February 12, 2009

What is Clickjacking and how to prevent it?

Clickjacking is a technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

Because of a weakness shared by a variety of browsers and platforms, a clickjacking attack takes the form of embedded code or script that executes without the user's knowledge; for example, a click on what appears to be one button actually triggers a different action.

According to the latest security research, Google Chrome and Firefox are affected. Microsoft says that its newest browser, IE8, is immune to clickjacking, but even this is said to be just a band-aid solution.

So, how do you prevent it? There is no native protection against clickjacking in Firefox, but you can defend against it by installing the NoScript add-on. Its recent update adds a ClearClick feature, which goes a long way toward preventing the attack.

As for IE, the recent release of IE8 RC1 includes a new, partial clickjacking prevention option. It works when a website developer adds a special header to a page, which lets the browser detect and block frame-based UI redressing. Whenever a user visits a framed page carrying that header, the browser shows an error message prompting the user to open the content in a new window, together with a message saying that the content host has chosen not to allow its content to be framed.
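The defense described above, as an added example that is not part of the original post: the header IE8 RC1 introduced for this purpose is X-Frame-Options (the post does not name it), and the later Content-Security-Policy frame-ancestors directive is included as the modern generalization of the same idea. The code models what a site should send and how a browser that honors these headers decides whether a page may be framed. Every URL, origin and policy value below is constructed sample data.

```python
"""Model of the IE8-era anti-framing defense described in the post.

Added example, not code from the original post. X-Frame-Options is the
header IE8 RC1 introduced; the CSP frame-ancestors directive is a later
generalization and is included here because it supersedes the older
header in modern browsers. All origins below are constructed."""

from urllib.parse import urlsplit


def origin_of(url):
    """Return the scheme://host[:port] origin of a URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def anti_framing_headers(policy="deny", allowed_origins=()):
    """Build the response headers a site should send to control framing.

    policy: "deny"       - nobody may frame the page (strongest, default)
            "sameorigin" - only pages from the same origin may frame it
            "allow-from" - only the listed origins may frame it; expressed
                           with CSP only, since X-Frame-Options cannot
                           carry a list of origins
    """
    headers = {}
    if policy == "deny":
        headers["X-Frame-Options"] = "DENY"
        headers["Content-Security-Policy"] = "frame-ancestors 'none'"
    elif policy == "sameorigin":
        headers["X-Frame-Options"] = "SAMEORIGIN"
        headers["Content-Security-Policy"] = "frame-ancestors 'self'"
    elif policy == "allow-from":
        if not allowed_origins:
            raise ValueError("allow-from needs at least one origin")
        sources = " ".join(origin_of(o) for o in allowed_origins)
        headers["Content-Security-Policy"] = "frame-ancestors " + sources
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return headers


def framing_allowed(headers, page_url, framer_url):
    """Decide whether a conforming browser would render page_url inside a
    frame belonging to framer_url, given the page's response headers.

    A frame-ancestors directive, when present, takes precedence over
    X-Frame-Options; with neither header the page can be framed by any
    site, which is the pre-IE8 state the post describes."""
    page_origin = origin_of(page_url)
    framer_origin = origin_of(framer_url)

    csp = headers.get("Content-Security-Policy", "")
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if "none" in sources:
                return False
            if "self" in sources and framer_origin == page_origin:
                return True
            return framer_origin in sources

    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin

    # No anti-framing header at all: any site may frame the page.
    return True


if __name__ == "__main__":
    # Constructed sample: a sensitive page and a lure page on another origin.
    page = "https://bank.example/transfer"
    lure = "https://lure.example/free-prize"
    for policy in ("deny", "sameorigin"):
        hdrs = anti_framing_headers(policy)
        print(policy, hdrs, "framed by lure:", framing_allowed(hdrs, page, lure))
    print("no headers, framed by lure:", framing_allowed({}, page, lure))
```

The decision function is the check a defender would run against a site's actual response headers: a page that returns no framing restriction at all is the one the post's attack applies to, and sending `DENY` (or `frame-ancestors 'none'`) is the fix unless the page genuinely needs to be embedded.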
