Thursday, November 13, 2008

How Serious is the Clickjacking Threat?

Learn More About Clickjacking

Tech news sites such as ZDNet have reported that clickjacking is a potentially serious threat that can affect any browser.

A Look at Clickjacking

In layman's terms, clickjacking happens when a malicious page is hiding behind what appears to be a safe webpage. When you click on an item, your computer is "clickjacked" by the malicious code, which then hijacks various components of your computer. This occurs without your knowledge.

Generally, webcams are hijacked, but clickjacking is not limited to affecting a cam. For instance, your sound system or microphone can be exploited, or your PC can be taken over in other ways.

Particularly vulnerable to clickjacking was Adobe's Flash Player, but Adobe has issued a fix that addresses the issue.

What Browsers are Safe?

Clickjacking is a cross-browser threat, meaning that the malicious code can affect Internet Explorer, Firefox, Chrome or any other Internet browser. Merely disabling JavaScript will not fix it.

The only known solution is a "NoScript" add-on that works with Firefox.

Problems with the Clickjacking Fix

After using NoScript for a week or so, I disabled it because it made web surfing a chore. Every site I visited was blocked to some degree because of YouTube videos, JavaScript coding or ads installed on the page. For instance, the following were all blocked by NoScript:

  • Google Analytics
  • Pepperjam network
  • Peelaway Ads
  • Voxant's newsroom
  • Chitika
  • and many, many more (see the partial list of affiliate programs and other utilities blocked by NoScript).

One of the few ad networks automatically whitelisted by the NoScript add-on is Google's AdSense. Most of the others will need to be manually approved, and it is unlikely that the average Internet user will know that an ad is safe enough to whitelist.

If clickjacking is truly the threat that some would say that it is, and if solutions such as NoScript are the only way to fight back, I can see that this situation will kill online advertising. Even the big boys' ads, such as those delivered by Adserver Plus, were blocked by the Firefox add-on.

Conclusion: Maybe the Threat is Overrated

My web browsing experience is back up to speed since I've disabled NoScript, and so far I haven't been hit by any type of clickjacking activity. Perhaps the threat is more overrated than it actually is.

The NotGuru blog has posted some videos that show exactly how clickjacking works and how to install fixes.
