Flash bug allows spying of website visitors through webcam
Posted on 20 October 2011.
A slight variation of a previously designed clickjacking attack that used a Adobe Flash vulnerability has once again made it possible for website administrators to surreptitiously spy on their visitors by turning on the user's computer webcam and microphone.

The original attack involved putting the Adobe Flash Settings Manager page into an iFrame and masking it with a game, so that when the user clicked on the buttons he would actually change the settings and turn on the webcam.

Once it was made public, Adobe fixed the issue by adding framebusting code to the Settings Manager page. But now, Stanford University computer science student Feross Aboukhadijeh managed to bypass the framebusting JavaScript code by simply putting the settings SWF file into the iFrame, and made the clickjacking attack possible again.

"It works in all versions of Adobe Flash that I tested. Iíve confirmed that it works in the Firefox and Safari for Mac browsers," says Aboukhadijeh on his blog, where he made public the PoC attack code after having received no answer from Adobe after notifying them of the flaw.

According to him, a CSS bug doesn't allow the attack to work on Chrome for Mac and most browser on Windows and Linux.

"Although every browser and OS is theoretically susceptible to this attack, the process to activate the webcam requires multiple highly targeted clicks, which is difficult for an attacker to pull off. Iím not sure how useful this technique would actually be in the wild, but I hope that Adobe fixes it soon so we donít have to find out," he says.

A day after his blog post was published, Adobe piped up to say that they are working on a fix for the bug and that, if everything goes well, it should be up and running by the end of the week.

"Note that this issue does not involve/require a product update and/or customer action. (In other words, there will not be a security bulletin.) It's a fix we are making on our end online, and it is going to be pushed live as soon as QA has completed their testing," commented an Adobe spokeswoman for CNet, adding that Aboukhadijeh didn't receive a response sooner because he hadn't emailed the Adobe Product Security Incident Response Team directly, but sent the message to an employee who was on a sabbatical.

UPDATE: Adobe has fixed the flaw on Thursday afternoon US Pacific time. No product update or customer interaction is required.






Spotlight

Windows 0-day exploited in ongoing attacks, temporary workarounds offered

Posted on 22 October 2014.  |  A new Windows zero-day vulnerability is being actively exploited in the wild and is primarily a risk to users on servers and workstations that open documents with embedded OLE objects.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Oct 23rd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //