
What is Clickjacking?

Ken Black

Clickjacking is a form of malicious software that can seemingly take control of the links that an Internet browser displays for various Web pages. Once that happens and a user clicks on one of those links, the user is taken to an unintended site. In some cases, the user may recognize this immediately; in other cases, the user may be totally unaware of what took place.

Clickjacking occurs when a malicious program is embedded into a Web site. This program hovers under the user's mouse, according to Jeremiah Grossman, a security researcher dealing with Internet issues. Once the user clicks, usually on a link though it can be anywhere on the page, a new Web site may appear or software may be downloaded, and clickjacking has occurred.


The possibilities for how clickjacking software could be abused are endless. A number of things have major Web sites and companies especially alarmed. First, the program can run on virtually any Web site without the Web site owner's knowledge or ability to stop it. Second, clickjacking can take users to a mirror site while still making them believe they are on the company's Web site, and mine personal information, which is often freely given. Third, no browser, except the very few that are not based on graphics, is immune from clickjacking software.

In addition to stealing personal data, such as bank account information, credit card information and Social Security numbers, clickjacking can also install a number of software applications on a computer without the user's knowledge. This software could be harmful viruses, spyware or adware. The latter may not be extremely harmful in nature but it often presents a big problem for computers.

Details on how clickjacking works, other than the basic information already listed, are being closely guarded. Browsers and Internet security software companies are working on a security patch that would help correct the situation. However, that may take some time.

Other than using a text-based browser, such as Lynx™, there is not much that can be done at this point. Those employing some sort of solution will find that Internet browsing becomes far different from what they are used to. There are applications, such as NoScript™, that can block Java and script applications from running in a browser, but this would render some Web sites virtually useless.


Discussion Comments


Out of curiosity, I was wondering how to clickjack, and how difficult it really is. I don’t know a great deal about computers. I’m more likely to be the person who is a victim of something like this.

The individual who is perpetrating a clickjacking, if you will, seems to have many ways to do this. I was surprised that someone could embed an invisible link underneath a button to take over the link and send the user to a different site completely.

I am concerned enough about all the ways I can accidentally cause my computer to self-destruct. I certainly don’t need help from some virus or spyware. And, I really don’t want my personal information stolen! I hope there is a good fix for this soon.


You can find articles with clickjacking examples by doing a quick search. Hopefully we can arm ourselves against these attacks as much as possible until there are better ways to get rid of them altogether.

Even worse than the ‘like’ buttons on Facebook are the ‘flattr’ micropayment buttons being used on other sites. A user can incorporate a ‘flattr’ button on their page to be given a monetary reward by someone who likes their site.

These are being used by clickjackers to get the payments themselves. There is no way to reverse the ‘flattr’, so you are stuck with it if you get clickjacked.


This is a completely new threat for me. I knew to be aware of things like Trojans, and phishing, and the like. But clickjacking? I have never heard of it before now. I know a lot of us use social networking sites.

I just read that clickjacking attacks are being done with Facebook’s ‘like’ buttons. I don’t want to click on anything! The people behind these clickjacking attacks are pretty sneaky. The best advice I have read so far is to be leery of any posts that seem out of character for your social network friends. Hopefully as this information becomes more widespread, there will be a quick end to clickjacking.
