My understanding of clickjacking attacks is that an attacker could embed my site
Question
My understanding of clickjacking attacks is that an attacker could embed my site in his. The attacker then uses clever styling to trick the user into performing actions on my site that they did not intend to perform.
Suppose my site does not have the concept of a user account, where someone could perform more actions than one could without being logged in.
Then is a clickjacking attack still applicable to my site?
More specifically: if I allow users to purchase things on my site but require them to enter their personal and credit card info each time, because they don't have an "account" with the site, can I allow my site to be embedded in iframes on other sites?
Explanation / Answer
Yes, your site can be clickjacked, whether you have user accounts or not.
If users have accounts on your site, then the clickjacking attack can be made against the account. But one could also perform a clickjacking attack against some other aspect of the target.
Wikipedia has a few examples: tricking a user into enabling their webcam, into following someone on Twitter, or into "liking" something on Facebook.
The fact that your users don't have an account does not protect them from a clickjacking attack. If the clickjacker is after the credit card number, the requirement for the user to type in all their information makes it easier for the clickjacker to get that personal data as well.