Clickjacking

 The good news is that clickjacking can be prevented — both by users and website owners. Here’s what you can do. If You’re a Website Owner 1. Add X-Frame-Options This tells browsers whether your site is allowed to be loaded inside an iframe. Using: DENY → no site can embed yours. SAMEORIGIN → only your own domain can embed your pages. 2. Use a Stronger CSP Rule Content Security Policy lets you decide who can load your site in a frame: Content -Security-Policy: frame-ancestors 'self' ; 3. Avoid Putting Sensitive Actions in Frames If a button performs an important function (payment, settings, etc.), keep it outside iframes. If You’re a Regular User Don’t trust shady download/play buttons. Keep your browser updated. Use an ad-blocker or iframe-blocking extension. Don’t click random links from unknown sites. Final Thoughts Clickjacking works because it targets people , not systems. The best defense is awareness — knowing how the trick works mak...

 Let’s break down how attackers actually make clickjacking work. It’s not magic — it’s just clever website layering. Step 1: Create a Normal-Looking Page The attacker designs a page that looks harmless. Something like: “Watch Movie Online” “Click to Claim Reward” “Start Game” These pages are designed to attract clicks. Step 2: Load Another Website in a Hidden Frame The attacker places a transparent iframe over the visible button. This iframe contains the real action, such as: like, subscribe, confirm payment, change settings, or download malware. Step 3: Align the Hidden Button The attacker positions the hidden button exactly where the user will click. Step 4: The User Clicks The victim clicks something innocent. But the hidden frame receives the click instead. One click → unwanted action done. It’s scary how easy this technique is. A few lines of HTML and CSS can hijack someone’s action completely. REFERENCES  How Attackers Set Up a C...

 Clickjacking sounds technical, but you’ve probably come across it already without realizing. Here are some real-world examples that actually happen: 1. The Fake Download Button You click a “Download” button thinking you’ll get a file. But instead, the hidden click starts installing malware. This is super common on free movie or game websites. 2. “Likejacking” on Social Media You try to click on a picture or a video, but behind it there’s a hidden Like button. Your account ends up promoting a page you’ve never heard of. 3. Accidentally Changing Your Settings An attacker loads your account settings page inside a transparent frame. You think you clicked “Next,” but you actually changed something like: making your account public, turning on a paid service, or subscribing to something shady. 4. Hidden Payment Confirmations This one is scary. A hidden frame can trick you into confirming a payment. You click once → money gone. These examples show how clickjackin...

  Have you ever clicked a button on a website and felt something “unexpected” happened? Maybe a random page opened, a weird like was added, or something just didn’t feel right. That’s basically the idea behind clickjacking . Clickjacking is a trick where attackers hide something behind what you actually see on the screen. So when you click a button you think is harmless, you might actually be clicking a completely different hidden button. For example: You see a “Play Video” button. But behind it, there’s a hidden “Share on Facebook” button. You click Play → you actually share something publicly without knowing. Clickjacking works because the user interface (UI) can be manipulated. Attackers use things like transparent layers, invisible iframes, and CSS tricks to hide the real action. It’s simple. It’s sneaky. And it’s surprisingly effective. REFERENCES Clickjacking – What It Really Is and Why You Should Care OWASP Foundation. Clickjacking . https://owasp.org/www-comm...

  Case Study 1: Social Media LikeJacking Scam Background A popular social media platform saw a sudden increase in suspicious “Likes” on random pages. Users complained that they never clicked “Like,” yet their profile was promoting unknown pages. What Happened Attackers created a website offering “Watch Free Movies.” A big orange Play button appeared on the page. But behind that button, a hidden Facebook Like button was placed using a transparent iframe. When users clicked Play → they unknowingly liked a spam page. Impact Thousands of users unknowingly boosted fake pages The spam pages gained followers quickly Those pages later spread phishing and scam links Lesson Simple UI manipulation can trick even experienced users. Social media platforms must ensure critical actions (like, share, follow) cannot be executed inside frames. Case Study 2: Online Banking Clickjacking Fraud Background A regional bank noticed several customers reporting unauthorized fund tra...

 As we reach the end of this blog, one thing becomes clear: clickjacking is not a complicated attack—but it is a powerful one. It doesn’t need advanced coding or deep hacking skills. All it takes is a hidden frame, a fake button, and a single careless click. And because almost everyone uses the internet daily, anyone can become a victim without realizing it. Throughout the posts, we saw how clickjacking works, the real examples happening online, how attackers build these tricks, and how easily a person can lose control of their actions with one simple click. From social media likes to financial transfers, the risks are real and often invisible. The good news is that awareness changes everything. Once you know what clickjacking is, you automatically become more careful about where you click, what sites you trust, and how you interact with online content. Website owners can also strengthen their pages with simple security headers like X-Frame-Options and CSP to protect users fro...