Jul 07

Clickjacking is one of the newer browser-based security threats facing website owners and their visitors.  The key term here is browser-based: the attack works through the browser itself rather than through a flaw in the operating system, so it can affect users on any platform, and not even Mac and Linux users are immune.  Clickjacking uses CSS and iframes to load a legitimate page inside a frame, make that frame transparent, and position it over visible decoy content such as a link or button.  While the technical details can be somewhat confusing, the concept is quite simple – trick the user into clicking on something other than what they believe they are clicking on.  The user sees an innocent-looking button on the attacker's page, but the click lands on a real button from a legitimate site, carried out with whatever session the user already has there.  The most disturbing part of it all is that the site being clicked behind the scenes can be your financial institution's, and you can be victimized while logged in to it.

Click Jacking in Action

Clickjacking is a damaging threat that needs to be taken very seriously, and security researchers have been demonstrating how unsuspecting users can be compromised.  In one example, a simple web-based game was used to turn on the user's webcam and microphone and transmit audio and video without the usual permission warning ever being visible.  Instead, the user's clicks on the game were hijacked to approve camera and microphone access in a Flash permission dialog framed invisibly beneath it, without the user's knowledge or consent.  Aside from manipulating Flash, clickjacking can be used against ordinary web pages as well.  Because the framed page loads in the victim's own browser, it is sent with the victim's cookies, so an attacker can drive anything the end user is currently logged in to.  For example, they could tamper with your MySpace profile, change your router's settings through its web administration page, or submit actions on your online banking site.  The limitation of this attack is that it is restricted to actions that can be performed through clicking; the attacker cannot read what is inside the frame.  In the new age of web applications, that is still a considerable amount of power.

Protection Against Click Jacking

Website and server administrators can stop clickjacking from the server side, by refusing to let their pages be rendered inside a frame (frame-busting JavaScript, or the X-Frame-Options response header that newer browsers honor).  End users have to take other precautions.  As of now, one of the best end-user defenses is the Firefox add-on NoScript.  This JavaScript/Flash blocker is able to provide adequate protection when configured properly.  Unfortunately, the default configuration provides little to no protection against clickjacking and leaves you exposed on sites you have given permission to use iframes.  To configure the add-on, click the NoScript icon in your Firefox browser, open its options, navigate to the “Plugins” tab and check the “Forbid iFrame” option.  This will keep iframes blocked on every site you have not whitelisted as safe.
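The two server-side defenses mentioned above, shown as an added example that is not code from the original post.  The first function models how a browser applies an X-Frame-Options header (DENY, SAMEORIGIN, ALLOW-FROM) so a developer can see which framing situations a given value actually blocks; the second is a response-header audit that flags the missing or misspelled header a browser would silently ignore; the third is the legacy frame-busting script, written against a window-like object passed in as a parameter so it can be exercised outside a browser.  All function names, the mock window shape, and the origins used are assumptions made for this example.

```javascript
// Added example (not from the original post): modelling clickjacking defences.
// Origins such as https://bank.example are constructed for illustration.

// Normalise an origin string so scheme/host comparisons are case-insensitive.
// Returns null for anything that is not a parseable URL.
function normalizeOrigin(origin) {
  try {
    return new URL(origin).origin;
  } catch (e) {
    return null;
  }
}

// Model of how a browser decides whether a page served with the given
// X-Frame-Options value may be rendered inside a frame whose top-level
// document has origin `topOrigin`. `pageOrigin` is the framed page's origin.
// Returns true when the browser would render the frame, false when it refuses.
function evaluateXFrameOptions(headerValue, pageOrigin, topOrigin) {
  if (headerValue === undefined || headerValue === null) return true; // no header: framing allowed
  const value = headerValue.trim();
  const keyword = value.toUpperCase();
  if (keyword === 'DENY') return false;
  if (keyword === 'SAMEORIGIN') {
    return normalizeOrigin(pageOrigin) === normalizeOrigin(topOrigin);
  }
  if (keyword.startsWith('ALLOW-FROM ')) {
    const allowed = value.slice('ALLOW-FROM '.length).trim();
    return normalizeOrigin(allowed) !== null &&
           normalizeOrigin(allowed) === normalizeOrigin(topOrigin);
  }
  // Unrecognised value: browsers ignore the header, which means the page is framed.
  return true;
}

// Server-side audit of a response's headers (object keyed by lower-cased name).
// Returns 'missing', 'invalid' (a typo the browser will ignore) or 'ok'.
function auditFrameHeaders(headers) {
  const xfo = headers['x-frame-options'];
  if (xfo === undefined) return 'missing';
  const keyword = xfo.trim().toUpperCase();
  if (keyword === 'DENY' || keyword === 'SAMEORIGIN' || keyword.startsWith('ALLOW-FROM ')) {
    return 'ok';
  }
  return 'invalid';
}

// Legacy client-side frame busting for browsers without X-Frame-Options support.
// `win` is a window-like object: { self, top, location }. When the page is
// framed (self !== top) it navigates the top-level window to its own URL,
// breaking out of the attacker's page. Returns true if a bust was attempted.
function frameBust(win) {
  if (win.self === win.top) return false;
  win.top.location.href = win.self.location.href;
  return true;
}

module.exports = { normalizeOrigin, evaluateXFrameOptions, auditFrameHeaders, frameBust };
```

Frame-busting script is the weaker of the two: it runs only if the attacker's page lets the framed page's JavaScript execute, and several ways of suppressing the top-level navigation are known, so the header is the defense to rely on and the script is a fallback for browsers that do not understand it.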

Researchers and security experts expect Flash and browser updates to be released that address the growing problem of clickjacking.  Until then, it would be wise to use Firefox equipped with the NoScript add-on for your online banking.  If Mac OS X Leopard is your operating system, you could also use the Fluid app to create a site-specific browser dedicated to your banking site, so that your banking session lives in a separate browser that never visits other sites.
