Clickjacking is the latest internet security exploit. It takes control of your iSight and internal microphone through a flaw in Adobe’s Flash Player. Unfortunately, Clickjacking affects both Macs and PCs. With the built-in iSight, Macs are especially at risk. While a patch to fix this is in the works, in the meantime I will show you how to keep your Mac safe.
How does someone get Clickjacked?
Clickjacking occurs when a compromised website overlays an invisible box over a link. When you think you are clicking on a link (or a form's submit button), you are really clicking on the invisible box. This in turn will either take you to a malicious phishing website or use the flaw in Flash Player to give someone access to your iSight and microphone.
What makes Clickjacking so evil is how difficult it is to know whether you have been Clickjacked or not. All you will see is a proper link on a page that looks fine.
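The condition described above (an element you cannot see sitting on top of a link you can) is something a tool can test for even though the eye cannot. The following is an added sketch, not code from this post or from any browser or extension; the element record shape, the sample layout and both thresholds are assumptions chosen for the illustration.

```javascript
// Added example: flag near-invisible elements stacked on top of a visible link.
// The record shape ({id, tag, rect, opacity, zIndex}) and both thresholds are
// assumptions made for this sketch, not values from any browser or extension.

const MAX_VISIBLE_OPACITY = 0.1; // at or below this, treat the element as invisible
const MIN_COVERAGE = 0.5;        // fraction of the link's area that must be covered

// Area of the intersection of two rectangles {x, y, w, h}.
function overlapArea(a, b) {
  const w = Math.min(a.x + a.w, b.x + b.w) - Math.max(a.x, b.x);
  const h = Math.min(a.y + a.h, b.y + b.h) - Math.max(a.y, b.y);
  return w > 0 && h > 0 ? w * h : 0;
}

// Returns one finding per (link, overlay) pair where a click aimed at the
// link would land on an element the user cannot see.
function findHiddenOverlays(elements) {
  const links = elements.filter(
    (e) => (e.tag === "a" || e.tag === "button") && e.opacity > MAX_VISIBLE_OPACITY
  );
  const findings = [];
  for (const link of links) {
    const linkArea = link.rect.w * link.rect.h;
    if (linkArea === 0) continue; // zero-size link cannot be clicked
    for (const el of elements) {
      if (el === link) continue;
      if (el.opacity > MAX_VISIBLE_OPACITY) continue; // visible: user can see it
      if (el.zIndex <= link.zIndex) continue;         // underneath: gets no click
      const coverage = overlapArea(link.rect, el.rect) / linkArea;
      if (coverage >= MIN_COVERAGE) {
        findings.push({ link: link.id, overlay: el.id, coverage });
      }
    }
  }
  return findings;
}

// Constructed sample layout: a visible link with a transparent iframe on top,
// a second link with nothing above it, and a transparent element elsewhere.
const samplePage = [
  { id: "play-link", tag: "a", rect: { x: 100, y: 200, w: 120, h: 30 }, opacity: 1, zIndex: 1 },
  { id: "hidden-frame", tag: "iframe", rect: { x: 90, y: 190, w: 300, h: 200 }, opacity: 0, zIndex: 10 },
  { id: "about-link", tag: "a", rect: { x: 100, y: 500, w: 80, h: 20 }, opacity: 1, zIndex: 1 },
  { id: "tracking-pixel", tag: "img", rect: { x: 0, y: 0, w: 1, h: 1 }, opacity: 0, zIndex: 5 },
];

console.log(findHiddenOverlays(samplePage));
```

On the constructed layout only the transparent frame over the first link is reported; the uncovered link and the one-pixel transparent image elsewhere on the page are not.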
What can I do to prevent Clickjacking?
Aside from avoiding the obviously creepy websites on the internet, to prevent Clickjacking you’ll want to browse with Mozilla Firefox.
So load up Firefox and install the NoScript extension.
– Click on Tools in the Firefox menu bar and choose “Add-ons”.
– Click on “Get Add-ons” at the top.
– Search for NoScript and install by clicking “Add to Firefox”.
How do I use the NoScript extension?
NoScript is extremely useful and highly recommended. It will protect you from much more than Clickjacking. However, like Little Snitch, the OS X Firewall, or ZoneAlarm on the PC if you’ve ever used it, NoScript takes some getting used to.
Out of the box, NoScript is set to protect you, so let’s explore how to set exceptions for sites:
Setting a NoScript exception:
– First, go to the website you’d like to visit.
– Notice that on the lower right-hand side there is a red symbol with an S inside.
– Click on the symbol and a popup will appear.
How can I stop Flash Player from accessing my iSight?
To stop Clickjackers permanently from accessing your iSight/Microphone, we’ll have to adjust Flash Player’s preferences.
– Start by going to the Adobe Flash Settings Manager.
– Enable both adobe.com and macromedia.com in NoScript.
– Under “Global Privacy Settings”, choose the “Always Deny” setting.
Note: If you think you will need Flash Player’s use of the iSight (for in-browser video chat, for example), choose “Always Ask”.
Now you are protected against Clickjacking until Adobe fixes the flaw in Flash Player. I’d definitely recommend continual use of NoScript. Not only does it secure your browser, it can eliminate all sorts of web annoyances.