
A new demo exploit proves that browser vendors still haven’t found an effective way of protecting users against clickjacking attacks. Clickjacking involves trying to position items such as a transparent iFrame underneath a visitor’s mouse pointer on a specially crafted web page. This fools users into performing an undesired action when clicking on an apparently innocuous item.

The demo exploit now published by Israeli programmer Narkolayev Shlomi impressively demonstrates the problem in Facebook. It makes users believe they are clicking on a harmless web page link; the click actually adds an app to the user’s Facebook account. Victims must be logged into Facebook for the attack to be successful, but this is quite a common scenario.

Similar attacks were launched on services such as Twitter last year. The effect of clickjacking attacks is similar to that of cross-site request forgery attacks (XSRF). However, the two methods are fundamentally different. Clickjacking isn’t easily prevented. With XSRF, instructing the server to embed an unguessable, user-related token into the URL is enough to render most attacks ineffective. With clickjacking attacks, on the other hand, protection cannot be achieved via server settings.
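As an added example (not code from the article or from the demo), here is the kind of client-side guard a site could ship in its own pages at the time: the framed document detects that it is not the top-level window and refuses to render anything clickable until it has broken out of the frame. The `win` parameter (so the logic can be tested with plain objects), the `allowedAncestors` allow-list and the referrer-based origin check are assumptions of this example.

```javascript
// Added example: a client-side anti-framing guard for a page that must not be
// embedded in another site's frame. Takes the window object as a parameter so
// the decision logic can be exercised with constructed mock objects.

// A clickjacking page loads the victim document inside an (often transparent)
// iframe. From inside that document, `self` and `top` differ when it is framed.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    // Reading `top` across origins can throw; a throw means a foreign parent
    // exists, so treat the document as framed.
    return true;
  }
}

// Decide whether to render. `allowedAncestors` is a hypothetical allow-list of
// origins permitted to frame the page (e.g. the site's own origin). The
// referrer is usually the only hint a framed document has about its parent.
function framingDecision(win, allowedAncestors) {
  if (!isFramed(win)) return "render";
  let parentOrigin = null;
  try {
    parentOrigin = new URL(win.document.referrer).origin;
  } catch (e) {
    // empty or unparsable referrer: parent origin unknown
  }
  if (parentOrigin !== null && allowedAncestors.includes(parentOrigin)) return "render";
  return "break-out";
}

// Apply the decision. The markup ships with <body style="display:none"> so no
// clickable element exists until the check passes; when framed by an unknown
// parent, the page navigates the top window to itself instead of revealing content.
function applyFramingGuard(win, allowedAncestors) {
  const decision = framingDecision(win, allowedAncestors);
  if (decision === "render") {
    win.document.body.style.display = "block";
  } else {
    win.top.location = win.self.location;
  }
  return decision;
}

// In a browser, run the guard for the current page as early as possible.
if (typeof window !== "undefined") {
  applyFramingGuard(window, [window.location.origin]);
}
```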

Read more here.
