Clickjacking
The Clickjacking attack was
introduced by Robert Hansen and Jeremy Grossman in September 2008. This attack
constructs a malicious web page to trick the user into performing unintended
clicks that are advantageous for the attacker. Its propagate worms, steal
confidential information passwords, cookies, send spam, delete personal mails,
etc. This is very much attracted a broad attention by the security industry and
the web community. Most websites still have not implemented effective
protection against Clickjacking.
This vulnerability across a variety of
browsers and platforms, a Clickjacking takes the form of embedded code or
script that can execute without the user's knowledge, such as clicking on a
button that appears to perform another function. Clickjacking also known as
user interface redressing is one of Malicious Technique tricking users to click
the button or image that will run hidden malicious script from another site. An
attacker uses multiple transparent or opaque layers to trick a user into
clicking on a button or link on another page when they were intending to click
on the innocuous page. Thus an attacker hijacks the click to another website.
That's why it is known as Clickjacking (Click+Hijacking). The possibilities for
how clickjacking software could be abused are endless.
There are a number of
things that have major Web sites and companies especially alarmed. In some
cases, the user may be able to recognize this immediately; in other cases, the
user may be totally unaware of what took place. First is the fact the program
can run on virtually any Web site without the Web site owner's knowledge or
ability to stop it. Second, clickjacking can take the user to a mirror site
while still making them believe they are on the Web site of the company and
mine personal information, often which is freely given. Third, no browser,
except the very few that are not based on graphics, is immune from clickjacking
software. In addition to stealing personal data, such as bank account
information, credit card information and Social Security numbers, clickjacking
can also install a number of software applications on a computer without the
user's knowledge. This software could be harmful viruses, spyware or adware.
The latter may not be extremely harmful in nature but it often presents a big
problem for computers. Browsers and Internet security software companies are
working on a security patch that would help correct the situation. However,
that may take some time.
No comments:
Post a Comment