Clickjacking was described in a 2008 report by two researchers, Robert Hansen of SecTheory and Jeremiah Grossman of WhiteHat Security. They showed how malicious user-interface overlays, typically invisible browser frames that capture a user's actions, could lead victims to believe they are interacting with one Web page when in reality their clicks are being captured by a completely different page. Users' computers do not have to be infected with a virus or Trojan. They just have to visit a website that displays content, such as a Flash advertisement, controlled by the attacker.
Browser makers could block the problem by preventing Web pages from accessing other domains. But that would break a lot of features used for legitimate purposes, including advertising. Instead, browser makers have given website developers the ability to allow programming scripts to run only if they come from approved external sites.
Developers can also include "frame-busting" code to prevent another website from loading their page inside an invisible frame. But while some websites have implemented such defenses against clickjacking, sites created specifically for mobile devices rarely have them. The Stanford researchers found frame-busting code on one out of every seven sites in Alexa's list of the Web's 500 most popular sites. More than half of Alexa's top 500 have a separate portal for mobile devices, but only two of those mobile sites had the frame-busting defenses.
"Mobile website security should be taken as seriously as nonmobile website security; otherwise, bad things can happen," Bursztein says.
In addition to the standard exploits of clickjacking, tapjacking could also enable an attacker to grab the credentials of the user’s home wireless network. From there, an attacker could determine the physical location of the wireless network as well. The technique would be relatively straightforward on phones, says Craig Heffner, a security consultant who presented on home router issues at the recent Black Hat conference.