How to protect yourself from clickjacking

It isn't getting any better out there on the Wild, Wild Web, and now there's an even more sinister criminal tactic that affects every graphical browser in use today; it's called “clickjacking” and it's a nasty one. The trick is simple: the attacker loads a page you're already logged in to (your bank, your webmail, a plugin's settings panel) inside an invisible frame and lines it up over something you want to click, so the click you think you're giving to a harmless button actually lands on a button in the hidden page. In fact, unless you're using a text-based browser such as Lynx (it's pretty interesting; check it out), which doesn't rely on the mouse, you're vulnerable.

In Firefox, Internet Explorer, Safari, or Opera, for instance, any click of the mouse could result in your being infected with malware, your bank account being robbed, or other nefarious things; the attacker could even turn on your laptop's built-in microphone and webcam to spy on you. Moreover, the red “X” we're all used to clicking to close a window can be faked the same way, and it probably won't be long before that's exploited. (On Windows you can close the active window without clicking by pressing Alt-F4. Get into the habit of using it.) The good news is, it's relatively easy to protect yourself.

If you're running Firefox—and I certainly hope you are—you need to install NoScript. This free, open source add-on only allows JavaScript, Java, Flash and other plugins to run on sites you trust; all scripting is blocked by default. For example, Dave's Computer Tips (DCT) uses JavaScript, so NoScript will block (and break) certain things on the site; but you trust DCT, so you can allow scripting for it and NoScript will let the features work. The latest version of NoScript has a feature called ClearClick, built specifically to catch clickjacking attempts, that you can read about here. I don't surf without it, and you shouldn't either.

There are various options available to you when you visit a site. Click the Options button:

(NoScript will not allow a screenshot of the menu itself, for security reasons; any key press closes the menu, so I'll have to explain.) What you want to do for any trusted site, like Dave's Computer Tips, is click the Options button and select “Allow all this page.” You'll see a bunch of other options, too; there will be entries for ad hosts, tracking sites and the like. You can enable or disable them at will. With a little practice, you'll get a feel for it; it's not complicated. I usually allow everything on sites I trust, but only allow the main site if I've arrived there by clicking a link.

After you install NoScript, you should also forbid frames from sites you haven't trusted, since a hidden frame is what a clickjacking page is built on. Open the add-on's options, go to the Embeddings tab and check the “Forbid IFRAME” box. (Frames from sites you've allowed still load; frames from untrusted sites show a placeholder until you allow them, so expect a few embedded widgets to need a click.)
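To make the threat concrete, here is an added example, written for this page and not code from the article or from NoScript, that models in a few dozen lines why a transparent frame steals a click and the kind of comparison a ClearClick-style check makes. The page layout, the element names and the origins (`prizes.example`, `bank.example`) are constructed for the demonstration; the page is modeled as a list of rectangles in stacking order, which is all the idea needs.

```javascript
// Added example (not from the article): a toy model of a clickjacking
// overlay and of a ClearClick-style check. Element list, coordinates and
// origins are constructed here; the origins are hypothetical.
//
// Each "element" is a rectangle in page coordinates. The array is in
// stacking order: later entries are painted on top of earlier ones.
// opacity 0 means the user cannot see the element, yet it still receives
// clicks, which is exactly what the attacker's transparent frame relies on.

const VISIBLE_THRESHOLD = 0.05; // below this the user effectively sees nothing

function contains(el, x, y) {
  return x >= el.x && x < el.x + el.w && y >= el.y && y < el.y + el.h;
}

// What the browser actually delivers the click to: the topmost element
// under the pointer, regardless of how visible it is.
function hitTarget(elements, x, y) {
  for (let i = elements.length - 1; i >= 0; i--) {
    if (contains(elements[i], x, y)) return elements[i];
  }
  return null;
}

// What the user believes they are clicking: the topmost element under the
// pointer that is actually visible.
function perceivedTarget(elements, x, y) {
  for (let i = elements.length - 1; i >= 0; i--) {
    const el = elements[i];
    if (contains(el, x, y) && el.opacity >= VISIBLE_THRESHOLD) return el;
  }
  return null;
}

// ClearClick-style check: if the element receiving the click is not the one
// the user sees at that point, and the receiver belongs to a framed document
// from another origin, flag the click instead of delivering it.
function checkClick(elements, x, y, pageOrigin) {
  const hit = hitTarget(elements, x, y);
  const seen = perceivedTarget(elements, x, y);
  if (hit === null) return { verdict: 'nothing', hit, seen };
  const hijacked = hit !== seen && hit.origin !== pageOrigin;
  return { verdict: hijacked ? 'clickjack' : 'ok', hit, seen };
}

// Constructed attack page: a visible decoy button, with a fully transparent
// frame of bank.example stacked on top so that its "Send money" button sits
// exactly over the decoy.
const ATTACK_PAGE = [
  { id: 'decoy-button', origin: 'https://prizes.example',
    x: 100, y: 100, w: 120, h: 40, opacity: 1 },
  { id: 'bank-frame:send-money', origin: 'https://bank.example',
    x: 100, y: 100, w: 120, h: 40, opacity: 0 },
];

// Same layout with the frame visible: an ordinary embedded widget.
const HONEST_PAGE = ATTACK_PAGE.map(el => ({ ...el, opacity: 1 }));

function demo() {
  const origin = 'https://prizes.example';
  return {
    attack: checkClick(ATTACK_PAGE, 150, 120, origin).verdict,   // 'clickjack'
    honest: checkClick(HONEST_PAGE, 150, 120, origin).verdict,   // 'ok'
    offTarget: checkClick(ATTACK_PAGE, 10, 10, origin).verdict,  // 'nothing'
  };
}

console.log(demo());
```

In a real attack the framed page cannot see the decoy above it and the attacker's page controls everything else, which is why the check has to live in the browser (ClearClick works on rendered pixels rather than a list of rectangles). Sites can also refuse to be framed at all by sending an `X-Frame-Options: DENY` header or a Content-Security-Policy `frame-ancestors` directive; a site that does so can't be placed under your cursor in the first place.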

For more information about configuring and using the NoScript extension for Firefox please read our How to Configure and Use NoScript article.

Protect yourself from clickjacking in Internet Explorer

In Internet Explorer, you have to go through a bit more to protect yourself. Open IE, go to Tools > Internet Options and click on the Security tab:

Then, select Internet and Custom level for the security settings:

Set the security level for the Internet zone to High. This disables active scripting and ActiveX controls for every site not listed in another zone, so many pages will look broken until you add the sites you trust, such as Dave's Computer Tips, to the Trusted Sites zone:

Click on Trusted Sites and Custom level:

Set the security level to “Low.” Keep in mind that Low runs almost all active content from these sites without prompting, so treat the Trusted Sites zone as a short list of sites you really do trust; if you'd rather keep some prompts, “Medium-low” makes most sites work too:

This should allow most active content to display properly. To add a site to the Trusted Sites zone, select Trusted Sites and click Sites:

Add Dave's Computer Tips to the Trusted Sites zone with a leading wildcard (the *.domain form), as shown, so that every subdomain is covered. Uncheck the “Require server verification (https:) for all sites in this zone” box; otherwise IE only accepts https: addresses in this zone:

In the future, any sites you trust can be added in this manner. This should protect you from most clickjacking attacks, and it'll make you more secure in general.

About the Author

Ken Harthun

Ken is our resident security expert with years of experience in the field. He can also carry a tune as an accomplished musician. Ken has written for many publications and presently is a contributor to IT Knowledge Exchange.