Clickjacking: The Button You Didn’t Mean to Click

Analogy
Imagine you're trying to press the "Submit" button on a scholarship form, but someone placed a transparent glass over it — and on their side of the glass, they drew a fake "Claim Prize" button. You think you're clicking your form, but you're really giving them access to your bank account.
That’s clickjacking — tricking you into clicking something you can’t see.
What is Clickjacking?
Clickjacking (a.k.a. UI Redressing) is a type of attack where a malicious site hides or overlays elements from a legitimate site inside invisible frames or layers.
It tricks users into unknowingly clicking on buttons, links, or UI elements — usually to perform sensitive actions like:
Liking a social media page
Changing account settings
Making a financial transaction
Giving camera/microphone permissions
The key: The user thinks they’re clicking on one thing, but the click is hijacked and used elsewhere.
How Clickjacking Works (Step-by-Step)
1. Attacker Builds a Malicious Page
They create a website that looks innocent — a quiz, a free gift, a video, etc.
2. They Embed the Target Website (via iframe)
The attacker uses HTML to embed the legitimate website inside an <iframe>, like this:
<iframe src="https://targetsite.com/profile-settings" style="opacity: 0; position: absolute; z-index: 999;"></iframe>
They set it to:
opacity: 0 → completely invisible
position: absolute → place it exactly over a visible button
z-index: high → ensure it stays above everything
3. They Trick You into Clicking
The user sees a visible “Click Me” button or fun game on screen. But behind it (in the invisible iframe) is a button from another site — like “Delete Account” or “Make Payment.”
When the user clicks what they see, they’re actually clicking what they don’t see — the attacker’s intended target.
4. Action Is Performed — Without User Realizing
The target website processes the click as valid:
You liked someone’s page
You changed your settings
You sent money
All without your informed consent.
Variants of Clickjacking
Likejacking: Tricks user into “liking” something on social media
Cursorjacking: Moves the visible cursor away from the actual click point
File upload jacking: Tricks users into uploading sensitive files
Permission jacking: Hides prompts like “Allow camera” or “Enable mic” behind fake UI
How to Defend Against Clickjacking
For Developers / Site Owners:
Use the X-Frame-Options header:
X-Frame-Options: DENY
Prevents your site from being embedded in an iframe.
Use Content Security Policy (CSP):
Content-Security-Policy: frame-ancestors 'none';
Gives stricter control over which origins can embed your content.
Framebusting Scripts (less preferred now):
JavaScript to detect if the site is loaded in an iframe and then break out of it.
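The two headers above, as an added example that is not part of the original post: a small Node.js helper that builds the anti-framing headers a site should send, applies them to a response, and checks an existing response's headers for a protection that current browsers would actually enforce. The function names and the fake response object are assumptions made here; the header names and values are the standard X-Frame-Options and CSP frame-ancestors ones.

```javascript
// Added example (not from the original post). Assumes Node.js, no third-party
// modules. Header names/values follow X-Frame-Options and CSP frame-ancestors;
// the function names and sample inputs are constructed for this example.

// Build the defensive headers. `ancestors` lists origins allowed to frame the
// page; an empty list means "nobody" (DENY / frame-ancestors 'none').
function clickjackingHeaders(ancestors = []) {
  const sources = ancestors.length === 0 ? "'none'" : ancestors.join(' ');
  return {
    // Legacy header, still sent for old browsers. It cannot carry an origin
    // list (ALLOW-FROM is obsolete), so it falls back to SAMEORIGIN when a list is given.
    'X-Frame-Options': ancestors.length === 0 ? 'DENY' : 'SAMEORIGIN',
    // Modern control; browsers that understand frame-ancestors ignore X-Frame-Options.
    'Content-Security-Policy': `frame-ancestors ${sources};`,
  };
}

// Set the headers on a Node http.ServerResponse (anything with setHeader()).
function applyToResponse(res, headers) {
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  return res;
}

// Inspect a response's headers (object keyed by header name, any case) and
// report which framing protection a modern browser would enforce:
//   'csp'  - frame-ancestors directive present (takes precedence over XFO)
//   'xfo'  - X-Frame-Options DENY or SAMEORIGIN only
//   'none' - nothing enforceable (header missing, or the obsolete ALLOW-FROM form)
function assessFramingProtection(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const csp = lower['content-security-policy'] || '';
  if (/(^|;)\s*frame-ancestors\s+/i.test(csp)) return 'csp';
  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return 'xfo';
  return 'none'; // ALLOW-FROM is ignored by current browsers, so it counts as none
}
```

Run `assessFramingProtection` over the headers your own site returns to confirm the protection is really present, not just intended.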
For Users:
Use modern browsers that respect clickjacking protections.
Disable JavaScript or iframes on suspicious sites (via plugins like NoScript).
Avoid interacting with shady quizzes, popups, giveaways.
Use browser extensions that alert you if iframes or redressing behavior is detected.
TL;DR
Clickjacking tricks you into clicking something invisible.
It often uses iframes, opacity, and CSS positioning.
The attack is silent, effective, and hard to spot visually.
Web developers must implement headers to prevent their sites from being abused.
I thought I was clicking “Submit.” Turns out I just donated my kidney and liked someone's crypto scam page : )