What is clickjacking ?

1. Foundations of Cybersecurity: The CIA Triad (basic)

Welcome to your first step in mastering cybersecurity! To understand how systems are attacked, we must first understand what we are trying to protect. In the world of information security, the CIA Triad serves as the foundational model. It consists of three pillars: Confidentiality, Integrity, and Availability. Think of these as the three guards protecting a treasure chest; if any one of them falls asleep, the treasure is at risk. First, Confidentiality is about ensuring that sensitive information is only accessible to those authorized to see it. Throughout history, keeping secrets has been a matter of national survival. For instance, during the Cold War, agencies like the American CIA and the Soviet KGB were dedicated to espionage—either protecting their own government records or trying to steal the secrets of others History, Class XII (Tamilnadu State Board 2024 ed.), The World after World War II, p.249. In a modern context, this relates to how we protect Aadhaar metadata or private contracts from being shared with unauthorized private corporations Indian Polity, M. Laxmikanth (7th ed.), World Constitutions, p.757. Second, Integrity ensures that information remains accurate and has not been tampered with by unauthorized parties. As the internet is increasingly used for e-commerce and money transactions INDIA PEOPLE AND ECONOMY, TEXTBOOK IN GEOGRAPHY FOR CLASS XII (NCERT 2025 ed.), Transport and Communication, p.83, it is vital that the data stays consistent. If you send ₹100 to a friend, but a hacker changes the value to ₹10,000 in transit, the integrity of that transaction has been compromised. Finally, Availability means that the information and systems are ready for use when needed. Since the internet acts as a "huge central warehouse of data" INDIA PEOPLE AND ECONOMY, TEXTBOOK IN GEOGRAPHY FOR CLASS XII (NCERT 2025 ed.), Transport and Communication, p.83, a system is useless if a user cannot access it when they need to make a call or obtain information.

Pillar	Core Objective	Example Failure
Confidentiality	Keep data secret.	A stranger reads your private emails.
Integrity	Keep data accurate.	A hacker changes your exam grades.
Availability	Keep data accessible.	A bank's website crashes during business hours.

Sources: History, Class XII (Tamilnadu State Board 2024 ed.), The World after World War II, p.249; Indian Polity, M. Laxmikanth (7th ed.), World Constitutions, p.757; INDIA PEOPLE AND ECONOMY, TEXTBOOK IN GEOGRAPHY FOR CLASS XII (NCERT 2025 ed.), Transport and Communication, p.83

2. Social Engineering: The Human Element in Cyber Attacks (intermediate)

In the realm of cybersecurity, while we often focus on firewalls and encryption, the most vulnerable component is often the person sitting in front of the screen. Social Engineering is a deceptive technique that manipulates human psychology rather than exploiting software bugs. It is the "art" of tricking individuals into divulging confidential information or performing actions that compromise security. One of the most sophisticated forms of this is the Clickjacking attack, also known as UI Redressing.

Imagine a physical scenario where someone places a transparent sheet over a contract. You think you are signing a guestbook, but your signature is actually being captured on a hidden legal document underneath. In the digital world, Clickjacking works similarly: an attacker overlays a hidden or transparent interface (often using iframes) over a legitimate-looking webpage. When you click what you perceive to be a harmless "Play" button or a "Like" icon, you are actually interacting with a hidden layer. This can lead to disastrous outcomes, such as making unauthorized financial transfers, downloading malware, or compromising sensitive banking credentials like your IFSC (Indian Financial System Code), which is essential for identifying bank branches in systems like NEFT or RTGS Indian Economy, Nitin Singhania (ed 2nd 2021-22), Money and Banking, p.196.

To combat these evolving high-technology crimes, specialized agencies like the Central Bureau of Investigation (CBI) focus on creating a work environment that encourages teamwork and communication to better investigate complex digital frauds Indian Polity, M. Laxmikanth (7th ed.), Central Bureau of Investigation, p.504. Furthermore, the Indian government has recognized the urgent need for digital literacy. Through the Future Skills PRIME initiative, the Ministry of Electronics and Information Technology (MeitY) and NASSCOM are upskilling professionals in Cybersecurity and AI to bridge the demand-supply gap in the skilled workforce Indian Economy, Vivek Singh (7th ed. 2023-24), Indian Economy after 2014, p.241. Understanding these human-centric threats is the first step toward building a robust digital defense.

Sources: Indian Economy, Nitin Singhania (ed 2nd 2021-22), Money and Banking, p.196; Indian Polity, M. Laxmikanth (7th ed.), Central Bureau of Investigation, p.504; Indian Economy, Vivek Singh (7th ed. 2023-24), Indian Economy after 2014, p.241

3. Web Vulnerabilities: Spoofing and Redirection (intermediate)

In the digital landscape, Spoofing and Redirection are deceptive tactics used to mislead users and systems. A particularly clever and dangerous form of this is Clickjacking, also known as a UI (User Interface) Redress Attack. At its core, Clickjacking exploits the fundamental trust we place in what we see on our screens. While modern educational resources often encourage us to use interactive tools, such as scanning a QR code or typing a URL to explore historical maps and quizzes History Class XI (Tamilnadu State Board), Polity and Society in Post-Mauryan Period, p.88, these very gateways can be manipulated if the destination site lacks proper security protocols.

