Keep your Mac safe from Clickjacking

Clickjacking is the latest internet security exploit. It takes control of your iSight and internal microphone through a flaw in Adobe’s Flash Player. Unfortunately, Clickjacking affects both Macs and PCs, and with the built-in iSight, Macs are especially at risk. While a patch is in the works, I will show you how to keep your Mac safe in the meantime.

How does someone get Clickjacked?

Clickjacking occurs when a compromised website overlays an invisible element on top of a visible link. When you think you are clicking the link (or submitting a form), you are really clicking the invisible element. Depending on what is hidden there, this will either take you to a malicious phishing website or use the flaw in Flash Player to give someone access to your iSight and microphone.

What makes Clickjacking so evil is how difficult it is to tell whether you have been Clickjacked: all you see is a normal-looking link on a page that looks fine.
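The overlay trick above only works if another site is allowed to load the page inside a frame. As an added example (not code from the original post), here is a small checker a site owner can run against a page's response headers to see whether framing is blocked; all header values in it are constructed samples.

```javascript
// Added example, not code from the original post: check whether a page's
// response headers stop other sites from framing it, which is the defence
// against the invisible-overlay trick described above. All header values
// below are constructed sample data.

// Pull the frame-ancestors source list out of a CSP header value.
// Returns null when the directive is absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Returns { protected: boolean, reason: string } for a header object.
// frame-ancestors wins over X-Frame-Options in browsers that support CSP,
// so it is evaluated first.
function assessFramingProtection(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors !== null) {
    // "*" or a bare scheme such as "https:" lets any site frame the page.
    const open = ancestors.find((a) => a === "*" || /^[a-z][a-z0-9+.-]*:$/.test(a));
    if (open) return { protected: false, reason: `frame-ancestors ${open} allows any origin` };
    // An empty source list matches nothing, so it blocks like 'none'.
    if (ancestors.length === 0 || ancestors.includes("'none'")) {
      return { protected: true, reason: "frame-ancestors blocks all framing" };
    }
    return { protected: true, reason: `framing limited to ${ancestors.join(" ")}` };
  }
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY" || xfo === "SAMEORIGIN") {
    return { protected: true, reason: `X-Frame-Options ${xfo}` };
  }
  if (xfo.startsWith("ALLOW-FROM")) {
    return { protected: false, reason: "ALLOW-FROM is ignored by most browsers; use frame-ancestors" };
  }
  return { protected: false, reason: "no anti-framing header; any site can overlay this page" };
}

// Constructed sample: a page with no anti-framing protection at all.
console.log(assessFramingProtection({ "Content-Type": "text/html" }));
```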

What can I do to prevent Clickjacking?

Aside from avoiding the obviously creepy websites on the internet, the best way to prevent Clickjacking is to browse with Mozilla Firefox.

Note: Alternatively, you can turn off JavaScript in Safari, but trust me, after one minute you will want to turn it back on.

So load up Firefox and install the NoScript extension.

– Click on Tools in the Firefox menu bar and choose “Add-ons”.

– Click on “Get Add-ons” at the top.

– Search for NoScript and install it by clicking “Add to Firefox”.

How do I use the NoScript extension?

NoScript is extremely useful and highly recommended. It will protect you from much more than Clickjacking. However, like Little Snitch, the OS X firewall, or ZoneAlarm on the PC, it takes some getting used to.

NoScript simply blocks JavaScript on every website except those you specify. You can allow JavaScript either permanently (for a banking website, say) or temporarily.

Note: Until you learn how NoScript works and have set your permanent exceptions, websites will not look or behave properly. You are about to discover that JavaScript is as prevalent on the internet as HTML and CSS.

Out of the box, NoScript is set to protect you, so let’s explore how to set exceptions for sites:

Setting a NoScript exception:

– First, go to the website you’d like to visit.

– Notice the red symbol with an S inside in the lower right-hand corner.

[Screenshot: Using NoScript]

– This symbol means that JavaScript is being blocked on this site.

– Click on the symbol and a popup will appear.

[Screenshot: Using NoScript]

– Choose “Allow” for permanent JavaScript and “Temporarily allow” for temporary JavaScript.

Note: On other websites you will see many different domains to allow or deny JavaScript from. This is normal, as parts of a site often come from different places. If you are unsure which to add, allow them temporarily one by one until the site looks normal again.

How can I stop Flash Player from accessing my iSight?

Disabling JavaScript on unknown sites is the first line of defense against Clickjacking. But what happens if a known and trusted website is compromised?

To stop Clickjackers permanently from accessing your iSight/Microphone, we’ll have to adjust Flash Player’s preferences.

– Start by going to the Adobe Flash Settings Manager.

– Allow both adobe.com and macromedia.com in NoScript.

– Under “Global Privacy Settings”, choose the “Always Deny” setting.

Note: If you think you will need Flash Player’s use of the iSight (for in-browser video chat, for example), choose “Always Ask”.

Now you are protected against Clickjacking until Adobe fixes the flaw in Flash Player. I’d definitely recommend continued use of NoScript. Not only does it secure your browser, it also eliminates all sorts of web annoyances.
