Intro: Why Clickjacking matters
Clickjacking is a vulnerability that is often underestimated, even though it can affect the confidentiality, integrity, and availability of an application to a high degree.
The impact of a successful attack can be privilege escalation (e.g. changing permissions from regular user to full admin), weakening of security mechanisms (e.g. disabling 2FA), deletion of data, or making data publicly accessible.
I have previously shown that it is even possible to control text input via Clickjacking (at least in Firefox), giving Clickjacking (almost) the full power of CSRF.
But compared to CSRF, Clickjacking requires more user interaction than simply visiting an attacker-controlled page. For simple one-click attacks such as like-stealing, this is negligible, but for multi-click attacks (e.g. checking the “is admin” box, followed by a click on “save”), this seems to prevent real-world exploitation. Who is going to click 5 times in exactly the right position? Nobody.
But users click on webpages all the time! If we can intercept and redirect these clicks to where they are needed, multi-click attacks suddenly become much more realistic.
With advanced Clickjacking techniques such as automatically tracking the mouse cursor and directing the click exactly where it’s needed, it is possible to exploit multi-click Clickjacking vulnerabilities in the wild. The user simply has to click somewhere - anywhere - a couple of times.
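Every attack described above depends on one precondition: the target page can be loaded inside a frame on an attacker-controlled origin. The check a defender wants first is therefore whether the response headers actually forbid framing. The following is an added example (not code from the original post or its author) that evaluates a response's `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers the way modern browsers do: a `frame-ancestors` directive takes precedence over `X-Frame-Options` when present, `ALLOW-FROM` is obsolete and ignored, and a missing or unparsable header leaves the page frameable by any origin. The header values used as input are constructed for the example.

```python
"""Decide whether an HTTP response protects its page against framing.

Added example: evaluates X-Frame-Options (XFO) and the CSP frame-ancestors
directive. Browsers that understand frame-ancestors ignore XFO when both are
present, so CSP is checked first. Input headers are constructed samples.
"""
from typing import Dict, List, Tuple


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source, ...]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def framing_verdict(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for a single response's headers.

    protected is True only when a browser would refuse to render the page
    inside a frame on an arbitrary (attacker-controlled) origin.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    # 1. CSP frame-ancestors wins over X-Frame-Options when present.
    csp = lower.get("content-security-policy")
    if csp:
        directives = parse_csp(csp)
        if "frame-ancestors" in directives:
            sources = [s.strip("'").lower() for s in directives["frame-ancestors"]]
            if sources == ["none"]:
                return True, "CSP frame-ancestors 'none': framing forbidden"
            if "*" in sources:
                return False, "CSP frame-ancestors *: any origin may frame the page"
            return True, "CSP frame-ancestors restricts framing to: " + " ".join(sources)

    # 2. Fall back to X-Frame-Options.
    xfo = lower.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return True, f"X-Frame-Options {value}"
        if value.startswith("ALLOW-FROM"):
            # Obsolete directive: modern browsers ignore the whole header.
            return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by browsers"
        # Anything else (including conflicting comma-separated values) is
        # treated as invalid and the header is ignored.
        return False, f"invalid X-Frame-Options value {xfo!r}: header is ignored"

    # 3. No framing restriction at all.
    return False, "no X-Frame-Options or CSP frame-ancestors: any origin may frame the page"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[bool, str]]:
    """Run framing_verdict over a mapping of URL -> response headers."""
    return {url: framing_verdict(hdrs) for url, hdrs in responses.items()}


if __name__ == "__main__":
    # Constructed sample responses (placeholder URLs, not real sites).
    samples = {
        "https://app.example/settings": {"X-Frame-Options": "DENY"},
        "https://app.example/legacy": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "https://app.example/admin": {
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        },
        "https://app.example/widget": {
            "Content-Security-Policy": "frame-ancestors *",
            "X-Frame-Options": "DENY",  # ignored because frame-ancestors is present
        },
        "https://app.example/profile": {"Content-Type": "text/html"},
    }
    for url, (ok, reason) in audit(samples).items():
        print(f"{'PROTECTED ' if ok else 'FRAMEABLE '} {url}: {reason}")
```

Pages reported as frameable are the ones on which a multi-click attack of the kind discussed here is even possible; setting `Content-Security-Policy: frame-ancestors 'none'` (or `'self'` where same-origin framing is needed) closes the precondition regardless of how sophisticated the click redirection is. Note that this evaluates one response at a time; a site that sends several `Content-Security-Policy` headers would need them all considered, since browsers enforce the intersection.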