Friday, November 8, 2013

Clickjacking

     Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

     A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers load another page over it in a transparent layer. The users think that they are clicking visible buttons, while they are actually performing actions on the hidden page.

Examples
     A user might receive an email with a link to a video about a news item, but another valid page, say a product page on Amazon.com, can be "hidden" on top or underneath the "PLAY" button of the news video. The user tries to "play" the video but actually "buys" the product from Amazon.

Other known exploits include:
Tricking users into enabling their webcam and microphone through Flash.
Tricking users into making their social networking profile information public.
Making users follow someone on Twitter.
Sharing links on Facebook.

Likejacking
     Likejacking is a malicious technique of tricking users of a website into posting a Facebook status update for a site they did not intentionally mean to "like".

Cursorjacking
     Cursorjacking is a UI redressing technique that displaces the cursor from the location where the user perceives it to be.

The overall idea is simple.
A visitor is lured to an evil page. No matter how. “Click to get 1000000$” or whatever.
The evil page puts a “get rich now” link on the page with z-index=-1, so that it sits beneath anything layered over it.
The evil page includes a transparent iframe from the victim domain, say facebook.com, and positions it so that the “I like it” button is right over the link.

Here’s how it looks (half-transparent iframe for demo purposes):


      A click on the link actually happens on the iframe. Bingo! If the visitor is logged into facebook (and most of the time they are), then facebook.com receives the click on behalf of the visitor.

On Twitter, it was the “Follow” button.
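The overlay trick above only works if the victim site lets a foreign origin load it in an iframe, so that is the condition a defender should verify. As an added example (not code from the original post), the JavaScript below evaluates a site's real X-Frame-Options and Content-Security-Policy frame-ancestors response headers against a framing origin; the header sets and origins are constructed, and the CSP source matcher is simplified to the source forms used here.

```javascript
// Decide whether a page with the given response headers can be framed by
// framerOrigin. Header names are real; sample values below are constructed.

function parseFrameAncestors(csp) {
  // Return the source list of the frame-ancestors directive, or null if absent.
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

function sourceMatches(src, framerOrigin, pageOrigin) {
  // Simplified matcher: 'none', 'self', *, *.host, scheme: and exact origins only.
  const s = src.replace(/^'|'$/g, "").toLowerCase();
  if (s === "none") return false;
  if (s === "self") return framerOrigin === pageOrigin;
  if (s === "*") return true;
  if (s.startsWith("*.")) {
    return new URL(framerOrigin).hostname.endsWith(s.slice(1));
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framerOrigin.startsWith(s);
  return s.replace(/\/$/, "") === framerOrigin.toLowerCase();
}

function framingAllowed(headers, framerOrigin, pageOrigin) {
  // headers: object keyed by lowercase header name. A CSP frame-ancestors
  // directive takes precedence over X-Frame-Options when both are present.
  const csp = headers["content-security-policy"];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors) {
    return ancestors.some((src) => sourceMatches(src, framerOrigin, pageOrigin));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return framerOrigin === pageOrigin;
  return true; // no policy at all: any origin may frame the page
}

// Constructed scenario matching the overlay described above.
const attacker = "https://evil.example";
const victim = "https://social.example";
const samples = {
  "no headers": {},
  "X-Frame-Options SAMEORIGIN": { "x-frame-options": "SAMEORIGIN" },
  "CSP frame-ancestors 'self'": { "content-security-policy": "frame-ancestors 'self'" },
};
for (const [name, headers] of Object.entries(samples)) {
  console.log(name, "-> frameable by attacker:", framingAllowed(headers, attacker, victim));
}
```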