The recent Facebook clickjacking attack got a lot of publicity, but is clickjacking really a threat that IT security teams have to worry about?
The recent Facebook clickjacking attack from June 2010 did get a lot of publicity and was reported to have infected hundreds of thousands of Facebook users. The more general clickjacking attacks also got significant attention when Jeremiah Grossman and Robert "RSnake" Hansen disclosed them in 2008. The attack worked because Facebook users clicked on links from Facebook that took them to an external website, where they were asked to "like" the website by clicking on a link, which would download and infect their systems with the malware. This would then post the malicious link to the user's Facebook profile, potentially enticing other Facebook users to click on it as well. The malicious external website used an invisible iframe on the webpage so that, when the Facebook user "liked" the website, he or she download the malware by clicking anywhere in the webpage.
Enterprise computers with up-to-date Web browsers are not at significant risk from this sort of clickjacking malware, given that a defense-in-depth strategy, including not having users log in with elevated access, should be used on client computers, preventing a malicious webpage from fully compromising the machine. Unfortunately though, the clickjacking attack could be used in combination with other exploits to bypass the security in place and wreak havoc on a system, depending on what defense-in-depth measures are in place. Current versions of Internet Explorer and Firefox both have protections in place now to prevent clickjacking attacks, but the underlying security vulnerability is complex and may not be completely patched in all browsers and websites.
Danger of Android clickjacking attacks addressed in new research
Dig Deeper on Social media security risks
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Island hopping attacks create enterprise risk by threatening their business affiliates. Here's how to create an incident response plan to mitigate ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.