In those old, old, old humorous TV shows or movies there would sometimes be a car chase, or car rally, or similar. One of the lead cars in the race would stop at a road sign, the driver would jump out, swivel the sign to point in the wrong direction, and then drive off in the right direction laughing heartily. All the following cars, of course, went off in the wrong direction.
That’s what clickjacking is about, except the rally course is web pages, and the road signs are links. Here’s how this latest sneaky exploit is described by SearchSecurity.com:
The basic idea behind clickjacking is that it allows attackers to force Web users to click on a malicious link when they think they’re clicking on something completely benign. For example, in one of the scenarios that Hansen and Grossman described, an attacker could construct a malicious Web page designed to install a rootkit or other malware on a user’s PC and then overlay that entire page with a harmless-looking page, say one that has a Flash-based game on it. As the user clicks on the various links and buttons on the page, he is in fact clicking on hidden links controlled by the attacker.
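The overlay trick described above only works if the victim page can be loaded inside a frame on a page the attacker controls, so the usual server-side defence is to refuse framing. The following checker is an added example, not code from this post or from SearchSecurity.com: it classifies a response's framing policy from its X-Frame-Options header and its Content-Security-Policy frame-ancestors directive, and the sample header sets it runs over are constructed.

```python
from typing import Dict, List, Optional


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # Keyword sources ('self', 'none') are case-insensitive; host sources are kept as-is.
            return [p.lower() if p.startswith("'") else p for p in parts[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify a response as 'denied', 'same-origin', 'restricted' or 'frameable'.

    `headers` maps response header names (any case) to their values.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    # A frame-ancestors directive takes precedence over X-Frame-Options in
    # browsers that support it, so it is evaluated first.
    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = frame_ancestors(csp)
        if ancestors is not None:
            if ancestors in ([], ["'none'"]):  # empty source list behaves like 'none'
                return "denied"
            if ancestors == ["'self'"]:
                return "same-origin"
            return "restricted"  # framing allowed only from the listed origins

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is no longer honoured by browsers; treat it as no protection.
    return "frameable"


# Constructed sample responses: only the first can be framed and overlaid.
SAMPLES = {
    "legacy app": {"Content-Type": "text/html"},
    "hardened app": {"X-Frame-Options": "DENY"},
    "csp app": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {framing_policy(hdrs)}")
```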
[Mentioned on the Wise Women mailing list.]