Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

A vulnerability across a variety of browsers and platforms, clickjacking takes the form of embedded code or script that executes without the user's knowledge, for example when a button that appears to do one thing in fact performs another. Among the more alarming ways it can be used: covertly watching and listening to people who have microphones and webcams attached to their computers.

Flash developer Guy Aharonovsky showed how clickjacking can be used and wrote a quick-and-dirty JavaScript game to demonstrate how an attacker can get hold of the user's camera and microphone.

The basic idea is that an attacker loads the content of an external site into the site you're visiting, makes that external content invisible and overlays it on the page you're looking at. When you click a link you see on the current page, you are in fact clicking on the externally loaded page and about to trigger pretty much whatever the attacker wants.

Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a Web page, they may actually be clicking on content from another page.

Clickjacking can be understood as an instance of the confused deputy problem. This also suggests a potential solution using capability-based security: if the page containing an authority-bearing button or information is accessible only at a URL that acts as a capability, then an attacking site will not know this URL unless it has been explicitly authorized to access the page.

There are multiple variants of clickjacking, some of which require cross-domain access, some of which use iframes, some of which require JavaScript, and some of which involve page overlays.

In order to be protected against clickjacking, it is advised that you put tape over your camera, disable your microphone, install NoScript, and/or disable your plug-ins. NoScript is a Firefox extension that stops Flash, Java, JavaScript and other plug-ins from running in your browser. It includes a new anti-clickjacking feature called ClearClick, which reveals transparent or concealed windows so the user can see attempts to co-opt clicks for malicious purposes. NoScript's whitelist-based, pre-emptive script-blocking approach prevents exploitation of security vulnerabilities with no loss of functionality.
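The defences above are all on the user's side. A site owner can also refuse to be framed at all, which removes the invisible-overlay variant described earlier for every visitor regardless of browser add-ons. The following Python audit is an added example, not code from the original article or from NoScript: it reads a response's headers and reports whether the two browser-enforced anti-framing controls, the X-Frame-Options header and the Content-Security-Policy frame-ancestors directive, are present and effective. The header sets at the bottom are constructed samples, including two mistakes that leave a page frameable even though a header is set.

```python
"""Audit HTTP response headers for clickjacking (framing) protection.

Added example, not code from the original article. Checks the two
browser-enforced anti-framing mechanisms: the X-Frame-Options header
and the Content-Security-Policy frame-ancestors directive. The header
sets under SAMPLES are constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

Verdict = Tuple[str, str]  # (classification, reason)


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list (lower-cased), or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def check_x_frame_options(value: str) -> Verdict:
    """Interpret X-Frame-Options the way browsers do: invalid values are ignored."""
    v = value.strip().upper()
    if "," in v:
        # Two values such as "DENY, SAMEORIGIN" conflict; browsers drop the header.
        return ("unprotected", "conflicting X-Frame-Options values are ignored")
    if v == "DENY":
        return ("blocked", "X-Frame-Options: DENY")
    if v == "SAMEORIGIN":
        return ("restricted", "X-Frame-Options: SAMEORIGIN")
    if v.startswith("ALLOW-FROM"):
        # Obsolete directive; current browsers ignore it, so it gives no protection.
        return ("unprotected", "ALLOW-FROM is obsolete and ignored by current browsers")
    return ("unprotected", f"unrecognised X-Frame-Options value {value!r}")


def framing_protection(headers: Dict[str, str]) -> Verdict:
    """Classify a response as 'blocked', 'restricted' (some origins may frame) or 'unprotected'.

    frame-ancestors takes precedence over X-Frame-Options in browsers that
    support CSP, so it is evaluated first.
    """
    csp = get_header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = parse_frame_ancestors(csp)
        if sources is not None:
            if sources == ["'none'"] or not sources:
                # An empty source list is equivalent to 'none' under CSP.
                return ("blocked", "frame-ancestors 'none'")
            if "*" in sources:
                return ("unprotected", "frame-ancestors permits any origin")
            return ("restricted", "frame-ancestors " + " ".join(sources))
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is not None:
        return check_x_frame_options(xfo)
    return ("unprotected", "no X-Frame-Options and no frame-ancestors directive")


# Constructed sample responses (header dicts), not captured from any real site.
SAMPLES: Dict[str, Dict[str, str]] = {
    "legacy-no-headers": {"Content-Type": "text/html"},
    "xfo-deny": {"x-frame-options": "DENY"},
    "xfo-conflict": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    # CSP wins over the stricter X-Frame-Options value when both are present.
    "csp-partner": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
                    "X-Frame-Options": "DENY"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *"},
}


def audit(samples: Dict[str, Dict[str, str]]) -> Dict[str, Verdict]:
    """Run framing_protection over every sample and collect the verdicts."""
    return {name: framing_protection(h) for name, h in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in audit(SAMPLES).items():
        print(f"{name:18} {verdict:12} {reason}")
```

Running the script prints one verdict per sample. The two traps worth noting are the conflicting X-Frame-Options pair, which browsers discard entirely, and the wildcard frame-ancestors policy, which satisfies a naive "is the header present" check while allowing any page to embed the site. ClearClick-style defences in the browser still help users of sites that set neither control, but a site that emits `frame-ancestors 'none'` (or `X-Frame-Options: DENY` for older browsers) cannot be loaded as an invisible overlay in the first place.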