as a UI redress attack.

As mentioned, this type of attack involves an invisible overlay on top of decoy elements like links and buttons. With clickjacking evolving into more advanced forms like gesturejacking (also known as cross-window forgery), prevention is key to your safety. This includes:

  • Regularly updating your browser
  • Remaining vigilant about unfamiliar prompts and URLs
  • Installing anti-clickjacking extensions

Clickjacking with prefilled form input

Here, attackers prefill login credentials that users unintentionally submit.

An example is overlaying an iframe containing a prefilled form and an invisible “Submit” button on top of a fake button that says “Play video.”

Let’s say the prefilled form contains your banking details, acquired from a high-profile breach.

Once you click on the “Play” button, an unauthorized payment is made, which you’ll be liable for. 

Combining clickjacking with a DOM XSS attack

A dangerous attack involves a combination of clickjacking and exploiting a DOM Cross-Site Scripting (XSS) vulnerability to steal your login credentials.

By injecting malicious scripts into a webpage’s Document Object Model (DOM), attackers can manipulate page elements to perform unauthorized actions.

Here’s how this works: You visit a website that you trust and for which you previously saved a password in LastPass. On your return, you click on a button that says, “Claim your free gift.” But underneath the button is a second, malicious one you can’t see. This was made possible by hacking the website and inserting a new button along with CSS (Cascading Style Sheets) rules that set its opacity to zero.

Zero opacity makes the button invisible to the naked eye but still interactive. That button could be made to impersonate the site’s login form and request that the saved password be filled by LastPass. But it’s important to remember that DOM-based clickjacking depends on severe security flaws like XSS (cross-site scripting), where an attacker gains control of a site page (without the victim site knowing) and you also visit the page and interact with the malicious code. If you’re a LastPass customer, our system still protects you with automatic security features:

  • Personal and payment info: By default, we show a confirmation prompt for you to confirm before autofilling personal information. This means autofill won’t be triggered without your explicit consent.
  • Password logins: By default, LastPass will not autofill on sites where the current domain does not match the domain saved with your vault. Also, know that if one of your saved logins were subject to a clickjacking attack, only that credential is at risk; your entire vault contents are protected and cannot be exported.

    Additionally, a new background security rule is in progress and will be included in the upcoming browser extension version 4.146.6, targeted for August 29, 2025. This security enhancement detects clickjacking tactics that employ zero opacity and will block autofilling when they are detected on a website.

  • Passkeys: If you use passkeys instead of passwords, these are more secure. A passkey is a ‘private key’ in your vault that signs a website authentication request and always remains safely in your vault. It can only be used for the specific domain on which it was created. (Note that it is also theoretically possible for a legitimate website to have been compromised by an attacker who has injected malicious code into that site. If this occurs, a user may use a passkey legitimately, but the attacker "piggybacks" on the session to view your account. The passkey itself is not compromised, but account data may be.)

Note: not all variants of clickjacking attacks rely on opacity, so we’re continuing to evaluate broader protections as well.

Before we get to practical steps for protecting yourself, it’s vital to shine a light on the risks of clickjacking.

Implications of Clickjacking

Potential risks to user privacy and security

Clickjacking comes with three main risks:

  • Identity theft: This is the biggest risk of clickjacking. Identity theft shows no signs of waning – there's a victim every 22 seconds, and cases have tripled over the last decade.
  • Financial losses: During a clickjacking attack, the hacker can trick you into making fraudulent transactions or authorizing transfers that drain your accounts.
  • Privacy violations: One of the most frightening risks of clickjacking is the hijacking of webcams and microphones. In 2019, attackers managed to lure Mac users to a malicious site with embedded iframes. There, the users were tricked into launching Zoom meetings, giving the attackers immediate access to their webcams. Fortunately, the vulnerability (dubbed CVE-2019-13450) has since been patched.

Effects on online payment systems and social media platforms

As can be seen, attackers can leverage clickjacking attacks to redirect payments and steal banking details.

Meanwhile, social media platforms are favorite targets for likejacking, where attackers trick users into liking scam accounts or following accounts they never intended to support.

For example, you click on a button to watch a funny video or claim a coupon. However, the attacker overlays a hidden “Like” button over the video or coupon. Your click ends up endorsing misinformation about a food supplement, political figure, or religious issue.

Consequences of falling victim to clickjacking

Attackers can combine clickjacking with phishing to perform actions that negatively impact your business.

For example, your employee receives a phishing email that directs them to a clickjacking site to update their password.

What your employee sees is a seemingly legitimate login form for their employee portal. 

They proceed to enter their current credentials into the visible form fields. Unbeknownst to them, they’re actually typing into an invisible login form that’s positioned precisely over the visible (fake) form.

Without knowing it, your employee has now compromised your organization’s employee, trade, and financial data.

At this point, many people ask, “Is clickjacking a serious vulnerability today?”

It’s important to note that modern browser security measures can largely prevent these types of attacks today, but new threats emerge daily. To protect your business, it’s important to keep all software patched, implement client- and server-side protections, and leverage domain-verified autofilling and encrypted credential storage.

Read on to find out how you can do this.

Website Defense Techniques

Using the frame-ancestors directive in a Content Security Policy (CSP)

So, what is the solution for clickjacking?

According to OWASP, there are both client-side and server-side solutions on the market.

Client-side solutions include browser extensions like NoScript (primarily for Mozilla Firefox) that prevent the execution of JavaScript, Flash, and other plugins without explicit permission from you.

Meanwhile, software solutions like GuardedID secure browser interactions, so your keystrokes aren’t intercepted. GuardedID’s NoClickjack browser extension protects you on these browsers: Microsoft Edge, Mozilla Firefox, Safari, and Google Chrome.

For server-side solutions, we have anti-framing protections like the frame-ancestors directive in CSPs and the X-Frame-Options header.

First, we’ll discuss a Content Security Policy (CSP), which is a web standard that lets a site declare which sources a browser may load content from, including which domains or subdomains may embed the page. It’s effective against client-side attacks like XSS and clickjacking.

The CSP was created by the World Wide Web Consortium (W3C), the international organization responsible for the technical standards and guidelines that ensure the Web’s continued viability.

As of 2024, the CSP is still in the Working Draft stage; although widely implemented in most modern web browsers, it isn’t yet a finalized W3C Recommendation.

A CSP is generally implemented using an HTTP response header. The header contains one or more directives – these are rules or security instructions defining the types of content a browser can load and the trusted sources from which they can be loaded.

For example, the frame-ancestors directive is particularly effective against clickjacking because it prevents unauthorized third parties from embedding iframes into your webpages.

An example of a CSP with a frame-ancestors directive is frame-ancestors 'self'. Here, only the site’s own origin ('self') can load the page in an iframe; specific trusted sites can be allowed by listing their origins after it. Note that the quotes around 'self' are required: without them, the browser reads self as a host name rather than as the keyword.

The same source-list syntax applies to the other CSP directives. For example:

script-src 'self' js.example.com

  • script-src governs JavaScript sources.
  • 'self' means a JavaScript script can be downloaded from the same origin as the current page. So, if your page is at https://example.com, then the same origin would be https://example.com.
  • js.example.com specifies an extra source from which scripts can be loaded.

Meanwhile, frame-ancestors 'none' prevents the page from being embedded in any frame at all.

Utilizing X-Frame-Options Response Headers

The X-Frame-Options HTTP response header is an older mechanism which tells your browser how to handle iframe embedding.

The X-Frame-Options header (superseded by the frame-ancestors directive) accepts three values:

  • DENY: The page can’t be displayed in an iframe, no matter where the request originates.
  • SAMEORIGIN: The page can be displayed in an iframe, but only by pages from the same origin.
  • ALLOW-FROM: The page can be displayed in an iframe, but only by pages from a specific trusted origin. This value is deprecated in modern browsers, which ignore it (and with it the whole header).

Generally, the X-Frame-Options directive is still applicable in 2024, but cybersecurity professionals recommend the CSP header with the frame-ancestors directive for more robust, fine-grained control over framing actions.

For example, you can implement X-Frame-Options with CSP frame-ancestors in Apache and NGINX (web servers that handle HTTP requests). Older browsers that don’t support CSP will fall back on X-Frame-Options. 

So, using both X-Frame-Options and CSP frame-ancestors provides a powerful defense against clickjacking in a wide range of browsers.
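As an added example (not code from the LastPass post), the following Python mirrors how a browser applies the two headers described above, frame-ancestors taking precedence and X-Frame-Options acting as the fallback, and audits a response for the misconfigurations a reviewer looks for first. Header values and URLs are constructed samples; wildcard sources such as *.example.com are not modelled.

```python
"""Decide whether a page may be framed by a given origin, from its headers."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to its origin, scheme://host[:port], lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def frame_ancestors_directive(csp: str):
    """Return the frame-ancestors source list from a CSP header, else None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return None


def frame_ancestors_allows(sources: str, page: str, embedder: str) -> bool:
    """Match the embedding origin against 'none', 'self' and host sources."""
    tokens = sources.split()
    if not tokens or tokens == ["'none'"]:
        return False
    for tok in tokens:
        if tok == "'self'" and origin_of(embedder) == origin_of(page):
            return True
        if "://" in tok and origin_of(tok) == origin_of(embedder):
            return True
        # A scheme-less host source matches that host on any scheme.
        if "://" not in tok and tok.lower() == urlsplit(embedder).netloc.lower():
            return True
    return False


def x_frame_options_allows(value: str, page: str, embedder: str) -> bool:
    """DENY and SAMEORIGIN as described in the post. ALLOW-FROM (or any other
    value) is unrecognised by modern browsers, which then ignore the header,
    so it is modelled as allowing the frame."""
    v = value.strip().upper()
    if v == "DENY":
        return False
    if v == "SAMEORIGIN":
        return origin_of(page) == origin_of(embedder)
    return True


def framing_allowed(headers: dict, page: str, embedder: str) -> bool:
    """A frame-ancestors directive overrides X-Frame-Options when both exist."""
    lower = {k.lower(): v for k, v in headers.items()}
    fa = frame_ancestors_directive(lower.get("content-security-policy", ""))
    if fa is not None:
        return frame_ancestors_allows(fa, page, embedder)
    if "x-frame-options" in lower:
        return x_frame_options_allows(lower["x-frame-options"], page, embedder)
    return True  # no protection at all: any site can frame the page


def audit(headers: dict) -> list:
    """Flag a missing header, an unquoted self keyword, and obsolete ALLOW-FROM."""
    lower = {k.lower(): v for k, v in headers.items()}
    fa = frame_ancestors_directive(lower.get("content-security-policy", ""))
    findings = []
    if fa is None and "x-frame-options" not in lower:
        findings.append("no anti-framing header: page is clickjackable")
    if fa is not None and "self" in fa.split():
        findings.append("unquoted self in frame-ancestors is read as a host name")
    if lower.get("x-frame-options", "").upper().startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is obsolete; use frame-ancestors")
    return findings
```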

You can also combine the above with the Same-Origin Policy (SOP), which restricts how scripts from one origin (or domain) can interact with resources from another origin.

Enhancing Security with SameSite Cookies

SameSite cookies are a security feature that can help prevent both Cross-Site Request Forgery (CSRF) and clickjacking attacks.

Proper configuration of SameSite cookies ensures sensitive cookies (such as session cookies) are sent across domains only in specific contexts.

  • SameSite=Strict: The cookie is only sent in first-party requests. This means a cookie won’t be sent if you click a link from another site. For example, you’re logged into GitHub and click a link to a private GitHub project from an external corporate discussion forum. With the Strict option, you won’t be able to see the project; you’ll have to log in again to gain access to it.
  • SameSite=Lax: The cookie is sent when following a normal, external link (like the one described in the GitHub scenario above). However, it won’t be sent in cross-site POST requests, because this type of request is vulnerable to CSRF (cross-site request forgery) attacks. Here’s why: POST requests are often used for actions like transferring funds or completing purchases, prime targets for CSRF attacks.
  • SameSite=None: The cookie is sent in all requests. However, when using SameSite=None, the Secure attribute must also be included, so that the cookie is only sent over HTTPS connections.
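The following is an added example, not code from the LastPass post: a model of when a browser attaches a cookie under each SameSite value above, including why an iframe load (the clickjacking case) never carries a Strict or Lax cookie. Request contexts are constructed samples, and site_of uses a simplified "last two labels" rule in place of the Public Suffix List.

```python
"""Model the SameSite=Strict / Lax / None cookie-sending rules."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Methods the Lax rule treats as safe for cross-site top-level navigations.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(url: str) -> str:
    """Approximate the 'site' of a URL as scheme + registrable domain."""
    p = urlsplit(url)
    labels = (p.hostname or "").split(".")
    return p.scheme + "://" + ".".join(labels[-2:])


@dataclass
class Cookie:
    name: str
    same_site: str = "Lax"   # browsers default to Lax when the attribute is absent
    secure: bool = False

    def set_cookie_header(self, value: str) -> str:
        """Serialize the attributes; None without Secure is rejected, as the post notes."""
        if self.same_site == "None" and not self.secure:
            raise ValueError("SameSite=None requires the Secure attribute")
        attrs = [f"{self.name}={value}", f"SameSite={self.same_site}"]
        if self.secure:
            attrs.append("Secure")
        return "; ".join(attrs)


def cookie_sent(cookie: Cookie, request_url: str, initiator_url: str,
                method: str, top_level_navigation: bool) -> bool:
    """Would the browser attach `cookie` to this request?

    initiator_url is the page that caused the request: the framing page for
    an iframe load, or the linking page for a clicked link. An iframe load is
    never a top-level navigation, so a Strict or Lax session cookie is absent
    from the framed page and the hidden button acts on an unauthenticated user.
    """
    if cookie.secure and not request_url.startswith("https://"):
        return False  # Secure cookies never travel over plain HTTP
    if site_of(request_url) == site_of(initiator_url):
        return True   # same-site requests carry the cookie under every setting
    if cookie.same_site == "None":
        return True
    if cookie.same_site == "Strict":
        return False
    # Lax: only cross-site top-level navigations using a safe method.
    return top_level_navigation and method.upper() in SAFE_METHODS
```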

Protecting Yourself from Clickjacking with LastPass

Autofill for passwords

The ease and security of Autofill is yours to enjoy with a LastPass subscription. 

Here are four more easy steps to stay safe:

  • Lock your vault when not in use to ensure that autofill features are completely inaccessible.
  • Always exercise caution when visiting any website. Malicious or compromised pages are built to rush you into interacting with them.
  • Turn off autofill for all sites if you want maximum control. Or you can choose to disable it only for select sites. Note, however, that disabling autofill entirely may reduce convenience and increase the risk of password reuse or phishing.
  • Use “Never URLs” for your most sensitive sites. This prevents LastPass from offering to fill credentials on those domains.

MFA integration

At LastPass, our FIDO2 MFA options are your secure defense against identity theft. Even if attackers somehow manage to access your login credentials, they’ll still need to bypass the cryptographically secured process that involves you and your device or other second authentication factor.

With LastPass, you get superior protection with your choice of push notifications and TOTP, passkeys or hardware security keys like YubiKey.

Dark web monitoring

We think Dark Web Monitoring is so important we’ve given all LastPass users (even those on free plans) access to it. With Dark Web Monitoring, you’ll never go a day without the security of knowing you’re protected. If your credentials end up on the Dark Web, we send you an alert so you can instantly generate a new, secure password with our Password Generator.

Encrypted vault and encrypted URLs

With LastPass, your vault is protected with an ironclad, military-grade AES-GCM-256 encryption.

This means every credential you or your employees enter in a LastPass vault is unreadable to hackers – and anyone at LastPass. Your LastPass vault also securely encrypts URLs. With URL encryption, attackers can’t tell which of your login credentials belong to your email, banking, or social media accounts (even if they somehow manage to access your vault).  

And that’s not all: We continue to add cryptographic enhancements to stay ahead of the curve.

At LastPass, we never stop working to ensure your safety and security.
