What Is Clickjacking And How Do I Protect Myself?

There should be an image here!Q: What exactly is clickjacking and how do I protect myself from it? — Joan

A: Clickjacking is a malicious Web coding technique that presents visitors with buttons or items to click that actually do something different than what is being presented (click + hijacking).

There is literally an invisible layer of code that determines what will actually happen when you click on the visible buttons that are generally represented as common ‘submit,’ ‘click here,’ or even ‘cancel’ buttons.

Essentially, a clickjacking page tricks a user into performing undesired actions by clicking on a concealed link.

There are two technical ways for malicious sites to trick you via a clickjacking exploit.

JavaScript and Flash are Web coding systems that are very common across the Internet and both can be exploited to trick folks into clicking on something that will do something entirely different.

Clickjacking is not an operating system specific exploit, but a browser-based attack so it impacts Windows, Mac, and Linux users the same.

JavaScript is used by many Web sites for legitimate purposes, so disabling it in your browser will bypass clickjacking attempts but it isn’t very practical if you want the functionality that many Web sites offer (like site search, Web forms, etc.)

Having a tool that allows you to decide which sites can run JavaScript and which ones can’t is the best combination of protection and functionality at the moment.

The best tool for protecting yourself from rogue scripts is called NoScript and is a free add-in for Mozilla’s Firefox browser (not available for Internet Explorer or Google’s Chrome browser as of yet).

NoScript is a tool that basically stops all scripts from running until you say it’s OK to run them, so in the early stages of installing this tool, you will have to approve the running of scripts on every Web site that you visit in order to make full use of each site.

For instance, the first time you go to your bank’s Web site, you would click on the “Options” button in the NoScript toolbar that will appear at the bottom and then select Allow “banksite.com” to tell the program that it is OK to run scripts from this site from now on.

If you visit a site that you are not sure about, you can tell NoScript to temporarily allow scripts to run, which means that the next time you visit this particular site, the scripts will still be blocked.

Over time, you will have a customized NoScript filter based on the setting for each site that you regularly visit so it becomes more transparent.

If you decide to use this tool, you’ll have to remember that certain parts of any given Web site may not work properly until you tell NoScripts to allow them, because the scripts that normally run in the background will be blocked.

The other exploit involving clickjacking has to do with Adobe’s Flash Player software that is used to deliver animation and video on millions of sites. It’s possible for a malware author to create a Flash game that prompts you to click on items as they appear on the screen, but in the background you are authorizing the remote system to access your Webcam and microphone!

There are two ways to avoid being victimized by this exploit. The first is to make sure you have the latest version of Adobe’s Flash Player by going directly to Adobe’s site and manually downloading it.

The second is to make sure that you tell the Flash Player to Always Deny access to your Web cam & microphone by any of the Web sites that you visit. This can be set up by going to the online Global Privacy Settings panel located here (and remember, if you have NoScript running, you will have to allow the Macromedia.com Web site to run scripts or you won’t see the control panel).

Ken Colburn
Data Doctors Computer Services
Data Doctors Data Recovery Labs
Data Doctors Franchise Systems, Inc.
Weekly video tech contributor to CNN.com
Host of the award-winning “Computer Corner” radio show