What Is Clickjacking and How to Prevent It

Do you enjoy shopping on Amazon? If so, you aren’t alone: the platform is one of the three most-visited ecommerce sites in the world (the other two being AliExpress and eBay).

Amazon accounts for almost 40% of e-commerce sales worldwide. For many users, staying logged in with 1-Click ordering enabled is a convenient option.

But it’s also a dangerous one. 

Imagine it’s Friday evening, and one of your family members is on Facebook, uploading pictures from a recent vacation. Suddenly, they see a pop-up ad for a hugely discounted plane ticket to Oahu, Hawaii’s third-largest island. Curious, they click on the ad.

Unbeknownst to them, the “Claim Your 75% Off Plane Ticket” button is positioned over an invisible “Buy Now” button for a waterproof GoPro camera on Amazon.

Once the ad button is clicked, the “Buy Now” button is activated, completing the purchase with Amazon’s 1-Click ordering.

Your bank then charges $399.99 to your credit card, which you’ll now have to dispute as a fraudulent transaction.

Examples of clickjacking attacks

So, what are examples of clickjacking?

Some of the most popular techniques include:

• Likejacking: This type of attack tricks users into clicking “Like” unknowingly on social media platforms like Facebook. In 2010, Facebook users were tricked into liking a page called 101 Hottest Women in the World.
• Cookiejacking: In this type of attack, hackers focus on exploiting browser vulnerabilities to steal your session cookies – so they can access saved or stored credit card data. 
• Mousejacking: In a mousejacking attack, the hacker uses specially crafted hardware to intercept signals between a wireless mouse and PC.

After hijacking the signals, the hacker is able to control the legitimate mouse and type their own commands to the PC. This potentially allows them to run malicious scripts that can execute malware on your device.

• Cursorjacking: Here, the attacker manipulates the position of your cursor. So, when you click on a legitimate button or link, your cursor simultaneously clicks on a hidden link that downloads malware to your device or directs you to a malicious page.

Newer cursorjacking techniques may leverage JavaScript or advanced CSS properties to create more convincing visual deceptions. Be sure to check whether your mouse and keyboard are susceptible to mousejack keystroke injection attacks.

• Media Filejacking: This type of clickjacking attack was first reported in 2019. It allowed hackers to intercept and manipulate media files in external storage before they are displayed on the app’s user interface. Media clickjacking mostly affected WhatsApp and Telegram on Android devices.
• Gesturejacking: Move over clickjacking; we now have gesturejacking. Here, the attacker creates a malicious OAuth app and URL. When you head to this seemingly innocent URL, you’re told to “Press and hold Enter to continue.” 

If you comply, a very small window is opened – and your long-press action is transferred to this new window. Because the window is opened in response to your gesture, it evades the typical pop-up blocker. Your long-press action activates the Authorize button for the malicious OAuth app. This then gives the attacker’s app instant API access to your personal, financial, and business data.

Types of Clickjacking Attacks

UI redressing as a clickjacking technique

Clickjacking is also generally known as an UI redress attack. 

As mentioned, this type of attack involves an invisible overlay on top of decoy elements like links and buttons. With clickjacking evolving into more advanced forms like gesturejacking (also known as cross-window forgery), prevention is key to your safety. This includes:

• Regularly updating your browser
• Remaining vigilant about unfamiliar prompts and URLs
• Installing anti-clickjacking extensions

Clickjacking with prefilled form input

Here, attackers prefill login credentials that users unintentionally submit.

An example is overlaying an iframe with a prefilled form and invisible “Submit” button on top of a fake button that says, “Play video.”

Let’s say the prefilled form contains your banking details, acquired from a high-profile breach. 

Once you click on the “Play” button, an unauthorized payment is made, which you’ll be liable for. 

Combining clickjacking with a DOM XSS attack

A dangerous attack involves a combination of clickjacking and exploiting a DOM Cross-Site Scripting (XSS) vulnerability to steal your login credentials. 

By injecting malicious scripts into a webpage’s Document Object Model (DOM), attackers can manipulate page elements to perform unauthorized actions. 

Here’s how this works: You visit a website that you trust and where you previously saved the password for in LastPass.  On your return, you click on a button that says, “Claim your free gift.” But underneath the button is a second malicious one you can’t see, which was made possible through hacking the website and inserting a new button and CSS (custom style sheet) with an opacity setting that’s set to zero.

Zero opacity makes the button invisible to the plain eye but still interactive. That button could be made to impersonate the site’s log in form and request the saved password be filled by LastPass. But it’s important to remember that DOM-based clickjacking depends on severe security flaws like XSS (cross-site scripting), where an attacker gains control of a site page (without the victim site knowing) and you also visit as well as interact with the malicious code. If you’re a LastPass customer, our system still protects you with automatic security features:

• Personal and payment info: By default, we show a confirmation prompt for you to confirm before autofilling personal information. This means autofill won’t be triggered without your explicit consent.
• Password logins: By default, LastPass will not autofill on sites where the current domain does not match the domain saved with your vault.  Also, know that if one of your saved logins would be subject to a clickjacking attack, only that credential is at risk, your entire vault contents are protected and cannot be exported.

