What is clickjacking and how do I protect myself?


Copyright 2010 Scripps Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.


Posted: 06/04/2010

What exactly is clickjacking and how do I protect myself from it?

Clickjacking is a malicious web coding technique that presents visitors with buttons or items to click that actually do something different from what is shown (the name combines “click” and “hijacking”).

An invisible layer sits on top of the visible page and determines what actually happens when you click, while the buttons you see are typically labelled as ordinary ‘Submit’, ‘Click here’ or even ‘Cancel’ buttons.

Essentially, a clickjacking page tricks a user into performing undesired actions by clicking on a concealed link.
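The column's advice is aimed at the visitor, but the standard defense on the website's side is to refuse to be loaded inside another site's invisible layer (a frame). The following is an added example, not code from the column, that audits a response's headers for the two controls browsers honour for this, `X-Frame-Options` and the Content-Security-Policy `frame-ancestors` directive; the header samples are constructed.

```javascript
// Audit an HTTP response for anti-clickjacking (anti-framing) headers.
// Input: a plain object of header names to values, as fetch() or a proxy
// log would give you. Header names are matched case-insensitively.

function parseFrameAncestors(csp) {
  // A CSP value is a ';'-separated list of directives; return the source
  // list of frame-ancestors with CSP quoting stripped, or null if absent.
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map(s => s.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function framingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // Browsers that understand frame-ancestors give it precedence over
  // X-Frame-Options, so evaluate it first.
  const csp = h['content-security-policy'];
  if (csp) {
    const sources = parseFrameAncestors(csp);
    if (sources) {
      // 'none' blocks all framing; a wildcard allows any site to frame the page;
      // 'self' or an explicit origin list restricts framing to those origins.
      const open = sources.includes('*');
      return { protected: !open, by: 'csp', sources };
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    // Only DENY and SAMEORIGIN are honoured; the old ALLOW-FROM form is
    // ignored by current browsers, so it is treated as no protection.
    const ok = value === 'DENY' || value === 'SAMEORIGIN';
    return { protected: ok, by: 'x-frame-options', value };
  }

  return { protected: false, by: null };
}

// Constructed sample responses for demonstration.
const SAMPLES = {
  bank:   { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
            'X-Frame-Options': 'DENY' },
  legacy: { 'X-Frame-Options': 'SAMEORIGIN' },
  stale:  { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  weak:   { 'Content-Security-Policy': 'frame-ancestors *' },
  open:   { 'Content-Type': 'text/html' },
};
```

Run it against the headers a site actually returns; a page that returns neither header, or only the obsolete `ALLOW-FROM` form, can be framed by any site.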

There are two technical ways for malicious sites to trick you via a clickjacking exploit.

JavaScript and Flash are both widely used web technologies, and both can be abused to trick people into clicking on something that does something entirely different from what it appears to do.

Clickjacking is not an operating-system-specific exploit but a browser-based attack, so it affects Windows, Mac and Linux users equally.

JavaScript is used by many websites for legitimate purposes, so disabling it in your browser will block clickjacking attempts, but it isn’t very practical if you want the functionality that many websites offer (like site search, web forms, etc.).

Having a tool that allows you to decide which sites can run JavaScript and which ones can’t is the best combination of protection and functionality at the moment.

The best tool for protecting yourself from rogue scripts is called NoScript ( http://noscript.net/getit ), a free add-on for Mozilla’s Firefox browser (not available for Internet Explorer or Google’s Chrome browser as of yet).

NoScript is a tool that basically stops all scripts from running until you say it’s OK to run them, so in the early stages of installing this tool, you will have to approve the running of scripts on every website that you visit in order to make full use of each site.

For instance, the first time you go to your bank’s website, you would click on the “Options” button in the NoScript toolbar that will appear at the bottom and then select Allow “banksite.com” to tell the program that it is OK to run scripts from this site from now on.

If you visit a site that you are not sure about, you can tell NoScript to temporarily allow scripts to run, which means that the next time you visit this particular site, the scripts will still be blocked.

Over time, you will have a customized NoScript filter based on the setting for each site that you regularly visit, so it becomes less intrusive.

If you decide to use this tool, YOU’LL HAVE TO REMEMBER THAT CERTAIN PARTS OF ANY GIVEN WEBSITE MAY NOT WORK PROPERLY until you tell NoScript to allow them, because the scripts that normally run in the background will be blocked.

The other exploit involving clickjacking has to do with Adobe’s Flash Player software that is used to deliver animation and video on millions of sites. It’s possible for a malware author to create a Flash game that prompts you to click on items as they appear on the screen, but in the background you are authorizing the remote system to access your webcam and microphone!

There are two ways to avoid being victimized by this exploit. The first is to make sure you have the latest version of Adobe’s Flash Player by going directly to Adobe’s site and manually downloading it: http://get.adobe.com/flashplayer

The second is to make sure that you tell the Flash Player to Always Deny access to your webcam and microphone by any of the websites that you visit. This can be set up by going to the online Global Privacy Settings panel located here: http://bit.ly/dsQsBp (and remember, if you have NoScript running, you will have to allow the Macromedia.com website to run scripts or you won’t see the control panel).