Skip to content

What is Clickjacking? How does it work and harm your device?

  • by
  • 5 min read

Clickjacking, also known as user-interface/UI redressing or iframe overlay, is an attack where a hacker tricks a user into clicking buttons or URLs, beneath which harmful codes are present. By clicking on the link, users unknowingly download malicious software, visit dangerous websites, provide sensitive information, among other adverse effects.

Robert Hansen and Jeremiah Grossman were the first researchers to identify clickjacking in 2008. Since then, many websites and browsers have recognised the problem and have put mechanisms in place to fight it.

How does clickjacking work?

A hacker embeds an invisible iframe under a clickable component. When a user clicks on the component, instead of (or in addition to) performing the desired action, hacker’s iframe runs on the device. An iframe (inline frame) is an HTML document that is inserted inside another HTML document. Think of it as a new browser window packed inside the web page. Hackers plant malicious codes in these iframes, and wait for the user to click on the component.

Hackers use various approaches to make clickjacking work. Some of them are listed below.

  • By highjacking the website and inserting the malicious code on the page directly, for example, Cross-Site Scripting (XSS) attacks.
  • By setting up an entirely new fake website (goalkeeping website) with an attractive name. When users visit the site and click on the links, a new malware-laden webpage might open. However, this requires that the hacker has access to the resources required for hosting websites.
  • By inserting an inframe above the social media site components. For instance, a hacker can add the codes above the like button on Facebook platform. Similarly, hackers can insert malicious codes on different platforms, also.
  • By inserting the code underneath the mouse cursor. This means that the script will run whenever the user clicks.
  • By making the iframe visible and disguising it as a legit part of the page (UI redressing).
  • By changing the JavaScript to change the position of the mouse pointer to make the user click unwanted tags (pointer integrity attacks). Similar to this is temporal attacks, where users get little time to decide, and there is a high chance of them clicking on unwanted links.
  • By posting malicious links on social media platforms like Facebook and Twitter. Users, consumed by interest, click on the links. Here, hackers use social engineering along with clickjacking. The links can also prompt users to install additional software or plugins which, needless to say, are harmful.

Also read: What is Adware? 5 ways it harms your device and 8 ways to tackle it

How can clickjacking harm the device?

Hacking Android: How your phone can be compromised by a rogue app

It entirely depends on the attacker. Hackers use clickjacking for purposes ranging from stealing Facebook likes to luring the user into giving personal information. They can also use clickjacking to perform other kinds of attacks on the device. As mentioned above, in many cases, it is impossible for the users even to detect the attack. It is worth mentioning that in clickjacking, hackers take advantage of users thirst for knowledge and human weaknesses to further their agendas.

By clickjacking, hackers can harm the device in a host of ways; some of them are as follows:

  • Stealing passwords and other confidential information.
  • Luring to the users to make unwanted purchases.
  • Downloading malware on the device.
  • Stealing the user’s history and preferences.
  • Unauthorised financial transfers,
  • Performing various other attacks like XSS attack, phishing, depending on hacker’s agenda.

Also read: What is a Spyware and ways to counter it

How to prevent clickjacking attacks?

A host of measures are proposed to counter clickjacking. Some of the methods are given below.

  • One way is to design the website in such a way that every time there is a click; a confirmation window must open. In this way, users can assess whether the click was for the particular process they want, or not. Users can also report suspicious clicks.
  • Another way is to change the website interface at regular intervals.
  • One defence mechanism is fame busting. In fame busting, the browser uses the Javascript to check whether the page is at the top-level in the browser window or not. If this is not the case, then the script will remove the page. In addition to this, browsers use new HTTP headers (like X-FRAME-OPTIONS by Internet Explorer 8) to implement fame busting.
  • Additionally, visibility detection on click can also be used. This technique can block clicks entirely if the browser detects that the clicks also contain an invisible click. However, the utility of this technique is limited, as this visibility detection has to be added to a specific component.
  • HTML 5 provides a better solution to the problem. The servers will run in HTML 5 sandbox, which will prevent the JavaScript from running on the server. For now, this technique can be implemented in Chrome and Safari.

Also read: What is Email Spoofing and 9 ways to protect yourself

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: