Understanding Clickjacking: Why Most Website Owners Need Not Worry


The other day, a client reached out, concerned about an email they had received that appeared to report a security problem with their website. The sender claimed to be an “Ethical Hacker” involved in “security research.” The subject line was VULNERABILITY REPORT : CLICK JACKING, and it came from a Gmail address: Arslan Kabeer [email protected]

The email began:

Hi team,

I am a security researcher and freelance ethical hacker and I have discovered the vulnerability in your website

Bug type : UI Redressing
Impact : Phishing

Description :
Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

It then contained what the author described as a “proof of concept,” and signed off with:

I hope to receive reward for the responsible disclosure of the vulnerability

waiting for your response

Best Regards
White HaT

Wait a minute….

Understanding Clickjacking: Why Most Website Owners Need Not Worry

Clickjacking, a term that often surfaces in cybersecurity discussions, describes a technique where an attacker tricks a user into clicking on something different from what the user perceives. Typically, the legitimate page is loaded in a transparent frame layered over a decoy page, so that a click aimed at the decoy actually lands on a button or link of the legitimate site. When executed, it can lead to unauthorized actions, such as granting permissions, downloading malware, or divulging sensitive information.

Despite the sinister implications of clickjacking, most website owners don’t need to be overly concerned about it. Here’s why:

Limited Scope and Specific Targets

Clickjacking attacks are often highly targeted. They require substantial effort to design and execute effectively, which means attackers typically reserve these tactics for high-value targets. Banking websites, social media platforms, and other sites where user interactions can lead to significant gain are more likely to be targeted. General informational sites, small business websites, or personal blogs usually do not present lucrative opportunities for attackers. The time and effort required to launch a successful clickjacking attack against these lower-value sites often outweigh the potential benefits for attackers.

Modern Browser Protections

Web browsers have become increasingly consistent in honoring the anti-framing controls a site can send. Every modern browser supports the Content Security Policy (CSP) frame-ancestors directive and the older X-Frame-Options header, both of which let web developers specify whether their pages may be framed by other sites; script-based frame-busting is a fallback from before these headers existed. By setting X-Frame-Options to DENY or SAMEORIGIN, or better still sending a frame-ancestors directive (browsers prefer it when both are present), developers can effectively protect their sites against clickjacking. Given that the majority of internet users are on up-to-date browsers, a site that sends these headers faces a significantly reduced risk of successful clickjacking.

Standard Security Practices

Implementing basic security measures can provide robust protection against clickjacking. Website owners who follow standard security practices—such as using secure HTTP headers (X-Frame-Options and Content-Security-Policy), ensuring regular updates and patches, and utilizing HTTPS—can significantly mitigate the risk of clickjacking. These practices not only help in preventing clickjacking but also protect against a myriad of other web vulnerabilities.

Awareness and User Behavior

With increasing awareness about online security threats, users are becoming more cautious about their online interactions. This heightened awareness contributes to the declining effectiveness of clickjacking attacks. Users are more likely to recognize suspicious behavior, such as unexpected pop-ups or invisible elements on a webpage, and refrain from interacting with them. Additionally, many users now rely on browser extensions and security tools that add another layer of protection against such attacks.

Technological Advancements

The rapid advancement in web technologies and security protocols continuously raises the bar for attackers. Techniques that might have been effective a few years ago are often rendered obsolete by new security measures. For example, advancements in machine learning and AI are being leveraged to detect and respond to suspicious activities in real time, further diminishing the threat of clickjacking. As these technologies become more accessible, even small website owners can benefit from enhanced security without incurring significant costs.

The Cost-Benefit Analysis for Attackers

From an attacker’s perspective, the cost-benefit analysis often discourages clickjacking against most websites. The resources required to research, develop, and execute a clickjacking attack are substantial. When weighed against the potential gains from attacking a low-traffic or low-value site, the return on investment is minimal. Attackers are more likely to focus their efforts on high-reward targets where the potential payoff justifies the investment.

Conclusion

While clickjacking remains a legitimate threat within the broader landscape of web security, it poses a relatively low risk to most website owners. By adhering to standard security practices, leveraging modern browser protections, and staying informed about the latest security trends, website owners can effectively safeguard their sites against this and other web vulnerabilities. The combination of technological advancements, user awareness, and the natural deterrents inherent in the complexity and cost of clickjacking attacks makes it unlikely for most websites to be targeted.

In essence, while vigilance is always recommended, the average website owner can rest assured that clickjacking is not a predominant threat that demands excessive concern or resources. Prioritizing basic security hygiene and staying up-to-date with web security trends will go a long way in ensuring a safe and secure online presence.

However, if you’re still worried, especially after receiving what appears to be a concerning email from a “Security Researcher” and/or “Ethical Hacker,” and you’re running a WordPress website, there is a simple fix.

Open your wp-config.php file and add the following lines inside the existing PHP code, before the line that loads wp-settings.php. Type the quotes as plain straight quotes: curly quotes pasted from a word processor or a web page will cause a PHP parse error.

// 'self' is the site's own origin; the wildcard covers its subdomains.
header("Content-Security-Policy: frame-ancestors 'self' https://*.mywebsitedomain.com");
// Legacy pre-standard spelling of the same header, kept only for very old Firefox.
header("X-Content-Security-Policy: frame-ancestors 'self' https://*.mywebsitedomain.com");
// Fallback for browsers that do not understand frame-ancestors.
header("X-Frame-Options: SAMEORIGIN");

Of course, replace mywebsitedomain.com in the above example with your own domain. The 'self' entry lets the site frame its own pages, which WordPress relies on (the Customizer previews the site in an iframe); without it, a site served from the bare domain rather than a subdomain such as www would not match the wildcard and would block itself.
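A quick way to verify the fix, or to triage a report like the one above, from a captured set of response headers, as an added example that is not part of the original post: it applies the precedence rule browsers use (a CSP frame-ancestors directive wins over X-Frame-Options) and flags the obsolete ALLOW-FROM form. The header values are constructed; on a live site you would feed in the output of curl -sI.

```python
def frame_ancestors(csp: str):
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def xfo_blocks_framing(value: str) -> bool:
    """Mirror the HTML standard's X-Frame-Options check for a cross-origin embedder:
    DENY and SAMEORIGIN block, conflicting values block, and anything else
    (empty, the obsolete ALLOW-FROM, typos) is ignored, leaving the page frameable."""
    values = {v.strip().lower() for v in value.split(",") if v.strip()}
    if len(values) > 1:        # e.g. "DENY, SAMEORIGIN" is treated as a block
        return True
    return bool(values) and values <= {"deny", "sameorigin"}

def assess(headers: dict) -> tuple:
    """Return (protected, reason): can an unrelated origin frame this page?"""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # When frame-ancestors is present, browsers ignore X-Frame-Options entirely.
        if not sources or sources == ["'none'"]:
            return True, "CSP frame-ancestors 'none': no site may frame this page"
        if "*" in sources or any(s in ("http:", "https:") for s in sources):
            return False, "CSP frame-ancestors permits any origin: " + " ".join(sources)
        if "'self'" not in sources and all(s.startswith("https://*.") for s in sources):
            return True, ("CSP frame-ancestors allows subdomains only; if the site lives on "
                          "the bare domain, add 'self' so it can frame its own pages")
        return True, "CSP frame-ancestors restricts framing to: " + " ".join(sources)
    xfo = h.get("x-frame-options")
    if xfo is None:
        return False, "no frame-ancestors and no X-Frame-Options: any site may frame this page"
    if xfo_blocks_framing(xfo):
        return True, "X-Frame-Options " + xfo.strip() + " blocks cross-origin framing"
    return False, "X-Frame-Options value is ignored by browsers: " + xfo.strip()

# Constructed header sets for illustration; none were captured from a real site.
SAMPLES = {
    "after the fix": {"Content-Security-Policy": "frame-ancestors 'self' https://*.mywebsitedomain.com",
                      "X-Frame-Options": "SAMEORIGIN"},
    "no headers": {"Content-Type": "text/html"},
    "obsolete ALLOW-FROM": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "CSP overrides XFO": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        protected, reason = assess(hdrs)
        print(f"{name:20} {'OK  ' if protected else 'RISK'} {reason}")
```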

Need some help? Send us an email – [email protected]
