Here’s Why You Might Be Sharing Your Camera With a Cyberattacker

You open a site to watch a video. Innocent enough, right? But by simply clicking on a button, a cyberattacker might have gained access to your camera and microphone. They could be watching you without you even knowing about it. This is a form of attack called clickjacking.

So what does that actually mean? How does clickjacking work? And how can you protect yourself?

What Is Clickjacking?

Clickjacking is a type of social engineering attack that cybercriminals can use to gain access to users’ information.

The main purpose of clickjacking is to trick users into clicking on something specific that the cyberattacker has chosen. Through this, attackers can seize your device, especially the camera and microphone. In most browsers, you just have to click a single button to grant microphone and camera permissions; users, then, may unknowingly share their cameras with a cyberattacker, which can have serious consequences, especially for privacy.

How Clickjacking Works With Transparent Sites

Attackers create fake environments to trick users. Fake websites can reach a large number of people, which increases the probability of the attack’s success. Scammers design a site that looks innocent but whose real purpose is to access your camera and microphone or get you to download malware.

For instance, consider a simple clicker game that operates entirely within your browser. Its main aim is to assess your capacity for coordinating your hand and eye movements. To accomplish this, the game presents you with colored buttons that appear in different parts of the screen and prompts you to click on them. The faster you can execute this activity, the greater your level of achievement will be.

Although it seems harmless, the coordinates of the buttons that will appear on the screen are predetermined by the attacker. You think you click on a button and win the game, but you actually click on a completely different button in the background.

Accessing Your Camera With Clickjacking

Diagram of how clickjacking happens

The same goes for accessing your microphone and camera permissions. Sometimes sites need your camera and microphone. For example, an app like Zoom requires these permissions for you to be able to speak and for your image to appear in video conferencing. To grant permissions, you will see an “allow” button somewhere on your browser interface. Of course, not all platforms are as secure as Zoom.

So, when you click on an innocent-looking play button to watch a TV show or movie, you may actually be clicking an allow button hidden in the background, placed there by the hacker to open your camera.

How Do You Protect Against Clickjacking Attacks?

A malicious attacker uses various pieces of code and scripts to manipulate your screen and get you to click exactly where they want. Even developers with little experience of HTML and CSS can easily do this: they just have to adjust the opacity values of two pages layered on top of each other so that the back page is not shown to the end user.

To avoid falling prey to a seemingly simple script-based trick, one of the most effective approaches is to disable JavaScript. Most web browsers provide a security feature that enables you to turn off the JavaScript code that runs in the background of websites. For instance, in Chrome, you can access the page by typing “chrome://settings/content/javascript” in the address bar. Upon reaching this page, you will come across the Don’t allow sites to use Javascript option.

However, you need to exercise caution when selecting this option since it will block all JavaScript code on every website. Activate it only when visiting sites that you do not trust and consider unsafe. You can always reverse this setting later.

Screenshot of javascript blocking settings page for Chrome

Alternatively, you can use free, open-source, and reliable plugins to enable and disable JavaScript more easily. NoScript Security Suite is a good solution for this and offers support for many different browsers. It aims to prevent not only clickjacking attacks, but also malicious software that exists on any site you visit.

Malicious attackers don’t always code their sites to perform a clickjacking attack using transparent sites. They can also take advantage of online vulnerabilities they find while browsing the internet. For example, they can inject code by exploiting a vulnerability in the comment section of a blog. In such cases, you need to pay attention to what you actually click on, even if doing so sounds a bit paranoid.

How Do You Know if a Site Is Trustworthy?

How can you tell if you can trust a site? Attackers often don’t put too much time into designing and developing a site; it’s unnecessary time and money wasted. You can tell this from a site’s security certificates and design. For example, a large and trusted organizational site will most likely have an SSL certificate. To check this, look at the URL. If the address begins “https://”, it means that the site has an SSL certificate. That extra “S” after “HTTP” means “Secure”. Don’t solely rely on this, though.

You should also take a look at the design and content of the site. The information on the contact page, the privacy policies, and even a GDPR warning can indicate if a site is trustworthy. Research the site too. What do other users on platforms like Twitter, Facebook, and Trustpilot say about it?

If you have any knowledge of coding, you can examine the source code of the site. That way, you’ll see some of the background work and what other sites it links to.
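One way to carry out that source-code examination, as an added example that is not part of the original article: a Python script that parses a page’s HTML, flags embedded frames whose inline style makes them effectively invisible (the opacity trick described earlier), and lists the other sites the page pulls from. The sample page, the host names, and the 0.1 opacity cut-off are constructed assumptions, and only inline styles are checked, so hiding done through a separate stylesheet will not show up here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline "opacity: N" declaration (not fill-opacity etc.); only inline styles are checked.
OPACITY_RE = re.compile(r"(?<![\w-])opacity\s*:\s*([0-9]*\.?[0-9]+)", re.I)
FRAME_TAGS = {"iframe", "frame", "object", "embed"}
THRESHOLD = 0.1  # assumed cut-off for "effectively invisible"

class SourceAudit(HTMLParser):
    """Collects near-invisible frames and external hosts from page source."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.hidden_frames = []       # (tag, url, opacity)
        self.external_hosts = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get("src") or a.get("href") or a.get("data") or ""
        host = urlparse(url).hostname
        if host and host != self.page_host:
            self.external_hosts.add(host)
        match = OPACITY_RE.search(a.get("style", ""))
        if tag in FRAME_TAGS and match and float(match.group(1)) <= THRESHOLD:
            self.hidden_frames.append((tag, url, float(match.group(1))))

def audit(html, page_host):
    """Return (near-invisible frames, sorted external hosts) for one page."""
    parser = SourceAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.hidden_frames, sorted(parser.external_hosts)

# Constructed sample page; every host name is a placeholder.
SAMPLE = """<html><body>
<button id="play">Play video</button>
<iframe src="https://other.example/settings"
        style="position:absolute; top:0; left:0; opacity: 0.0; z-index: 2"></iframe>
<iframe src="https://video.example/embed/1" style="opacity:1"></iframe>
<a href="/about">About</a>
<script src="https://cdn.example/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    frames, hosts = audit(SAMPLE, "game.example")
    for tag, src, opacity in frames:
        print(f"near-invisible <{tag}> (opacity {opacity}) loads {src}")
    print("external hosts:", ", ".join(hosts))
```

A flagged frame is a reason to look closer, not proof of an attack, since some sites hide frames for harmless reasons.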

Should You Worry About Clickjacking?

Clickjacking is a scary thing, especially as cybercriminals could gain access to your webcam and actively spy on your activities. That’s a major invasion of privacy and security.

So yes, it might seem a little OTT to be careful where you’re actually clicking on a website. Most of us do this without a second’s thought. But it’s also important you stay vigilant so you don’t fall prey to a hacker.
