The recent Facebook clickjacking attack got a lot of publicity, but is clickjacking really a threat that IT security...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
teams have to worry about?
The recent Facebook clickjacking attack from June 2010 did get a lot of publicity and was reported to have infected hundreds of thousands of Facebook users. The more general clickjacking attacks also got significant attention when Jeremiah Grossman and Robert "RSnake" Hansen disclosed them in 2008. The attack worked because Facebook users clicked on links from Facebook that took them to an external website, where they were asked to "like" the website by clicking on a link, which would download and infect their systems with the malware. This would then post the malicious link to the user's Facebook profile, potentially enticing other Facebook users to click on it as well. The malicious external website used an invisible iframe on the webpage so that, when the Facebook user "liked" the website, he or she download the malware by clicking anywhere in the webpage.
Enterprise computers with up-to-date Web browsers are not at significant risk from this sort of clickjacking malware, given that a defense-in-depth strategy, including not having users log in with elevated access, should be used on client computers, preventing a malicious webpage from fully compromising the machine. Unfortunately though, the clickjacking attack could be used in combination with other exploits to bypass the security in place and wreak havoc on a system, depending on what defense-in-depth measures are in place. Current versions of Internet Explorer and Firefox both have protections in place now to prevent clickjacking attacks, but the underlying security vulnerability is complex and may not be completely patched in all browsers and websites.
Danger of Android clickjacking attacks addressed in new research
Dig Deeper on Social media security risks and real-time communication security
Related Q&A from Nick Lewis
An HTTPS session with a reused nonce is vulnerable to the Forbidden attack. Expert Nick Lewis explains how the attack works, and how to properly ...continue reading
The Irongate malware has been discovered to have similar functionality to Stuxnet. Expert Nick Lewis explains how enterprises can protect their ICS ...continue reading
APT groups have been continuously exploiting a flaw in Microsoft Office, despite it having been patched. Expert Nick Lewis explains how these attacks...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.