This was an interesting realization. I was talking with Jeremiah Grossman the other day and it occurred to me that, timing-wise, we lucked out with clickjacking. Let me explain.
In 2008 not a lot of companies were protecting themselves using nonces (one-time tokens) from things like CSRF. Nonces are the preferred method of protecting websites from CSRF. Of course, if the companies don’t use them then they’re vulnerable, so there’s no point in worrying about other exploits until companies start to use nonces. Clickjacking wasn’t a big deal at that time because so few of the big websites had started protecting themselves from CSRF at that point. It was only once banks and social networks integrated CSRF nonces into their applications that clickjacking became a practical attack to circumvent CSRF protection. That’s one of the reasons Jeremiah and I felt that it was good timing to release the vulnerability – as more companies switched to anti-CSRF nonces, clickjacking was bound to become a more practical exploit in the coming years – and since then a number of clickjacking worms have been created as a result.
At the time, Internet Explorer introduced something called X-Frame-Options, which prevents attackers from framing your website. It took a while but now it is supported in all major browsers. X-Frame-Options may not be the best security mechanism in the world because there are lots of places it can’t be used without breaking functionality, but in many ways it stopped the attack cold. However, this month an attack called Pixel Perfect Timing was released.
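The two defenses discussed above, side by side, as an added example that is not code from the original post: a one-time CSRF nonce check plus an X-Frame-Options header on every response. The function names, the in-memory session store, the `/transfer` form and the choice of `DENY` are assumptions made for illustration.

```python
import hmac
import re
import secrets

SESSIONS = {}  # session id -> current nonce (constructed in-memory store)

def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid

def security_headers():
    # DENY tells the browser not to render this response inside any frame.
    return [("X-Frame-Options", "DENY")]

def get_form(sid):
    # The genuine page always carries a valid nonce for the logged-in user.
    # That is why a nonce alone does not help once the page itself is framed:
    # the user's own click submits the real form, token included.
    body = ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf" value="{SESSIONS[sid]}">'
            '<button>Send</button></form>')
    return 200, security_headers(), body

def post_transfer(sid, form):
    expected = SESSIONS.get(sid)
    supplied = form.get("csrf", "")
    if expected is None or not hmac.compare_digest(expected.encode(),
                                                   supplied.encode()):
        return 403, security_headers(), "missing or invalid CSRF nonce"
    SESSIONS[sid] = secrets.token_urlsafe(32)  # one-time: rotate after use
    return 200, security_headers(), "transfer accepted"

def nonce_from(body):
    return re.search(r'name="csrf" value="([^"]+)"', body).group(1)

if __name__ == "__main__":
    sid = new_session()
    print(post_transfer(sid, {})[0])               # cross-site POST, no nonce
    _, headers, page = get_form(sid)
    nonce = nonce_from(page)
    print(post_transfer(sid, {"csrf": nonce})[0])  # genuine submission
    print(post_transfer(sid, {"csrf": nonce})[0])  # replayed nonce
    print(headers)
```

The nonce check rejects requests that never loaded the form, while the header is what keeps the real form, with its valid nonce, from being rendered inside another site's frame.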