Clickjacking is the mechanism that misleads users when they follow a link to any site; it redirects the user to a malicious webpage. Clickjacking has become very effective. It is often used to spread through the Facebook links to the malicious websites. Recently, these techniques proved their effectiveness to breach the anonymity of website’s visitors. Also, following a sly link may lead to an attacker that will gain an access to the OAuth data. Let us see how it happens.

Classic application of clickjacking - spreading links through the Facebook

The attacker hides the “Like” or “Share” buttons in a transparent iframe in the classic scenario of clickjacking. This iframe is located above the element of page, which should be clicked by the user; also iframe can follow the mouse cursor. When we click on the element it is redirected to the invisible “Like” or “Share” buttons. Such operations are not limited to the Facebook, the attacker only needs to hide the elements of another website in the iframe.

Below is shown a typical message that can be seen in the net of Facebook, if one of our connections were intercepted by clickjacking:



Following the link of a friend, we get to the video website of YouTube. However, we will not see the “Like” buttons that are shown below on a screenshot:



The “Like” buttons are located where the user usually clicks to watch the video: it is in the middle and in the lower left corner of the window. The victim will not see these buttons, because they are in the invisible transparent iframe. When user runs the video, user clicks the “Like” button increasing the popularity of a website on the Facebook.

New variations of clickjacking techniques

Lin-Shung Huang and Collin Jackson have considered more sly variations of clickjacking in their work Clickjacking Attacks Unresolved. For example, they showed how an attacker can identify a user of malicious website by requesting the information from Facebook.

Here is the demo of video that shows the breach of user’s anonymity. The video shows the “Like” button, which follows the cursor of the victim, but a button would be invisible in a real attack. When the user unintentionally clicks this button, the user will become a friend of attacker on the Facebook.

Next a webpage of attacker will find out through FB.Event.subscribe (‘edge.create’ ...) that the victim clicked the “Like” button, and sends a message to the attacker’s server that receives a list of our friends, and it identifies as a new friend. The server requests the public information of user through Facebook Graph API, and it removes the user from the list of friends.

These operations allow an attacker to gain the public information of user including user’s id. The authors of work demonstrate this attack using the Twitter “Follow” button:



Clickjacking and the timing attacks

Huang and Jackson described the click-timing attack that is called a double clickjacking in which the user is redirected to the authorization in OAuth-providers through the attacker’s request. According to the document, this approach works even if the website has taken such measures against the clickjacking with the iframe like X-Frame-Options.

Though an attacker cannot insert the iframe on such websites, the attacker can download the webpage of OAuth in the pop-under window. The pop-under window hides behind the browser window after opening. Since the browsers have been blocking the pop-up windows that are opened without the user’s interaction, this attack requires a large number of clicks to bypass the pop-up blocker.

We should follow the link Clickjacking Attacks Unresolved in order to see the conceptual code of the double clickjacking.

What is next?

Clickjacking caused and continues to cause a lot of damage. Most of the attacks used the spread of malicious links through the Facebook. But this approach can be used for more tricky scenarios. Huang and Jackson gave the recommendations in their work that will let the developers of websites and browsers to reduce risk of clickjacking. However, these techniques are not perfect. Worst of all, we cannot give the practical advice, which will protect the users.