Vol. 1 · Ed. 2026
CyberGlossary
Entry № 203

Clickjacking

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Clickjacking?

Clickjacking: A UI-redress attack that tricks users into clicking on something different from what they perceive by overlaying or hiding a target page inside an attacker-controlled page.


Clickjacking embeds a sensitive page (for example, account settings, OAuth consent, payment confirmation) inside an iframe on a malicious site and visually disguises it — often through transparency, careful CSS overlays, or strategic positioning under decoy buttons. The user thinks they are interacting with the visible page, while their clicks, taps, or drags are actually delivered to the hidden frame, performing actions in their authenticated session.

The term was coined in 2008 by Jeremiah Grossman and Robert Hansen, who demonstrated framing Adobe Flash's settings manager to silently enable a victim's webcam and microphone. The defence that emerged, the X-Frame-Options header, was standardised as RFC 7034 (2013) and has since been superseded by the Content-Security-Policy frame-ancestors directive, which is more granular and supports multiple allowed origins. Variants keep evolving: cursorjacking, drag-and-drop data theft, and likejacking. In late 2024 researcher Paulos Yibelo published "DoubleClickjacking," which exploits the gap between the two events of a double-click to swap the underlying page after the first click, bypassing X-Frame-Options, frame-ancestors, and SameSite cookies because no cross-site frame is actually present at click time.

Defences combine framing controls (frame-ancestors 'self' or an explicit allowlist), explicit user-gesture and confirmation requirements for sensitive actions, disabling buttons until a brief delay after focus, and SameSite cookies to limit cross-context state.
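The framing controls above follow a precedence rule worth checking in practice: when a Content-Security-Policy response carries frame-ancestors, browsers enforce it and ignore X-Frame-Options entirely. The following header audit is an added example, not code from this glossary; it assumes the response headers are available as a plain dict of header names to values (constructed inputs are used in the comments).

```python
"""Audit an HTTP response's headers for clickjacking (framing) protection.

Applies the precedence browsers use: a frame-ancestors directive in
Content-Security-Policy wins, and X-Frame-Options is then ignored.
"""
from dataclasses import dataclass, field


@dataclass
class FramingVerdict:
    protected: bool
    source: str                                  # "csp", "xfo" or "none"
    allowed: list = field(default_factory=list)  # sources permitted to frame the page
    notes: list = field(default_factory=list)


def frame_ancestors(csp: str):
    """Return the frame-ancestors source list (quotes stripped), or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def audit_framing(headers: dict) -> FramingVerdict:
    h = {k.lower(): v.strip() for k, v in headers.items()}
    notes = []
    # A Report-Only policy only reports; it never blocks a framing attempt.
    if frame_ancestors(h.get("content-security-policy-report-only", "")) is not None:
        notes.append("frame-ancestors in a Report-Only policy is not enforced")
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if "x-frame-options" in h:
            notes.append("X-Frame-Options is ignored when frame-ancestors is present")
        if sources == ["none"]:
            return FramingVerdict(True, "csp", [], notes)
        # A wildcard or scheme-only source lets any site on that scheme frame the page.
        if "*" in sources or any(s in ("http:", "https:") for s in sources):
            notes.append("frame-ancestors permits arbitrary framing")
            return FramingVerdict(False, "csp", sources, notes)
        return FramingVerdict(True, "csp", sources, notes)   # explicit allowlist (or 'self')
    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return FramingVerdict(True, "xfo", [], notes)
    if xfo == "SAMEORIGIN":
        return FramingVerdict(True, "xfo", ["self"], notes)
    if xfo.startswith("ALLOW-FROM"):
        notes.append("ALLOW-FROM is obsolete and unsupported by current browsers")
        return FramingVerdict(False, "xfo", [], notes)
    if xfo:
        notes.append(f"unrecognised X-Frame-Options value: {xfo}")
    return FramingVerdict(False, "none", [], notes)
```

Run it against the headers of each sensitive page (consent, settings, payment confirmation); a `protected=False` verdict or any note is a finding to fix.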

flowchart TD
  A[Victim visits<br/>attacker page] --> B[Decoy UI:<br/>'Click to win']
  B --> C[Invisible iframe loads<br/>real target site]
  C --> D[Victim is logged in<br/>to target]
  B --> E[Transparent overlay<br/>aligns hidden button]
  E --> F[Victim clicks decoy]
  F --> G[Click lands on hidden<br/>'Approve' button]
  G --> H[Action runs in<br/>victim's session]

Examples

  1. A page tells users to "click here to win", with a transparent iframe over the button pointing to a social-network share-permission dialog.

  2. A pixel-perfect overlay tricks a user into clicking "Approve" on an OAuth consent screen for an attacker app.

Frequently asked questions

What is Clickjacking?

A UI-redress attack that tricks users into clicking on something different from what they perceive by overlaying or hiding a target page inside an attacker-controlled page. It belongs to the Attacks & Threats category of cybersecurity.

What does Clickjacking mean?

A UI-redress attack that tricks users into clicking on something different from what they perceive by overlaying or hiding a target page inside an attacker-controlled page.

How do you defend against Clickjacking?

Defences for Clickjacking combine technical controls and operational practices: framing controls (the Content-Security-Policy frame-ancestors directive, or X-Frame-Options for older clients), explicit user-gesture and confirmation requirements for sensitive actions, a brief delay before buttons become active after focus, and SameSite cookies to limit cross-context state, as detailed in the full definition above.

What are other names for Clickjacking?

Common alternative names include: UI redress attack.
