How to Protect Yourself From Clickjacking Attacks

Keeping an eye out for an invisible enemy.

Woman's hand at computer mouse
Holger Winkler/Fuse/Getty Images

They can't be seen, they can't be reasoned with, and they want to jack your clicks. Clickjackers have been around since about 2008 but they are getting a lot more press lately thanks to a new wave of Clickjacking attacks perpetrated against Facebook users.

What is Clickjacking?

Clickjacking may sound like the latest underground dance craze, but it's far from it. Clickjacking occurs when a scam artist or other internet-based bad guy places an invisible button or other user interface element over top of a seemingly innocent web page button or interface element using a transparency layer (which you can't see).

The innocent web page might have a button which reads: "Click here to see a video of a fluffy kitty being cute and adorable", but hidden on top of that button is an invisible button that is actually a link to something that you would not otherwise want to click on, such as a button that:

  • Tricks you into changing privacy settings on your Facebook account
  • Tricks you into "liking" something you wouldn't normally like (a.k.a Likejacking)
  • Tricks you into adding yourself as a Twitter follower for someone who doesn't deserve you
  • Tricks you into enabling something on your computer (such as a microphone or camera)
  • Tricks you into running into a crowded theater and shouting "Shih Tzu" at the top of your lungs. (ok, ok, I added this last one just to see if you were still paying attention).

Many times the Clickjacker will load up a legitimate website in a frame and then overlay their invisible buttons on top of the real site.

How Can You Prevent Your Clicks From Being Clickjacked?

1. Update your Internet browser and plug-ins such as Flash

If you haven't updated your browser to the latest and greatest version available, then you are not only missing out on an upgrade that might possibly prevent you from getting Clickjacked, but you are also not taking advantage of the other security updates that are part of newer versions of Firefox, IE, Chrome and other Internet browsers.

Update your browser to to latest possible patch version available. It's also a good idea to check to see if there is a more up-to-date version of your browser than the one you currently have installed.

You should also update browser plug-ins such as Flash because some older versions may be vulnerable to Clickjacking attacks. To update browser plug-ins, visit the website of each plug-in maker and download the latest version. For example, to update flash visit Adobe's Flash site.

For more information on how to keep your computer up to date, check out our article: How to Keep up With The Latest Security Vulnerabilities and Patches

Here are some other great browser security-related articles:

2. Download Clickjacking Detection / Prevention Software

While some Internet browsers offer limited built-in Clickjacking protection, there are several robust Clickjacking detection/prevention plug-ins that are available for browsers such as Firefox. Several of them are even free. Here are a couple of the more widely known and respected ones:

  • NoScript - A free (donation-ware) anti-clickjacking plug-in for Firefox.
  • Comitari Web Protection Suite-Home LE (Limited Edition) - A feature-limited free version of the Comitari Web Protection Suite. The LE version includes Clickjacking protection features.

    Clickjacking prevention is not only the responsibility of the user. Websites and web application developers also have a role in preventing their content from being exploited by Clickjackers

    With better education for users on the dangers of Clickjacking, how to recognize attacks, and what to do about them, coupled with the support of website and web application developers in coding to prevent Clickjacking, maybe the world will be free of Clickjackers one day.