Performing Clickjacking Attacks in the Wild: 99% are Still Vulnerable!

Abstract

Clickjacking is an attack that tricks victims into clicking on invisible elements of a web page to perform unin- tended actions that might be advantageous for the attacker. To defend against clickjacking, many techniques have been proposed, but it is still questionable whether they are effectively deployed in practice. We investigated how vulnerable Korean websites are to clickjacking attacks by performing real attacks on the top 500 most popular Korean websites as well as all of the financial websites. Our results are quite significant: almost all Korean websites (99.6%) that we looked at were vulnerable to clickjacking attacks. Extending our observation to top 500 global websites, we found that 390 of them (78%) were also vulnerable to clickjacking attacks and identified which type of website is particularly insecure against clickjacking.