Tamper-Resistant LikeJacking Protection

The ClickJacking variant LikeJacking specifically targets Web widgets that offer seamless integration of third party services, such as social sharing facilities. The standard defense against ClickJacking is preventing framing completely or allowing framing only in trusted contexts. These measures cannot be taken in the case of LikeJacking, due to the widgets' inherent requirement to be available to arbitrary Web applications. In this paper, we report on advances in implementing LikeJacking protection that takes the specific needs of such widgets into account and is compatible with current browsers. Our technique is based on three pillars: A JavaScript-driven visibility check, a secure in-browser communication protocol, and a reliable method to validate the integrity of essential DOM properties and APIs. To study our protection mechanism's performance characteristics and interoperability with productive Web code, we applied it to 635 real-world Web pages. The evaluation's results show that our method performs well even for large, non-trivial DOM structures and is applicable without requiring changes for the majority of the social sharing widgets used by the tested Web applications.