The mechanism of Clickjacking is like a "digital transparency." An attacker places a hidden or transparent layer (typically using an HTML iframe) over a legitimate-looking webpage. When you think you are clicking a harmless button—perhaps to load a Flash Player or interact with a JavaScript element as seen in academic portals History Class XII (Tamilnadu State Board), Rise of Extremism and Swadeshi Movement, p.30—you are actually clicking a hidden button on a completely different site. For example, a "Play Video" button might be overlaying an invisible "Delete All Contacts" or "Confirm Purchase" button. You perceive one action, but your browser executes another.

Feature	Spoofing	Clickjacking (UI Redress)
Primary Method	Faking a digital identity (IP, Email, DNS).	Layering an invisible malicious interface over a real one.
User Awareness	User thinks they are on a different site.	User thinks they are performing a different action on the same site.

The consequences of these vulnerabilities can range from minor annoyances to severe security breaches, such as the unauthorized transfer of funds or the unintentional downloading of malware. In the broader context of national security, we see how physical attacks on institutions like the Parliament House or military convoys lead to stringent laws like POTA Spectrum, After Nehru..., p.758, 791. Similarly, in the cyber domain, vulnerabilities like Clickjacking require robust defense mechanisms—such as Content Security Policies (CSP) and X-Frame-Options—to ensure that the digital infrastructure remains as secure as the physical one.

Sources: History, Class XI (Tamilnadu State Board 2024 ed.), Polity and Society in Post-Mauryan Period, p.88; History, Class XII (Tamilnadu State Board 2024 ed.), Rise of Extremism and Swadeshi Movement, p.30; A Brief History of Modern India (2019 ed.). SPECTRUM., After Nehru..., p.758, 791

4. India's Cybersecurity Framework and Institutions (exam-level)

To understand India's defense against digital threats, we must look at the National Cybersecurity Framework as a multi-layered shield composed of legislation, policy, and specialized institutions. At the foundation lies the Information Technology (IT) Act, 2000 (amended in 2008), which provides the legal sanctity for electronic governance and defines cybercrimes. Since matters of communication and technology fall under the Union List, the Parliament exercises its legislative power to frame these laws Indian Polity, M. Laxmikanth(7th ed.), Parliament, p.256. This legislative backing allows the executive branch to create dedicated agencies that monitor, prevent, and respond to various cyber-attacks like phishing, malware, and sophisticated UI-redress attacks (such as clickjacking).

The institutional architecture is led by the National Cyber Security Coordinator (NCSC), who functions within the National Security Council Secretariat (NSCS) to coordinate between different central agencies. However, the 'boots on the ground' are two primary organizations with distinct mandates:

• CERT-In (Indian Computer Emergency Response Team): Housed under the Ministry of Electronics and Information Technology (MeitY), it is the national nodal agency for responding to computer security incidents. It issues alerts on vulnerabilities and coordinates emergency measures during a cyber-attack.
• NCIIPC (National Critical Information Infrastructure Protection Centre): Established under Section 70A of the IT Act, this body focuses exclusively on protecting Critical Information Infrastructure (CII)—sectors like Power, Banking, Telecom, and Transport, whose destruction would have a debilitating impact on national security.

To streamline the fight against cybercrime at the grassroots level, the Ministry of Home Affairs (MHA) established the Indian Cyber Crime Coordination Centre (I4C). While CERT-In deals with technical security breaches, I4C acts as a bridge between law enforcement agencies across different states to tackle crimes like financial fraud and online harassment. This is vital because, as noted in the administrative structure of the country, the Union often assists states in specialized functions through centralized schemes Laxmikanth, M. Indian Polity. 7th ed., Union Public Service Commission, p.424.

Agency	Primary Role	Parent Ministry
CERT-In	Emergency response & vulnerability advisories for the general web.	MeitY
NCIIPC	Protection of Critical Infrastructure (e.g., Nuclear, Power grids).	PMO (via NTRO)
I4C	Coordination of cybercrime investigation and law enforcement.	Home Affairs

Sources: Indian Polity, M. Laxmikanth(7th ed.), Parliament, p.256; Laxmikanth, M. Indian Polity. 7th ed., McGraw Hill, Union Public Service Commission, p.424

5. UI Redress Attacks: The Mechanics of iframes (intermediate)

At its core, a UI Redress Attack, commonly known as Clickjacking, is a deceptive technique that manipulates a user's visual perception to trick them into performing unintended actions. Imagine looking at a wall with a button that says "Get Free Gift." However, unbeknownst to you, there is a sheet of perfectly clear glass in front of the wall, and on that glass is a completely different button—perhaps one that says "Delete My Account"—aligned perfectly with the one you see. When you reach out to click the gift button, you are actually pressing the button on the glass. This is exactly how clickjacking works in a web browser.

