The recent Facebook clickjacking attack got a lot of publicity, but is clickjacking really a threat that IT security...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
teams have to worry about?
The recent Facebook clickjacking attack from June 2010 did get a lot of publicity and was reported to have infected hundreds of thousands of Facebook users. The more general clickjacking attacks also got significant attention when Jeremiah Grossman and Robert "RSnake" Hansen disclosed them in 2008. The attack worked because Facebook users clicked on links from Facebook that took them to an external website, where they were asked to "like" the website by clicking on a link, which would download and infect their systems with the malware. This would then post the malicious link to the user's Facebook profile, potentially enticing other Facebook users to click on it as well. The malicious external website used an invisible iframe on the webpage so that, when the Facebook user "liked" the website, he or she download the malware by clicking anywhere in the webpage.
Enterprise computers with up-to-date Web browsers are not at significant risk from this sort of clickjacking malware, given that a defense-in-depth strategy, including not having users log in with elevated access, should be used on client computers, preventing a malicious webpage from fully compromising the machine. Unfortunately though, the clickjacking attack could be used in combination with other exploits to bypass the security in place and wreak havoc on a system, depending on what defense-in-depth measures are in place. Current versions of Internet Explorer and Firefox both have protections in place now to prevent clickjacking attacks, but the underlying security vulnerability is complex and may not be completely patched in all browsers and websites.
Danger of Android clickjacking attacks addressed in new research
Dig Deeper on Social media security risks and real-time communication security
Related Q&A from Nick Lewis
IP devices like multifunction printers and faxes may be an attack vector. Expert Nick Lewis explains the vulnerabilities, and how to secure them ...continue reading
AceDeceiver is a Trojan that can install itself on iOS devices without any certificates. Expert Nick Lewis explains how it works, and how enterprises...continue reading
USB Thief, a new type of stealth malware, leaves no trace on air-gapped targets. Expert Nick Lewis explains how the malware works and how enterprises...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.