How do I protect myself from clickjacking attacks?

Question

I've seen many friends getting clickjacked on Facebook and similar sites.

How does one detect and prevent clickjacking? How should I teach my friends to do the same?

Answer 1

First and foremost, your web browser must be kept updated. So are your plugins and plugin-related applications, especially Java and Flash.

Secondly, it's very recommend to use the ClearClick functionality in NoScript. If you're not planning to block scripts, you can use the relaxed settings, but make sure you enable ClearClick. This feature protects against the vast majority of clickjacking attacks varieties.

Finally, exercise common sense. A website that tells you to click a button to win an iPhone is very likely a scam, so is the website asking you to click a link so you can download a full version of some explicit material (such as videos and pictures with sexual contents). The same goes for the webpage promising you videos of kittens saying silly things.

Answer 2

The NoScript Firefox extension is going to be effective to protect you from clickjacking attacks.

This kind of attack usually requires the attacker to use JavaScript in order to move an iframe under your cursor. Therefore, it has to be executed on a website where the attacker can inject JavaScript. Beware of links to jsfiddle.net or similiar websites, which might already be in your whitelist.

In general (and this should go without saying): Don't follow suspicious links. There are more serious threats than clickjacking attacks on your Facebook account out there, such as CSRF and malware.

Answer 3

The easiest way of guarding against clickjacking is via NoScript. Disable scripts for all pages except ones you trust. In addition, enable ClearClick.

Usually, a site that is trying to clickjack you will ask you to do something in a roundabout fashion, and may involve partially obscured elements that you need to click. For example, one common Facebook clickjack is where they will ask you to enter some random text into a textbox, and then ask you to click a blue square that is partially obscured by other color squares. In this case, the text box is a comment box, and the blue square is the "add comment" button which has its text obscured.

One easy way to check for clickjacking is to view the source of the page and look for any iframes that shouldn't be there.

Answer 4

One approach is to use separate browsers for general browsing and sensitive browsing.

Perhaps you use Chrome for your general browsing. If you open your online banking in a Chrome tab, while you have untrusted sites in other tabs, you are potentially vulnerable to a whole range of web attacks: cross-site scripting, CSRF, clickjacking, etc. Of course, we hope that your online banking will be secure against these attacks. But if you use a separate browser for online banking, you're not relying on the site to protect you.

A related approach is to use one browser, and only have one tab open at once. When you want to do online banking, you close all your tabs, open one tab for online banking, do your online banking, logout, then resume normal browsing. This provides similar protections. However, I think most people would prefer to use two separate browsers.

This does not protect you against malware. You can defend against malware using a similar approach by having one virtual machine for general browsing and a separate VM for sensitive browsing.

Also, this does not protect you against fully server-side vulnerabilities such as SQL injection. There is nothing you can really do about that.