What is Clickjacking?
Clickjacking is a trick where a web page disguises a real button or link, typically by layering a harmless-looking element over it, so that when you think you’re clicking a normal element you’re actually activating the hidden one. It tricks you into doing actions you didn’t intend, like liking a page, changing settings, or making a purchase.
Let's break it down
- Clickjacking: “click” (pressing a mouse button) + “hijacking” (taking control of something).
- Trick: a deceptive method to fool someone.
- Hidden button or link: an interactive element that is invisible or covered by another element.
- Harmless looking: something that appears safe, like a video play button or a news article.
- Unintended action: a result you didn’t plan, such as sharing data or confirming a transaction.
Why does it matter?
Because it can make you unknowingly give away personal data, spend money, or change security settings, putting your privacy and finances at risk. Even if you’re careful, a cleverly designed page can still pull the rug out from under you.
Where is it used?
- Fake “Like” buttons on social-media sites that cause you to follow or endorse pages you never meant to.
- Hidden “Buy” or “Subscribe” buttons in online ads that charge you with a single click.
- Malicious overlays on banking portals that trigger money transfers or change account details.
- Phishing emails that embed a disguised button, leading you to a malicious site that steals credentials.
What makes it effective (from an attacker's technical perspective)
- Simple to implement: just a layer of HTML/CSS, no complex code required.
- Works across most browsers without needing special plugins.
- Can bypass many traditional security filters, because the clicks reach the legitimate site as genuine requests from the victim’s own browser and session.
- Requires no user download or installation, making it easy to spread.
- Can be combined with other attacks (e.g., phishing) for greater impact.
Not-so-good things
- Modern browsers enforce framing protections that sites can send in their responses (the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive), which block many clickjacking attempts.
- Security tools and extensions can detect and warn users about suspicious overlays.
- As users become more aware, the trick succeeds less often.
- Legal consequences for attackers are severe if caught, discouraging widespread use.
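As an added example (not from the original page), the Python below shows how a defender can evaluate a site's response headers to decide whether a browser that honours them would let the page be framed by a given parent origin. It follows the browser rule that a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options; the header values are constructed, and port and path matching are simplified.

```python
from urllib.parse import urlsplit


def _source_matches(source: str, parent: str, own: str) -> bool:
    """Match one CSP frame-ancestors source expression against a parent origin.
    Simplification: compares scheme and host only, ignoring ports."""
    src = source.strip().lower()
    p = urlsplit(parent)
    if src == "'none'":
        return False
    if src == "'self'":
        return parent == own
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:          # scheme-source, e.g. "https:"
        return p.scheme == src[:-1]
    if "://" not in src:                               # bare host-source; assume parent's scheme
        src = f"{p.scheme}://{src}"
    s = urlsplit(src)
    if s.scheme != p.scheme or not s.hostname or not p.hostname:
        return False
    if s.hostname.startswith("*."):                    # wildcard subdomain match
        return p.hostname.endswith(s.hostname[1:])
    return s.hostname == p.hostname


def framing_allowed(headers: dict, parent_origin: str, own_origin: str) -> bool:
    """Return True if a page served with these headers can be framed from parent_origin."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # frame-ancestors present: browsers ignore X-Frame-Options entirely
            return any(_source_matches(s, parent_origin, own_origin) for s in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent_origin == own_origin
    return True  # no recognised protection: any site may frame the page


if __name__ == "__main__":
    # Constructed sample responses for a hypothetical site https://bank.example
    own = "https://bank.example"
    print(framing_allowed({}, "https://evil.example", own))                      # True: unprotected
    print(framing_allowed({"X-Frame-Options": "DENY"}, "https://evil.example", own))  # False
    csp = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
           "X-Frame-Options": "DENY"}
    print(framing_allowed(csp, "https://app.partner.example", own))              # True: CSP wins over XFO
    print(framing_allowed(csp, "https://evil.example", own))                     # False
```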