While the idea of clickjacking isn’t new at all, I’m only just starting to get into the details of it – and by the looks of it, it’s absolutely brilliant. In fact, I’m surprised it hasn’t been done before.
Here’s an example given by the ThreatExpert Blog.
When a user has an active online banking session, any particular transaction means particular controls clicked in a particular order. An attacker can make a guess that his victim is currently logged on, and thus, sends an instant message to the victim with an invitation to click a link to the attacker’s own website.
The forged website will try to conceal the online banking website (with the victim currently logged on as the previous session was not terminated) inside an invisible frame, as shown on the picture below.
Any clicks submitted by the victim to the forged website will eventually be handled by the transparent (but still active) frame. In the example above, the victim may unintentionally add a new login name to his/her account that could now be used by the attacker.
So far, the danger of clickjacking remains purely hypothetical and there are no confirmed cases of malicious clickjacking “in-the-wild”.
Now here’s what struck me as odd: iFrames have been around for several years now, as well as transparency and overlays. Why has this only recently become an issue?
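The invisible frame in the ThreatExpert example only works if the banking page allows itself to be rendered inside another site's frame. The sketch below is an added example, not code from this post or from ThreatExpert: it reads a response's `X-Frame-Options` and CSP `frame-ancestors` headers and reports whether a given parent origin could frame the page. The origins and sample headers are constructed, and the `frame-ancestors` matching is simplified to `'none'`, `'self'`, `*` and exact origins.

```javascript
// Added example: can a page be rendered in a frame owned by parentOrigin?
// Assumptions: header names are lower-cased keys, origins are lower-case
// strings, and only the immediate parent frame is considered.

function frameAncestors(csp) {
  // Return the frame-ancestors source list, or null if the directive is absent.
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function canBeFramedBy(headers, pageOrigin, parentOrigin) {
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // When frame-ancestors is present, browsers enforce it and ignore
    // X-Frame-Options. An empty source list matches nothing.
    return sources.some((s) => {
      const src = s.toLowerCase();
      if (src === "'none'") return false;
      if (src === "*") return true;
      if (src === "'self'") return parentOrigin === pageOrigin;
      return src === parentOrigin; // exact origin match only (simplified)
    });
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parentOrigin === pageOrigin;
  // Missing or unrecognised value (including the obsolete ALLOW-FROM,
  // which current browsers ignore): framing is allowed from anywhere.
  return true;
}

// Constructed sample responses for a hypothetical https://bank.example.
const BANK = "https://bank.example";
const SAMPLES = {
  "/transfer": {},
  "/login": { "x-frame-options": "DENY" },
  "/settings": { "content-security-policy": "default-src 'self'; frame-ancestors 'self'" },
};

function framableFrom(parentOrigin) {
  // Paths a third-party page could load in a frame, i.e. the exposed ones.
  return Object.keys(SAMPLES).filter((p) => canBeFramedBy(SAMPLES[p], BANK, parentOrigin));
}

console.log(framableFrom("https://forged.example")); // constructed foreign origin
```

Any path this reports as framable from a foreign origin is one where a user's clicks could be delivered to the page without the user seeing it.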
