Clickjack Baddie Whack

Jun 17, 2010 07:16 AM

Recently there’s been a fair bit of coverage of the ‘likejacking’ phenomenon. Just today, in fact, one of my friends fell victim to this mischievous trick and some rather embarrassing content was posted on his social networking site profile without his knowledge or approval. So what exactly is it?

The term ‘likejacking’ is a play on the word ‘clickjacking’, itself a portmanteau of ‘click hijacking’. Clickjacking is not a new technique, but has been hitting headlines as more and more websites now make use of cross-site content. Text, images, or other content generated by one website may be displayed, and interacted with, as part of another.

A specially crafted Web page can contain hidden content that is activated when a user clicks on something that appears to be innocuous: a fake video, an enticing picture, a message to ‘click here to continue’, or the promise of a free gift, for instance. To illustrate how this works, take a look at the following images. The first shows a page that is designed to entice the user into clicking:



The next image shows the same page but with a malicious link included. This link could post malicious or embarrassing content to your profile on social networking sites, perform actions on other sites you’re logged in to, or any other nasty behavior of the attacker’s choosing:



Now, no one but the foolhardy or curious would click the bottom link—and we all know what curiosity did to the poor cat—so let’s make it a bit more difficult for the user to tell what they’re clicking on by including the following HTML snippets in the page (some content removed):



The page now looks like it did in the first screenshot—totally innocuous, with no visible sign of any nastiness—but in the following animated image you can see what's really going on:



The malicious link is floating ‘above’ the page and is set to follow the mouse pointer. This means that wherever on the page the user clicks, he or she is actually clicking on the booby-trapped invisible link.

To prevent these kinds of attacks it’s important to use caution when browsing the Web, but unfortunately this can only go so far, and it’s not really feasible to disable JavaScript altogether because of the key role it plays in today’s Web. Most modern browsers include some form of protection against clickjacking, but attackers are always seeking ways to circumvent these defenses. So, what to do? An excellent strategy is to use a browser add-on such as NoScript, which prevents scripts from running on non-whitelisted sites. Many such add-ons also include features that specifically seek to prevent clickjacking attempts, and can be regularly updated to smack clickjack hack attacks—stat.
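Browser add-ons protect the person clicking; the site whose buttons are being hijacked can also refuse to be embedded by other origins. As an added example that is not part of the original post, the script below evaluates the two response headers that control this, X-Frame-Options and the Content-Security-Policy frame-ancestors directive, against constructed sample header sets (the kind of thing you would capture with `curl -sI` against your own site).

```javascript
// Added example: classify a site's framing policy from its response headers.
// Header values below are constructed samples, not captured from a real site.

function cspDirective(csp, name) {
  // Return the source list for one CSP directive, or null if it is absent.
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

function assessFramingPolicy(headers) {
  // headers: lowercase header name -> value, as Node's http client returns them.
  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = cspDirective(csp, 'frame-ancestors');
    if (ancestors) {
      // Browsers that understand frame-ancestors ignore X-Frame-Options when
      // both are present, so this directive decides the outcome. An empty
      // list or 'none' blocks all framing; '*' or a bare scheme allows any origin.
      const open = ancestors.some((s) => s === '*' || /^https?:$/i.test(s));
      return { protected: !open, mechanism: 'csp', sources: ancestors };
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, mechanism: 'x-frame-options', sources: [xfo] };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    // Legacy value that current browsers do not honour; treat as unprotected.
    return { protected: false, mechanism: 'x-frame-options', sources: [xfo] };
  }
  return { protected: false, mechanism: null, sources: [] };
}

// Constructed sample header sets covering the common configurations.
const samples = {
  none: {},
  deny: { 'x-frame-options': 'DENY' },
  cspNone: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  cspWildcard: { 'content-security-policy': 'frame-ancestors *', 'x-frame-options': 'DENY' },
};

for (const [name, h] of Object.entries(samples)) {
  const r = assessFramingPolicy(h);
  console.log(`${name}: ${r.protected ? 'not frameable' : 'FRAMEABLE'} (${r.mechanism || 'no header'})`);
}
```

The `cspWildcard` case is the one to watch for in reviews: a CSP that explicitly allows all ancestors silently overrides an X-Frame-Options: DENY that someone added earlier.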
