Clickjacking was described in a 2008 report by two researchers, Robert Hansen of SecTheory and Jeremiah Grossman of WhiteHat Security. They showed how malicious user-interface overlays, typically a transparent browser frame layered over the page the victim sees, could lead victims to believe they are interacting with one Web page when in reality their clicks are being delivered to a completely different page loaded in that hidden frame. The users do not have to have their computers infected with a virus or Trojan. They just have to visit a website that displays content–such as a Flash advertisement–controlled by the attacker.

Browser makers could block the problem by refusing to let one Web page embed content from another domain in a frame. But that would break a lot of features used for legitimate purposes, including advertising. Instead, browser makers have given website developers a way to declare, page by page, whether a page may be embedded in a frame by another site at all (for example, through the X-Frame-Options response header).

Developers can also run “frame-busting” code: script in the page that checks whether the page has been loaded inside another site’s frame and, if so, breaks out of it, so that an attacker cannot display it invisibly over a decoy. But while some websites have implemented such defenses to prevent clickjacking, sites created specifically for mobile devices rarely have them. The Stanford researchers found frame-busting code on one out of every seven sites in Alexa’s list of the Web’s 500 most popular sites. More than half of Alexa’s top 500 have a separate portal for mobile devices, but only two of those mobile sites had frame-busting defenses.
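The two defenses described above, the server-side framing declaration and client-side frame busting, as an added example. This is not code from the article or from the Stanford study; it is written here to show why the naive frame buster is weaker than a version that keeps the page hidden until it has confirmed it is not framed. The window model, the origins (bank.example, attacker.example) and the function names are all constructed for the example so that it runs under Node as well as in a browser.

```javascript
// Added example (not from the article or the Stanford researchers).
// Part 1: decide what a browser honouring X-Frame-Options would do.
// Part 2: compare a naive frame buster with a hardened one under a
// framing page that blocks the top-level navigation the buster relies on.

// --- 1. Server-side: X-Frame-Options ----------------------------------
// Returns true if the page would be rendered inside a frame hosted by
// `framerOrigin`. A missing or unrecognised header value leaves framing
// allowed, which is how browsers treat it.
function xFrameOptionsAllowsFraming(headerValue, pageOrigin, framerOrigin) {
  const v = (headerValue || '').trim().toUpperCase();
  if (v === 'DENY') return false;
  if (v === 'SAMEORIGIN') return pageOrigin === framerOrigin;
  return true;
}

// --- 2. Client-side frame busting --------------------------------------
// Minimal stand-in for browser window objects (constructed for this example).
// `blockNavigation` models a framing page that defeats assignments to
// top.location, e.g. with an onbeforeunload prompt or a sandboxed iframe.
function makeWindow({ framed, blockNavigation = false }) {
  const self = {
    location: 'https://bank.example/transfer',
    document: { documentElement: { style: { display: 'none' } } },
  };
  let topLocation = 'https://attacker.example/game';
  const top = framed
    ? {
        get location() { return topLocation; },
        set location(url) { if (!blockNavigation) topLocation = url; },
      }
    : self;
  self.self = self;
  self.top = top;
  return self;
}

// Classic buster: if framed, navigate the top window to ourselves.
// Its whole effect depends on that navigation succeeding.
function naiveFrameBuster(win) {
  if (win.top !== win.self) win.top.location = win.self.location;
}

// Hardened buster: the page ships hidden (<style>html{display:none}</style>)
// and is revealed only after confirming self === top. If the navigation is
// blocked, the page stays invisible, so there is nothing for a victim to tap.
function hardenedFrameBuster(win) {
  if (win.self === win.top) {
    win.document.documentElement.style.display = 'block';
  } else {
    win.top.location = win.self.location;
  }
}

// Run one buster in one scenario and report whether the page ended up
// both framed and visible, which is the condition clickjacking needs.
function simulate(buster, opts) {
  const win = makeWindow(opts);
  if (buster === naiveFrameBuster) {
    // A page using the classic buster has no CSS hiding; it renders at once.
    win.document.documentElement.style.display = 'block';
  }
  buster(win);
  const framed = win.top !== win.self && win.top.location !== win.self.location;
  const visible = win.document.documentElement.style.display === 'block';
  return { framed, visible, exploitable: framed && visible };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('DENY, cross-site framing allowed:',
    xFrameOptionsAllowsFraming('DENY', 'https://bank.example', 'https://attacker.example'));
  console.log('naive, navigation blocked:',
    simulate(naiveFrameBuster, { framed: true, blockNavigation: true }));
  console.log('hardened, navigation blocked:',
    simulate(hardenedFrameBuster, { framed: true, blockNavigation: true }));
}
```

The header is the stronger of the two, because it is enforced by the browser before any script in the framed page runs; the hardened buster is the fallback for browsers that do not honour it, and it fails closed (page hidden) rather than open (page visible inside the attacker's frame).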

“Mobile website security should be taken as seriously as nonmobile website security–otherwise, bad things can happen,” Bursztein says.

In addition to the standard exploits of clickjacking, tapjacking could also enable an attacker to grab the credentials of the user’s home wireless network. From there, an attacker could determine the physical location of the wireless network as well. The technique would be relatively straightforward on phones, says Craig Heffner, a security consultant who presented on home router issues at the recent Black Hat conference.
