“Clickjacking,” or hijacking your clicks—what’s this new threat all about? Computerworld’s Gregg Keizer (via Macworld) discusses this with “Robert Hansen, founder and chief executive of SecTheory LLC, and one of the two researchers who discussed the bug in a semi-closed session at OWASP AppSec 2008 on Wednesday.” Hansen explains that clickjacking is simply a way to add invisible buttons to a web page that sit on top of the real buttons: when you click what you think is the real button, something unexpected happens.
Hansen gave an example: “Say you have a home wireless router that you had authenticated prior to going to a [legitimate] Web site. [The attacker] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules. That would give them an advantage in an attack.”
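The router scenario above only works if the target page can be loaded inside another site's frame, so the defender's first check is whether a page refuses framing. As an added example (not from the article, which does not discuss these controls), here is a small Python audit of response headers for the two standard anti-framing controls, X-Frame-Options and the CSP frame-ancestors directive; the helper names and the sample responses are constructed for illustration.

```python
"""Audit HTTP response headers for anti-framing protection (constructed example)."""

SAFE_XFO = {"DENY", "SAMEORIGIN"}  # ALLOW-FROM is obsolete and not relied on


def csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_protection(headers: dict) -> dict:
    """Classify how well a response resists being framed by other origins.

    Header names are matched case-insensitively, as HTTP requires.
    Returns {"protected": bool, "reason": str}.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        # CSP takes precedence over X-Frame-Options in browsers that support it.
        if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
            return {"protected": False, "reason": "frame-ancestors allows any origin"}
        return {"protected": True, "reason": f"frame-ancestors {' '.join(ancestors) or 'none'}"}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in SAFE_XFO:
        return {"protected": True, "reason": f"X-Frame-Options {xfo}"}
    return {"protected": False, "reason": "no effective anti-framing header"}


# Constructed sample responses (hypothetical, not captured from any real device).
SAMPLE_RESPONSES = {
    "router-admin-legacy": {"Content-Type": "text/html"},
    "hardened": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    },
    "permissive-csp": {"content-security-policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name}: {framing_protection(hdrs)}")
```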