Clickjacking Attacks Unresolved
- david's blog
Clickjacking attacks were originally described by Robert Hansen and Jeremiah Grossman in 2008. In these attacks, the attacker tricks the user into interacting with a malicious web page, but routes the user’s input to another web page, where it results in undesirable consequences. A commonly used technique is to embed the targeted web page in a completely transparent IFRAME and lure the user into clicking on it unintentionally. The current solution for web pages to protect themselves is to opt out of being framed, using either JavaScript framekillers or the browser-enforced X-Frame-Options header. However, popular web applications nowadays provide widgets (or social plugins, e.g. Facebook Like buttons) that are designed to be embedded by third-party websites. It should be noted that these solutions do not offer any protection for such widgets.
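The following Python sketch is an added example, not code from the white paper or the original post. It classifies responses by their X-Frame-Options header and shows why the header cannot help a widget that must remain embeddable; the paths, header sets and the `embeddable` flag are constructed for illustration.

```python
# Added example: audit constructed HTTP responses for framing protection.

def xfo_policy(headers):
    """Classify one response's X-Frame-Options header.

    Returns 'deny', 'sameorigin', 'absent', or 'not-enforced'
    (present, but not exactly one valid directive).
    """
    raw = None
    for name, value in headers.items():      # header names are case-insensitive
        if name.lower() == "x-frame-options":
            raw = value
    if raw is None:
        return "absent"
    # A repeated header usually reaches the application comma-joined.
    values = {v.strip().lower() for v in raw.split(",") if v.strip()}
    if values == {"deny"}:
        return "deny"
    if values == {"sameorigin"}:
        return "sameorigin"
    # ALLOW-FROM is obsolete and ignored by current browsers; typos and
    # mixed directives are reported too, so they get fixed, not trusted.
    return "not-enforced"


def audit(responses):
    """Map each path to a finding. `embeddable` marks endpoints that are
    meant to be framed by third-party sites (widgets, social plugins)."""
    report = {}
    for path, headers, embeddable in responses:
        policy = xfo_policy(headers)
        opted_out = policy in ("deny", "sameorigin")
        if embeddable:
            # A widget cannot opt out of framing without breaking itself.
            report[path] = "widget-broken" if opted_out else "framable-by-design"
        else:
            report[path] = "protected" if opted_out else "exposed"
    return report


# Constructed sample responses: (path, response headers, embeddable?)
SAMPLE = [
    ("/account/settings", {"X-Frame-Options": "DENY"}, False),
    ("/transfer", {"Content-Type": "text/html"}, False),
    ("/oauth/authorize",
     {"x-frame-options": "ALLOW-FROM https://partner.example"}, False),
    ("/widgets/like-button", {"Content-Type": "text/html"}, True),
]

if __name__ == "__main__":
    for path, finding in audit(SAMPLE).items():
        print(f"{finding:20} {path}")
```

Endpoints reported as `framable-by-design` are the ones the header cannot cover, so they need a defense that does not depend on refusing to be framed.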
We would like to share a white paper on our ongoing clickjacking research and some demos by CyLab researchers David Huang and Collin Jackson at Carnegie Mellon Silicon Valley. In our white paper, we describe a practical de-anonymization attack on social network users, based on Likejacking. We also introduce a new type of click timing attack called double-clickjacking that can bypass current defenses and steal the user’s data from popular OAuth service providers. We would like to make clear that IFRAME-based defenses are ineffective. Moreover, clickjacking is not all about IFRAMEs.
White paper: Clickjacking Attacks Unresolved



