Computer Help Forums  
     

Oct-18-2008   #1
Alan
A Look At ClickJacking

There’s a nasty new security threat making waves on the web. Actually, clickjacking, as this attack is known, isn’t entirely new, but because no one has yet come up with an effective solution, it remains a serious threat. And clickjacking is the worst sort of security risk — it’s transparent to the unwitting user, simple to implement and difficult to stop.

The basic idea is that an attacker loads the content of an external site into the site you’re visiting, sets the external content to be invisible and then overlays the page you’re looking at. When you click a link you see on the current page, you are in fact clicking on the externally loaded page and about to load pretty much whatever the attacker wants.

To complicate matters, clickjacking is also a really cool, potentially effective user design tool. For an example of a benign case of clickjacking, consider the NoScript website, which uses the technique for positive ends.

NoScript is a Firefox plugin that stops JavaScript from running in your browser. The plugin is available through the Firefox add-ons site or through developer Giorgio Maone’s dedicated site. Now, as Firefox users know, when you try to load an add-on through a third-party site, the browser will block the attempt and show you a warning.

In the case of Maone’s site, it means an extra step is required for users to install the NoScript plugin. So Maone simply loads the Firefox add-on page in an iFrame, sets the content of the iFrame to visible:0 and then positions the frame over his own download button. The result is that while the user thinks they are clicking the download button on the current page, they are in fact clicking the download button from the Firefox add-ons page.

Because the Firefox add-ons page is a trusted source, Firefox doesn’t block the download, and users are able to get the plugin installed in a single click. While you could argue that this is still somewhat sneaky, it does make for a better UI experience on Maone’s site.

Read the full article here.

Help us to help you!
Be specific with your problem and tell us your machine's specs.
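
A defender's check for the invisible-frame overlay described in the post, as an added example that is not part of the original post: it classifies who may frame a response from its `X-Frame-Options` and CSP `frame-ancestors` headers, neither of which the post mentions. The function names and the sample header sets are constructed for illustration.

```javascript
// Added example: classify who may frame a response, from its headers.
// Assumption: `headers` is a plain object keyed by lower-case header name.

// Return the frame-ancestors source list from a CSP value, or null if absent.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function framingPolicy(headers) {
  const csp = headers['content-security-policy'];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors !== null) {
    // When frame-ancestors is present, browsers apply it instead of X-Frame-Options.
    const only = (v) => ancestors.length === 1 && ancestors[0] === v;
    if (ancestors.length === 0 || only("'none'")) return { framable: 'none', via: 'csp' };
    if (ancestors.some((s) => ['*', 'http:', 'https:'].includes(s))) {
      return { framable: 'any', via: 'csp' };
    }
    if (only("'self'")) return { framable: 'same-origin', via: 'csp' };
    return { framable: 'listed', via: 'csp' };
  }
  const xfo = (headers['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return { framable: 'none', via: 'x-frame-options' };
  if (xfo === 'sameorigin') return { framable: 'same-origin', via: 'x-frame-options' };
  // Header missing, obsolete ALLOW-FROM, or unrecognised: any site can frame the page.
  return { framable: 'any', via: 'none' };
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  'no headers': {},
  'xfo deny': { 'x-frame-options': 'DENY' },
  'csp self': { 'content-security-policy': "default-src 'self'; frame-ancestors 'self'" },
  'csp wins': { 'x-frame-options': 'DENY', 'content-security-policy': 'frame-ancestors https://partner.example' },
  'allow-from': { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const { framable, via } = framingPolicy(headers);
  console.log(`${name}: framable=${framable} (decided by ${via})`);
}
```

A result of `framable=any` means the page can be loaded invisibly inside another site's frame, which is the precondition for the overlay the post describes.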