The primary mechanism behind this attack is the iframe (inline frame). An iframe is an HTML element that allows a website to embed another website inside it. In a UI redress attack, the attacker creates a malicious webpage and loads a legitimate site (like a social media settings page or a banking portal) inside an iframe. Using CSS (Cascading Style Sheets), the attacker set the opacity of that iframe to zero, making it completely transparent. Even though you cannot see it, the invisible site is still "there" and active. As noted in technical instructions for loading web pages, such as those reminding users to allow certain scripts for pages to load correctly in History, class XII (Tamilnadu state board 2024 ed.), Rise of Extremism and Swadeshi Movement, p.30, the browser's ability to render and interact with these embedded layers is a standard feature that attackers exploit.

This attack is particularly dangerous because it bypasses traditional security logic by hijacking the user's intent. The user believes they are interacting with the visible, harmless layer (the "redressed" UI), but the browser registers the click on the hidden, sensitive layer. This can lead to unauthorized data disclosure, such as revealing credit card details or downloading malware. Just as international protocols like the Kyoto Protocol create binding commitments for environmental protection Environment, Shankar IAS Academy (ed 10th), Climate Change Organizations, p.329, web developers must use specific security headers (like X-Frame-Options) to "bind" their sites against being embedded in unauthorized iframes, protecting users from these invisible traps.

Sources: History, class XII (Tamilnadu state board 2024 ed.), Rise of Extremism and Swadeshi Movement, p.30; Environment, Shankar IAS Academy (ed 10th), Climate Change Organizations, p.329

6. Clickjacking: Definition and Prevention (exam-level)

Clickjacking, technically known as a UI Redress Attack, is a deceptive technique where an attacker tricks a user into clicking on something different from what the user perceives they are clicking on. Think of it as a digital version of "bait and switch." The attacker overlays an invisible or transparent layer (typically an iframe) over a legitimate-looking webpage. While you think you are clicking a harmless "Play Video" or "Like" button, your click is actually being hijacked by the hidden layer to perform an unintended action, such as transferring funds, changing account settings, or downloading malware.

To execute this, attackers rely on precise positioning. Just as coordinates are used to identify a specific point on the Earth’s surface to ensure accuracy Physical Geography by PMF IAS, Latitudes and Longitudes, p.250, hackers use CSS and HTML coordinates to align their malicious, invisible buttons exactly on top of the visible, trusted ones. This exploit often takes advantage of how browsers load active content like JavaScript or legacy plugins History, class XII (Tamilnadu state board 2024 ed.), Reconstruction of Post-colonial India, p.114. When a user interacts with the UI, they are essentially interacting with a "ghost" layer that the browser processes as a valid command from the user.

Preventing Clickjacking requires robust server-side instructions to the browser. The most common defenses include:

• X-Frame-Options: A HTTP header that tells the browser whether it is permitted to render a page in a <frame> or <iframe>. Setting this to DENY or SAMEORIGIN prevents external sites from embedding your content.
• Content Security Policy (CSP): A modern security layer where the frame-ancestors directive defines which parent pages are allowed to embed the site.
• Frame-busting scripts: Older JavaScript snippets that try to force the page to be the top-level window, though these are less reliable than header-based defenses.

Just as legal frameworks like the Defence of India Act were historically framed to "prevent" prejudicial acts before they could cause harm Introduction to the Constitution of India, D. D. Basu, FUNDAMENTAL RIGHTS AND FUNDAMENTAL DUTIES, p.135, these technical headers act as a preventive detention for malicious frames, stopping the attack before the user even moves their mouse.

Sources: Physical Geography by PMF IAS, Latitudes and Longitudes, p.250; History, class XII (Tamilnadu state board 2024 ed.), Reconstruction of Post-colonial India, p.114; Introduction to the Constitution of India, D. D. Basu, FUNDAMENTAL RIGHTS AND FUNDAMENTAL DUTIES, p.135

7. Solving the Original PYQ (exam-level)

Now that you have mastered the fundamentals of cybersecurity threats and web vulnerabilities, this question serves as a perfect application of the UI Redress Attack concept. As you recall from our study of iframes and transparent overlays, clickjacking isn't about the hardware or the speed of data; it is about the manipulation of the user interface. By layering an invisible, malicious element over a legitimate button, an attacker effectively "hijacks" your intended action, turning a routine click into a security breach.

To arrive at the correct answer, (C) A malicious technique of tricking Web users into revealing confidential information, you must focus on the etymology of the word: "Click" + "Hijacking". Think like an examiner—if a term sounds like a hybrid of a common action and a criminal activity, it likely refers to a deceptive practice. The core mechanism involves trickery where the user perceives one action (like closing a pop-up) but performs another (like authorizing a bank transfer or sharing login credentials).

UPSC often includes distractors to test your technical precision. Option (A) uses pseudo-technical jargon ("bit second") to sound impressive, while Option (B) provides a literalist trap by suggesting it is a simple counting device. Option (D) is a generic distractor that describes a standard digital process unrelated to security. By identifying that clickjacking is fundamentally about deception and confidentiality loss, you can easily bypass these traps and secure the mark.