Hijacked, No – Clickjacked!

I was reading an article by Robert Hansen and Jeremiah Grossman on clickjacking. The name sounds like hijacking, and it is more or less the same idea. I had heard of it before but did not know how much harm it can do.

So, what's clickjacking? It's hijacking your mouse click for malicious purposes. It's done by loading a critical web page containing confidential information in an invisible frame in front of a page created by the cracker. So, when you are just playing or clicking a button you see on the web page, you could actually be pressing another, hidden button that does much more harm: deleting your mails, emptying your bank account, or even monitoring you through your own webcam and microphone.

How is it done?

Let's take an example to understand clickjacking. Assume you are viewing your mails in your inbox in one tab of the browser. In the meantime you load the web page of a cracker; call him Crac. Crac's innocent-looking web page contains a script that loads the mail site in an invisible iframe in front of his own page. You press a button on Crac's web page, and what really happens is that you end up clicking the 'delete all mails' button on your mail service. Your mails are gone forever.

Worried about losing your mails, huh? Well, thank God it wasn't your bank's online account, or you would have ended up losing all your money to Crac. Also, if the page had access to a plugin like Adobe Flash (now fixed), it could even spy on you using your own webcam.

Finally, the good news and the bad news. Bad news – you are at the mercy of a malicious cracker, and he can do as much harm to you as he likes until this exploit is fixed. Good news – many organisations like Adobe and Google have come up with frame-busting solutions to protect their services, but their effectiveness is unevaluated.
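Whether a page can be loaded in an attacker's invisible iframe at all depends on the framing headers it sends, so a defender's first check is to evaluate them. The following is an added example, not code from the article or from any of the organisations it names: it reads the `X-Frame-Options` and `Content-Security-Policy` `frame-ancestors` headers of a response (constructed sample headers below) and reports whether a browser honouring them would render the page inside a frame on a given parent origin. The site names are hypothetical, and path-based `frame-ancestors` sources are treated as host matches only.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

def _origin(url):
    """(scheme, host, port) triple that browsers compare for same-origin checks."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)

def _source_matches(src, parent_url, page_url):
    """Does one frame-ancestors source expression allow parent_url as the framer?"""
    src = src.strip().strip("'").lower()
    if src == "none":
        return False
    if src == "self":
        return _origin(parent_url) == _origin(page_url)
    if src == "*":
        return True
    scheme, host, port = _origin(parent_url)
    if src.endswith(":"):                 # scheme-only source such as "https:"
        return scheme == src[:-1]
    s = urlsplit(src if "://" in src else "//" + src)
    if s.scheme and s.scheme != scheme:
        return False
    h = s.hostname or ""
    if h.startswith("*."):                # wildcard matches any subdomain
        if not host.endswith(h[1:]):
            return False
    elif h != host:
        return False
    return not (s.port and s.port != port)

def can_be_framed(headers, page_url, parent_url):
    """True if the response headers let parent_url embed page_url in a frame.
    A CSP frame-ancestors directive takes precedence over X-Frame-Options;
    with neither header present the page is frameable by anyone (the
    situation the clickjacking scenario relies on)."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_source_matches(s, parent_url, page_url) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(parent_url) == _origin(page_url)
    return True

# Constructed sample headers for a hypothetical webmail service.
MAIL_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
    "X-Frame-Options": "DENY",   # ignored by browsers when frame-ancestors is present
}
```

Running `can_be_framed({}, page, "https://crac.example/")` on a response with neither header returns True, which is exactly the exposure the mail example above depends on.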

For more info, read the original paper:

http://www.sectheory.com/clickjacking.htm