Additionally, a new background security rule is in progress and will be included in all the upcoming browser extension Version 4.146.6 targeted by August 29, 2025. This security enhancement detects clickjacking tactics that employ zero opacity and will block autofilling when detected on a website.

• Passkeys: If you use passkeys instead of passwords, these are more secure. A passkey is a ‘private key’ in your vault that signs a website authentication request and always remains safely in your vault.  They can only be used for the specific domain on which they were created.  (Note that it is also theoretically possible for a legitimate website to have been compromised by an attacker who has injected malicious code into that site. If this occurs, a user may use a passkey legitimately, but the attacker "piggybacks" on the session to view your account. The passkey itself is not compromised, but account data may be).

*Note, not all variants of clickjacking attacks rely on opacity, so we’re continuing to evaluate broader protections as well. 

Before we get to practical steps for protecting yourself, it’s vital to shine a light on the risks of clickjacking.

Implications of Clickjacking

Potential risks to user privacy and security

Clickjacking comes with three main risks:

• Identity theft: This is the biggest risk of clickjacking. Identity theft shows no signs of waning – there's a victim every 22 seconds, and cases have tripled over the last decade.
• Financial losses: During a clickjacking attack, the hacker can trick you into making fraudulent transactions or authorizing transfers that drain your accounts.
• Privacy violations: One of the most frightening risks of clickjacking is the hijacking of webcams and microphones. In 2019, attackers managed to lure Mac users to a malicious site with embedded iframes. There, the users were tricked into launching Zoom meetings, giving the attackers immediate access to their webcams. Fortunately, the vulnerability (dubbed CVE-2019-13450) has since been patched.

Effects on online payment systems and social media platforms

As can be seen, attackers can leverage clickjacking attacks to redirect payments and steal banking details.

Meanwhile, social media platforms are favorite targets for likejacking, where attackers trick users into liking scam accounts or following accounts they never intended to support.

Meanwhile, software solutions like GuardedID secures browser interactions, so your keystrokes aren’t intercepted. GuardedID’s NoClickjack browser extension protects you on these browsers: Microsoft Edge, Mozilla Firefox, Safari, and Google Chrome.

For server-side solutions, we have frame busting techniques like the frame-ancestors directive in CSPs and X-Frame-Options. 

First, we’ll discuss a Content Security Policy (CSP), which is a Web standard specifying which domains or subdomains can embed elements into a web page. It’s effective against client-side attacks like XSS and clickjacking.

The CSP was created by the World Wide Web Consortium (W3C), the international organization responsible for the technical standards and guidelines that ensure the Web’s continued viability.

As of 2024, the CSP is still in the Working Draft stage; although widely implemented in most modern web browsers, it isn’t yet a finalized W3C Recommendation.

A CSP is generally implemented using an HTTP response header. The header contains one or more directives – these are rules or security instructions defining the types of content a browser can load and the trusted sources from which they can be loaded.

For example, the frame-ancestors directive is particularly effective against clickjacking because it prevents unauthorized third parties from embedding iframes into your webpages.

An example of a CSP with a frame-ancestors directive is frame-ancestors ‘self.’ Here, only the site’s own domain (‘self’) and specific trusted sites can load the page in an iframe.

script-src 'self' js.example.com

• script-src governs JavaScript sources
• ‘self’ means a JavaScript script can be downloaded from the same origin as the current page. So, if your page is at https://example.com, then the same origin would be https://example.com
• js.example.com specifies an extra source from which scripts can be loaded. 

Meanwhile, frame-ancestors ‘none’ prevents all iframes from being embedded in a web page.

Utilizing X-Frame-Options Response Headers

The X-Frame-Options HTTP response header is an older directive which tells your browser how to handle iframe embedding. 

The X-Frame-Options (obsoleted by the frame-ancestors directive) provides three security instructions:

DENY: The page can’t be displayed in an iframe, no matter where the request originates.

SAMEORIGIN: The page can be displayed in an iframe, but only by requests from the same domain.

Auto filling for passwords

The ease and security of Autofill is yours to enjoy with a LastPass subscription. 

Here are four (4) more easy steps to stay safe:

• Lock your vault when not in use to ensure that autofill features are completely inaccessible.
• Always exercise caution when visiting any website. Malicious or compromised pages are built to accelerate your engagement with them.
• Turn off autofill for all sites if you want maximum control. Or you can choose to disable it only for select sites. Note, however, that disabling autofill entirely may reduce convenience and increase the risk of password reuse or phishing.
• Use “Never URLs” for your most sensitive sites. This prevents LastPass from offering to fill credentials on those domains.

MFA integration

At LastPass, our FIDO2 MFA options are your secure defense against identity theft. Even if attackers somehow manage to access your login credentials, they’ll still need to bypass the cryptographically secured process that involves you and your device or other second authentication factor.

With LastPass, you get superior protection with your choice of push notifications and TOTP, passkeys or hardware security keys like YubiKey.

Dark web monitoring