Clickjacking: What Is It, and How Can You Avoid It?

Dann Albright 26-05-2016

When it comes to ways that hackers and malware distributors gain access to your computer, there are some things that get talked about a lot: social engineering, SQL injection, DDoS attacks, and so on. But one attack that doesn’t get talked about as much, and that’s just as nefarious as the others, is clickjacking.

Clickjacking is difficult to detect, can affect just about anyone, and is spread across a wide variety of operating systems and applications. Here’s what you need to know about clickjacking, including what it is, where you’ll see it, and how to protect yourself against it.

What Is Clickjacking?

As you might have gathered from the name, clickjacking is the process of hijacking a user’s click on a computer (it can also be used to hijack keystrokes, but “keystrokejacking” is a whole lot harder to say). There are a number of ways that this process can take place, but they all have one thing in common: a user thinks they’re clicking on one thing, when in reality, they’re clicking on something else.

Many clickjacking attacks include a transparent user interface placed over another interface that the user is expecting to see (which is why “UI redressing” is another name for this method). Then, when that user thinks they’re clicking on something, they’re actually clicking on something else that they can’t see. You might think you’re clicking on a link that will sign you up for a cool newsletter, when you’re actually clicking a button that gives a cybercriminal access to your email account, for example.

Another type of attack changes the actual position of the user’s cursor, but leaves the display untouched, so that the cursor looks like it’s in one place, but is actually in another. Sounds like it would just be a big annoyance, but it can be used to get people to click on things that give away sensitive information.

Some other creative attacks fall under the umbrella of clickjacking, too. For example, a recent attack used a piece of malware to redirect users’ searches on Bing, Google, and Yahoo to customized (and fraudulent) results pages that were full of Google-AdSense-powered ads. Users would click on the ads, thinking they were legitimate search results, and the attackers would get paid.

Some people even include social-engineering-type attacks in clickjacking; for example, back in 2009, a tweet was going around Twitter that said “Don’t Click” and included a link. Whenever someone clicked on the link, the same thing would be tweeted from their account. Similar techniques have been used to spread money-generating links on Facebook.

Clickjacking isn’t just limited to websites and apps in which users have a mouse, though; it can also happen on mobile devices. One recent example is Android.Lockdroid.E, a piece of Android ransomware that used clickjacking (or “touchjacking,” if you prefer) to gain administrative rights to the target device. And we’ve recently heard about the Accessibility Clickjacking vulnerability on Android smartphones and tablets.

What You Can Do to Prevent Clickjacking

Unfortunately, there’s not a whole lot you can do to prevent clickjacking unless you’re a website administrator. By far the most commonly recommended method of protecting yourself while you’re browsing is to use NoScript, the Firefox add-on that prevents scripts from loading without specific authorization from you. NoScript has some specifically anti-clickjacking features, and is really good at detecting the kinds of scripts that create transparent overlays on websites.

Any similar extensions that you can use to prevent scripts or apps from loading will also provide some protection.

The best defenses against clickjacking, however, need to come from site admins. Many of the defenses are rather technical, and if you want to find out exactly how to implement them, I recommend checking out the Clickjacking Defense Cheat Sheet from OWASP.

One of the best ways to prevent clickjacking on your site is to include an X-Frame-Options HTTP header that prevents your site’s content from being loaded in a frame (<frame> tag) or iframe (<iframe> tag). Because these are often used as attack vectors, not just for clickjacking but for other threats as well, this is an effective way of mitigating the threat.
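As an added example (not from the article or from OWASP), here is a small JavaScript helper that builds the anti-framing headers a site should send and audits a response's header map to report whether the page can still be framed; the header-map shape and the function names are assumptions of mine, and the audit also covers the CSP frame-ancestors directive, which the article does not mention.

```javascript
// Added example, not part of the original article. The header map shape
// ({ "Header-Name": "value" }) and the function names are assumptions.

// Build the anti-framing headers for a page: X-Frame-Options is the legacy
// header, CSP frame-ancestors its successor. Sending both covers old and new
// browsers. With no allowed origins the page may never be framed.
function antiFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'none'",
    };
  }
  // X-Frame-Options cannot carry an allow-list (ALLOW-FROM is obsolete), so it
  // falls back to SAMEORIGIN while CSP expresses the exact set of framers.
  return {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": `frame-ancestors 'self' ${allowedOrigins.join(" ")}`,
  };
}

// Audit a response's headers: is the page protected against being framed?
// Header names are matched case-insensitively, as HTTP requires.
function assessFrameProtection(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)])
  );
  const reasons = [];

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  const xfoOk = xfo === "DENY" || xfo === "SAMEORIGIN";
  if (!xfo) reasons.push("missing X-Frame-Options");
  else if (!xfoOk) reasons.push(`unsupported X-Frame-Options value: ${xfo}`);

  const csp = h["content-security-policy"] || "";
  const directive = csp.split(";").map((d) => d.trim()).find((d) => d.startsWith("frame-ancestors"));
  let cspOk = null; // null: no frame-ancestors directive, so CSP says nothing about framing
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    // "*" or a bare scheme such as "https:" lets any site on that scheme frame the page.
    cspOk = !sources.includes("*") && !sources.some((s) => /^https?:$/i.test(s));
    if (!cspOk) reasons.push(`frame-ancestors allows any origin: ${directive}`);
  } else {
    reasons.push("CSP has no frame-ancestors directive");
  }

  // Browsers that support frame-ancestors ignore X-Frame-Options when both are
  // present, so a permissive CSP defeats a strict X-Frame-Options header.
  return { protected: cspOk === null ? xfoOk : cspOk, reasons };
}
```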

Preventing cross-site scripting (XSS) will also help reduce the chances of a clickjacking attack on a site. Because XSS is also used for other attacks, it’s a good idea to protect against it anyway.

To minimize the likelihood of a clickjacking attack on your mobile device, you may want to restrict yourself to only downloading apps from trusted sources, like the Apple App Store or the Google Play Store. While this isn’t a guarantee that you’ll be free from attacks, these apps are considerably less likely to include malicious code than those you get from a third-party source.

You can also avoid using in-app browsers, as this is a common place for touchjacking attacks to occur. Set the default behavior for link-opening in your apps to open in the system browser, instead of the in-app browser, and you’ll eliminate one more potential weakness in your defense.

A Real Threat

As mentioned before, clickjacking sounds like more of an annoyance than a real threat to your security, but if it’s used effectively, it can help attackers steal some very important information or gain access to your online accounts, where they could do serious damage.

And while most of the defense has to come from behind the scenes, you can use script-blocking extensions to prevent most of these attacks — if you’re okay with using these kinds of add-ons, as they’re a bit controversial.

Do you know of any examples of large-scale clickjacking attacks, or have you been the victim of one of these attacks? Do you use NoScript or deploy any defenses on your own website? Share your thoughts below!

Image credit: Mozilla.


  1. 8ctopus
    April 22, 2020 at 4:24 am

    Great article which makes it immediately clear what clickjacking actually is.


  3. Lakes
    May 30, 2016 at 11:05 pm

    @ Dann Here is a screen capture of the warning I get when clicking on the embedded YouTube video here.
    Always get this on any video embedded here.

  4. Lakes
    May 29, 2016 at 4:53 am

    I have NoScript installed, and clicking on an embedded YouTube video here gives me a clickjack warning!! :)

    I click on the "sharelink" url instead.

    (I had to enable scripts to post this comment.)

    • Dann Albright
      May 30, 2016 at 1:41 pm

      Really? That's strange . . . I haven't seen any warnings like that when I've been looking through the article. Does it still say that?

  5. Anonymous
    May 29, 2016 at 12:19 am

    I think I may have had this happen in the Google Search Results.

    It usually happens in relation to searching for a product that might be on eBay. A search result link is provided to look like eBay. The funny part is that when you click the link it always shows a page of jewelry on an eBay like page. I've never searched for jewelry when this search result is presented but I get this same page over and over using Google Search results for different items.

    I'm not sure if it's something messing with my eBay account, similar to when people used to change your home page in your browser and you'd scratch your head for a couple days and then realize that something had changed your browser's settings. Or is it a manipulated search result?

    Any ideas on identifying the problem next time it happens?

    • Dann Albright
      May 30, 2016 at 1:41 pm

      Hm, that's weird. It definitely could be a clickjacking attack; some malware can present you with fake Google results pages, so you could have a case of that. My best advice is to run a full virus scan and use Malwarebytes' anti-malware package to see if you're infected with anything.

      • Anonymous
        May 30, 2016 at 11:58 pm

        I'll give it a shot and see if anything gets uncovered.

  6. Yash Saradva
    May 27, 2016 at 2:46 pm

    Thanks for sharing a valuable topic of hacking. I was unaware of it. Now I will tell my friends about this topic.

    • Dann Albright
      May 30, 2016 at 1:40 pm

      You're welcome! I think a lot of people don't know about it, but it can be a pretty annoying attack vector. Spread the word!

  7. Robert
    May 27, 2016 at 5:03 am

    You piece of shit. Go and find something meaningful to do!

    • Anonymous
      May 27, 2016 at 10:55 am

      With A Little More Tweaking, The Comments Automatic Moderator Trigger, Already In Place, Could Avoid This Specific Scum.

      The New Few Rules Would Be Simple To Implement, And A MUO Editor Is Aware Of Them, Already.

      Lets Hope The Tweaking Does Not Take Too Long.

  8. Fritz
    May 26, 2016 at 10:46 pm

    Sally you are a piece of garbage for laying your stupid ad in here.

  9. me
    May 26, 2016 at 2:29 pm

    ublock origin