
Clickjacking attacks possible despite framebusting protection

Security researcher demonstrates that clickjacking protection implemented in browsers does not stop all such attacks

The anti-framing protections that websites rely on to stop clickjacking, JavaScript framebusting and the browser-enforced X-Frame-Options header, don't live up to expectations, according to Google security engineer and Web security researcher Michal Zalewski, who released proof-of-concept code to demonstrate it.

"JavaScript allows you to exploit human cognitive abilities to a remarkable extent; tools such as window positioning, history.forward() and history.back() open some scary possibilities that we are completely unprepared to deal with," Zalewski said on his website.

"I wanted to showcase another crude proof-of-concept illustrating why our response to clickjacking -- and the treatment of it as a very narrow challenge specific to mouse clicks and <iframe> tags -- is somewhat short-sighted," he added.

Clickjacking, also known as user interface (UI) redressing, is a type of attack whose purpose is to trick users into performing unauthorized actions by misrepresenting the content displayed in their browsers.

The biggest problem with detecting and blocking clickjacking is that it uses legitimate Web programming techniques to achieve the malicious goal. The most common implementations load the target page in an iframe, use CSS to make that iframe fully transparent, and position it over a decoy element so that a click intended for the decoy actually lands on the hidden page.

The technique has regularly been used in Facebook attacks to trick users into liking spam pages by making the Like button invisible and placing it on top of a button that appeared to do something else.

In order to prevent such attacks, webmasters have long used JavaScript code to block their websites from being loaded in iframes. This type of protection is known as framebusting.
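The framebusting pattern described above, as an added example that is not code from the article or from Zalewski's proof-of-concept. The functions take a window-like object (and, for the hardened variant, a document-like object) as parameters so the logic can be read and exercised outside a browser; in a page they are called with `window` and `document`. Both the legacy one-liner and the hardened "hide until proven top-level" variant from Rydstedt, Bursztein, Boneh and Jackson's "Busting Frame Busting" paper are shown, because the legacy form has well-known bypasses.

```javascript
'use strict';

// Returns true when `win` is rendered inside another document's frame.
// `win.top` itself is readable across origins (only its document and
// location are not), so the identity comparison does not throw; the
// try/catch is defensive in case a hostile environment makes it throw.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Legacy framebuster: navigate the top-level window to ourselves.
// Known weaknesses: the attacker's page can cancel the navigation with an
// onbeforeunload handler, and an <iframe sandbox> without
// allow-top-navigation silently ignores the assignment to top.location
// (and without allow-scripts this code never runs at all).
function legacyFramebust(win) {
  if (!isFramed(win)) return false;
  win.top.location = win.self.location;
  return true;
}

// Hardened variant: the page starts hidden (in a real page the matching
// <style>html{display:none}</style> sits in <head>) and is only revealed once
// the script has confirmed it is the top-level document. If the attacker
// blocks script, the page stays blank, so there is nothing to click on.
function hardenedFramebust(win, doc) {
  doc.documentElement.style.display = 'none';
  if (isFramed(win)) {
    try {
      win.top.location = win.self.location;
    } catch (e) {
      // Navigation refused (e.g. sandboxed frame): remain hidden.
    }
    return 'hidden';
  }
  doc.documentElement.style.display = ''; // restore the stylesheet default
  return 'shown';
}

// Only install when actually running in a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  hardenedFramebust(window, document);
}
```

The hardened form still only protects the page it runs on, and X-Frame-Options (below) remains necessary for browsers or contexts where script does not execute; Zalewski's point is that even the combination addresses only the narrow iframe-plus-click case.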

Over time, browser vendors implemented a special HTTP header called X-Frame-Options that a website can send with a page's response to tell browsers not to load that page into frames on other sites. However, Michal Zalewski believes that this protection is insufficient and has developed a proof-of-concept clickjacking attack to prove it.
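How the X-Frame-Options header (and its modern companion, the Content-Security-Policy frame-ancestors directive) is set and evaluated, as an added example that is not part of the article. `antiFramingHeaders` produces the headers a server should send; `secureHandler` is a hypothetical Node.js request handler (compatible with `http.createServer`) that applies them; `framingDecision` is an assumed checker, useful when auditing responses, that works out whether a page served with given headers may be framed from a given origin. The origins used in the comments are made up.

```javascript
'use strict';

// Headers that stop a page being framed. Both are sent: X-Frame-Options
// for older browsers, frame-ancestors for current ones (which give the CSP
// directive precedence when both are present). X-Frame-Options never had a
// portable allowlist form (ALLOW-FROM was not supported by all browsers),
// so an allowlist of framers must be expressed with frame-ancestors.
function antiFramingHeaders(policy) {
  if (policy === 'deny') {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  if (policy === 'sameorigin') {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  throw new Error('unknown anti-framing policy: ' + policy);
}

// Request handler that refuses framing; pass to http.createServer().
function secureHandler(req, res) {
  for (const [name, value] of Object.entries(antiFramingHeaders('deny'))) {
    res.setHeader(name, value);
  }
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end('<h1>This page refuses to be framed</h1>');
}

// Decides whether a document at framerOrigin may embed the page served from
// pageOrigin with these response headers. Origins are strings such as
// 'https://bank.example'. Simplifications: only the immediate framer is
// checked (browsers check every ancestor), and wildcard or scheme-only
// frame-ancestors sources are not handled.
function framingDecision(headers, pageOrigin, framerOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = value;
  }

  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp
      .split(';')
      .map((s) => s.trim())
      .find((s) => s.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive
        .split(/\s+/)
        .slice(1)
        .map((s) => s.replace(/^'|'$/g, ''));
      if (sources.includes('none')) return 'blocked';
      if (sources.includes('self') && framerOrigin === pageOrigin) return 'allowed';
      return sources.includes(framerOrigin) ? 'allowed' : 'blocked';
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') {
    return framerOrigin === pageOrigin ? 'allowed' : 'blocked';
  }
  // No anti-framing header at all: the page is frameable by anyone,
  // which is the default that makes classic clickjacking work.
  return 'allowed';
}
```

Note that the header must be present on the response of the page being protected, not on the attacker's page, and that it does nothing against the non-iframe variants (window positioning, history tricks) that Zalewski's proof-of-concept targets.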

According to the security researcher, there are other solutions for protecting against a wider scope of clickjacking attacks, but they aren't popular with browser vendors at the moment because they are more complicated.

The popular NoScript security extension for Firefox, through its ClearClick module, is considered good at detecting and blocking clickjacking attacks, but it also has a high false-positive rate. This is not a big issue at the moment, because the add-on is aimed at power users who have enough knowledge to make decisions on their own.

However, implementing something like this directly into a browser that's used by millions of non-technical individuals is not something vendors are likely to do.
