Flash bug allows spying of website visitors through webcam
Posted on 20 October 2011.
A slight variation of a previously designed clickjacking attack that used a Adobe Flash vulnerability has once again made it possible for website administrators to surreptitiously spy on their visitors by turning on the user's computer webcam and microphone.

The original attack involved putting the Adobe Flash Settings Manager page into an iFrame and masking it with a game, so that when the user clicked on the buttons he would actually change the settings and turn on the webcam.

Once it was made public, Adobe fixed the issue by adding framebusting code to the Settings Manager page. But now, Stanford University computer science student Feross Aboukhadijeh managed to bypass the framebusting JavaScript code by simply putting the settings SWF file into the iFrame, and made the clickjacking attack possible again.

"It works in all versions of Adobe Flash that I tested. Iíve confirmed that it works in the Firefox and Safari for Mac browsers," says Aboukhadijeh on his blog, where he made public the PoC attack code after having received no answer from Adobe after notifying them of the flaw.

According to him, a CSS bug doesn't allow the attack to work on Chrome for Mac and most browser on Windows and Linux.

"Although every browser and OS is theoretically susceptible to this attack, the process to activate the webcam requires multiple highly targeted clicks, which is difficult for an attacker to pull off. Iím not sure how useful this technique would actually be in the wild, but I hope that Adobe fixes it soon so we donít have to find out," he says.

A day after his blog post was published, Adobe piped up to say that they are working on a fix for the bug and that, if everything goes well, it should be up and running by the end of the week.

"Note that this issue does not involve/require a product update and/or customer action. (In other words, there will not be a security bulletin.) It's a fix we are making on our end online, and it is going to be pushed live as soon as QA has completed their testing," commented an Adobe spokeswoman for CNet, adding that Aboukhadijeh didn't receive a response sooner because he hadn't emailed the Adobe Product Security Incident Response Team directly, but sent the message to an employee who was on a sabbatical.

UPDATE: Adobe has fixed the flaw on Thursday afternoon US Pacific time. No product update or customer interaction is required.






Spotlight

Fighting malware, emerging threats and AI

Posted on 24 November 2014.  |  Liran Tancman is the CEO of CyActive, a predictive cyber security company. In this interview he talks about fighting malware, emerging threats, artificial intelligence and the cloud.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Nov 25th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //